
new IE 0day coming – object use after free vulnerability

by binjo of code audit labs of vulnhunt.com

A 0day affecting IE8 and later was disclosed by a foreign website. It was delivered by planting the exploit page on a compromised site, in a targeted attack against visitors of the CFR (Council on Foreign Relations) website.
With help from @eromang and @yomuds we did a quick analysis. The root cause is an object being reused after it has been freed (use-after-free), which crashes on an invalid memory access; by carefully crafting the heap, an attacker can execute arbitrary code.

0:008> g
(ccc.d24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10ab0d0c ebx=0021e968 ecx=00000052 edx=00000000 esi=00000000 edi=00234568
eip=3dc66271 esp=016ad79c ebp=016ad80c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x504:
3dc66271 call    dword ptr [eax+0DCh]                 ds:0023:10ab0de8=????????

While rendering the page, IE8 creates an mshtml!CButton object instance and stores the object pointer in the CDoc object.
The mshtml!CButton object is freed during garbage collection, but the reference to it held in the CDoc object is not cleared.

0:017> ba w1 234568
0:017> g
Breakpoint 4 hit
eax=3db50d10 ebx=009ac4f8 ecx=00234568 edx=00000000 esi=00234568 edi=00000000
eip=3de94aef esp=016aa47c ebp=016aa480 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CButton::`vector deleting destructor'+0xe:
3de94aef mov     dword ptr [esi+28h],offset mshtml!CButton::`vftable' (3db582e0) ds:0023:00234590={mshtml!CButton::`vftable' (3db582e0)}
0:008> kb
ChildEBP RetAddr  Args to Child              
016aa480 3db80ad9 00000001 3db80abf 00000000 mshtml!CButton::`vector deleting destructor'+0xe
016aa488 3db80abf 00000000 00234568 016aa4ac mshtml!CBase::SubRelease+0x22
016aa498 3db5e76d 00234568 00000001 0019dae0 mshtml!CBase::PrivateRelease+0x3c
016aa4ac 3db5a976 00234568 0019dae0 016aa4d4 mshtml!CElement::PrivateRelease+0x29
016aa4bc 3db7709c 0019dae0 009a5278 00000001 mshtml!PlainRelease+0x25
016aa4d4 3e365194 0019dae0 00000001 3e364b8c mshtml!PlainTrackerRelease+0x14
016aa4e0 3e364b8c 009ab860 009a3ad8 00000000 jscript!VAR::Clear+0x5c
016aa508 3e3655b9 00000000 00000000 0015ab28 jscript!GcAlloc::ReclaimGarbage+0x91
016aa524 3e364d08 00000002 016aa598 00000000 jscript!GcContext::Reclaim+0xab
016aa538 3e364bfd 016aa598 009ad9e0 3e3f2dc8 jscript!GcContext::CollectCore+0x113
016aa54c 3e3d471d 016aa5a8 3e374327 009abd10 jscript!GcContext::Collect+0x51
016aa554 3e374327 009abd10 016aa5f8 016aa598 jscript!JsCollectGarbage+0x1d
016aa5bc 3e374aac 00000000 00000000 009acde0 jscript!NatFncObj::Call+0x103
016aa640 3e3728c5 009a45b8 009abd10 00000001 jscript!NameTbl::InvokeInternal+0x137

The attacker uses carefully constructed heap layout data to occupy the freed object's memory. When window.location later causes the page to be re-rendered, the freed object is referenced again, which gives control of eip and allows arbitrary code execution.

0:008> bc 4
0:008> g

after calling mshtml!CElement::FindDefaultElem...
eax=00234568 ebx=0021e968 ecx=00000052 edx=00000000 esi=00000000 edi=0021e968
eip=3dac4229 esp=016ad7a0 ebp=016ad80c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CMarkup::OnLoadStatusDone+0x4e1:
3dac4229 mov     edi,eax
0:008> du eax
00234568  "??https://www.google.com/setting"
002345a8  "s/account"
0:008> db eax
00234568  0c 0d ab 10 68 00 74 00-74 00 70 00 73 00 3a 00  ....h.t.t.p.s.:.
00234578  2f 00 2f 00 77 00 77 00-77 00 2e 00 67 00 6f 00  /./.w.w.w...g.o.
00234588  6f 00 67 00 6c 00 65 00-2e 00 63 00 6f 00 6d 00  o.g.l.e...c.o.m.
00234598  2f 00 73 00 65 00 74 00-74 00 69 00 6e 00 67 00  /.s.e.t.t.i.n.g.
002345a8  73 00 2f 00 61 00 63 00-63 00 6f 00 75 00 6e 00  s./.a.c.c.o.u.n.
002345b8  74 00 00 00 00 00 00 00-a8 0f a6 ea 00 01 0c ff  t...............
002345c8  30 0b 0c 0c 68 00 74 00-74 00 70 00 73 00 3a 00  0...h.t.t.p.s.:.
002345d8  2f 00 2f 00 77 00 77 00-77 00 2e 00 67 00 6f 00  /./.w.w.w...g.o.
0:008> g
(ccc.d24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10ab0d0c ebx=0021e968 ecx=00000052 edx=00000000 esi=00000000 edi=00234568
eip=3dc66271 esp=016ad79c ebp=016ad80c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x504:
3dc66271 call    dword ptr [eax+0DCh]                 ds:0023:10ab0de8=????????
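To make the lifetime bug concrete, here is an added model (not code from the original post or from mshtml; the names Doc, Button and arena_* are hypothetical) of a document keeping a raw pointer to a button that the script GC frees, the freed slot being reused by constructed data, and the hardened variant in which the document holds a counted reference so the object outlives the GC pass.

```c
/* Model of the bug described above (hypothetical names, not mshtml's):
 * a Doc keeps a raw pointer to a Button that the script GC frees, the
 * freed slot is reused by constructed data, and the Doc later consults
 * the stale pointer. The hardened variant takes a counted reference. */
#include <string.h>

#define NSLOTS 4
#define SLOT_BYTES 96
enum { TAG_FREE = 0, TAG_BUTTON = 1, TAG_SPRAY = 2 };

/* tiny arena standing in for the heap: a freed slot is handed out again
 * on the next allocation, which is exactly what a heap spray relies on */
typedef struct { int tag; unsigned char data[SLOT_BYTES]; } Slot;
static Slot arena[NSLOTS];

static Slot *arena_alloc(int tag) {
    for (int i = 0; i < NSLOTS; i++)
        if (arena[i].tag == TAG_FREE) { arena[i].tag = tag; return &arena[i]; }
    return 0;
}
static void arena_free(Slot *s) { s->tag = TAG_FREE; }

typedef struct { int refs; } Button;   /* lives in slot->data */
typedef struct { Slot *button; } Doc;  /* like CDoc holding a CButton pointer */

static Slot *button_create(void) {
    Slot *s = arena_alloc(TAG_BUTTON);
    ((Button *)s->data)->refs = 1;     /* the script engine's reference */
    return s;
}
static void button_release(Slot *s) {  /* PrivateRelease-style: free at zero */
    if (--((Button *)s->data)->refs == 0) arena_free(s);
}

/* Returns 1 if the Doc's button is still a live Button when the load
 * completes, 0 if the pointer is stale (where the real bug calls through
 * [vtable+0xDC]). strong=1 is the hardened variant. */
int run_scenario(int strong) {
    memset(arena, 0, sizeof arena);
    Doc doc;
    Slot *btn = button_create();
    doc.button = btn;                           /* CDoc stores the pointer ... */
    if (strong) ((Button *)btn->data)->refs++;  /* ... and, if fixed, owns a ref */
    button_release(btn);                        /* GC drops the script's reference */
    Slot *spray = arena_alloc(TAG_SPRAY);       /* constructed reuse of the slot */
    strcpy((char *)spray->data, "https://www.google.com/settings/account");
    int live = doc.button->tag == TAG_BUTTON;
    if (strong) button_release(doc.button);     /* Doc drops its own reference */
    return live;
}
const char *slot0_bytes(void) { return (const char *)arena[0].data; }
```

In the weak variant the document's pointer ends up aimed at the sprayed string, which is what the `du eax` output above shows in the real crash; in the strong variant the spray lands in a different slot.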

Parts of the attack code can already be found by searching the internet, and we believe this 0day will soon be used on a large scale. Until then, users should switch to a non-IE browser such as Google Chrome or Firefox to avoid the potential threat. We will keep following this 0day vulnerability, so stay tuned!

Reference links:

Update:
12/30: Microsoft has published an advisory for this vulnerability together with a temporary workaround; an official patch has not been released yet.