【OOB】MSHTML!CPaste­Command::Convert­Bitmapto­Png heap-based buffer overflow学习

IE 11 MSHTML!CPaste­Command::Convert­Bitmapto­Png heap-based buffer overflow学习

MS14-056, CVE-2014-4138

Time-line

8 May 2014: This vulnerability was submitted to ZDI.
9 June 2014: This vulnerability was acquired by ZDI.
23 June 2014: This vulnerability was disclosed to Microsoft by ZDI.
14 October 2014: This vulnerability was address by Microsoft in MS14-056.
21 December 2016: Details of this vulnerability are released.

越界访问漏洞
版本:Microsoft Internet Explorer 11.0.9600.16521

概述

图片被粘贴到IE11中,会把BMP格式转换成PNG格式,MSHTML!CPaste­Command::Convert­Bitmapto­Png函数执行这个操作。
这个函数使用BMP图片的大小来储存转换好的PNG图片,如果转换后的PNG大于BMP则会发生溢出

CPaste­Command::Convert­Bitmapto­Png 伪代码

  函数原型
    Convert­Bitmapto­Png(
      [IN] VOID* po­Bitmap, 
      UINT u­Bitmap­Size,
      [OUT] VOID** ppo­Png­Image, 
      UINT* pu­Png­Image­Size
    ) 
    
    {
      // BMP到PNG的转换
      CMem­Stm* po­CMem­Stm;
      IWICStream* po­Wic­Bitmap;
      STATSTG o­Stat­Stg;
      TSmart­Array<unsigned char> po­Png­Image;
      UINT u­Read­Size;
      // Create a CMem­Stm for the PNG image.
      Create­Stream­On­HGlobal(NULL, True, po­CMem­Stm);
      // Create an IWICStream from the BMP image.
      Initialize­From­Memory(po­Bit­Map, u­Bitmap­Size,
          &GUID_­Container­Format­Bmp, &po­Wic­Bitmap)));
      // Write BMP image in IWICStream to PNG image in CMem­Stm
      Write­Wic­Bitmap­To­Stream(po­Wic­Bitmap, &GUID_­Container­Format­Png, po­CMem­Stm);
      // Get size of PNG image in CMem­Stm and save it to the output variable.
      o­CMem­Stm->Stat(&o­Stat­Stg, 0);
      *pu­Png­Image­Size = o­Stat­Stg.cb­Size.Low­Part;
      // Allocate memory for the PNG
      //这一句产生问题,使用了BMP的大小给PNG分配内存
      po­Png­Image->New(u­Bitmap­Size);
      // Go to start of PNG image in CMem­Stm
      po­CMem­Stm->Seek(0, STREAM_­SEEK_­SET, NULL, &p­Position­Low);
      // Read PNG image in CMem­Stm to allocated memory.
      //这一句读入PNG的内容,导致溢出
      po­CMem­Stm->Read(po­Png­Image, *pu­Png­Image­Size, &u­Read­Size);
      // Save location of allocated memory with PNG image to output variable.
      *ppo­Png­Image = po­Png­Image;
    }

POC

只有用js实现图片复制的脚本,图片本身需要另外生成


这个洞因为没有完整的POC所以我没有调,但是其实作者在概述里已经说的很清楚了,这个洞的成因比较有意思放在这里开阔一下思路。
posted @ 2017-01-18 01:46  Ox9A82  阅读(459)  评论(0编辑  收藏  举报