This is a friendly warning that your web-browser does not currently protecting your privacy and/or security as well as you might want. Click on this message to see more information about the issue(s) that were detected. MSIE jscript9 Java­Script­Stack­Walker memory corruption

(MS15-056, CVE-2015-1730)

A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Exlorer 9. A pointer set up to point to certain data on the stack can be used after that data has been removed from the stack. This results in a stack-based analog to a heap use-after-free vulnerability. The stack memory where the data was stored can be modified by an attacker before it is used, allowing remote code execution.

⤷ read more
MS Edge CBase­Scriptable::Private­Query­Interface memory corruption

(MS16-068, CVE-2016-3222)

A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Edge. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.

⤷ read more
MSIE 9 CDoc::Execute­Script­Uri use-after-free

(MS13-009, CVE-2013-0019)

A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.

⤷ read more
MS Edge CMarkup::Ensure­Delete­CFState use-after-free

(MS15-125, CVE-2015-6168)

A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Edge. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.

⤷ read more
Opera foreign­Object text­Node::remove­Child use-after-free

(The fix and CVE number for this issue are unknown)

A specially crafted web-page can trigger a use-after-free vulnerability in Opera. This vulnerability was found a very long time ago, back when I did not keep organized records of my analysis, so unfortunately, I cannot speculate on the potential impact or exploitability.

⤷ read more
Google Chrome Accessibility blink::Node corruption

(The fix and CVE number for this issue are unknown)

A specially crafted web-page can trigger an unknown memory corruption vulnerability in Google Chrome Accessibility code. An attacker can cause code to attempt to execute a method of an object using a vftable, when the pointer to that object is not valid, or the object is not of the expected type. Successful exploitation can lead to arbitrary code execution.

⤷ read more
MSIE 8-11 MSHTML DOMImplementation type confusion

(MS16-009, CVE-2016-0063)

A specially crafted web-page can cause a type confusion vulnerability in Microsoft Internet Explorer 8 through to 11. An attacker can cause code to be executed with a stack layout it does not expect, or have code attempt to execute a method of an object using a vftable, when that object does not have a vftable. Successful exploitation can lead to arbitrary code execution.

⤷ read more
MSIE 10 MSHTML CEdit­Adorner::Detach use-after-free

(MS13-047, CVE-2013-3120)

A specially crafted web-page can cause Microsoft Internet Explorer 10 to continue to use an object after freeing the memory used to store the obejct. An attacker might be able to exploit this issue to execute arbitrary code.

⤷ read more
MSIE 11 MSHTML CGenerated­Content::Has­Generated­SVGMarker type confusion

(The fix and CVE number for this issue are unknown)

A specially crafted web-page can cause a type confusion in HTML layout in Microsoft Internet Explorer 11. An attacker might be able to exploit this issue to execute arbitrary code.

⤷ read more
Chrome blink Speech­Recognition­Controller use-after-free

(Chromium 455857, CVE-2015-1251)

A specially crafted web-page can cause the blink rendering engine used by Google Chrome and Chromium to continue to use a speech recognition API object after the memory block that contained the object has been freed. An attacker can force the code to read a pointer from the freed memory and use this to call a function, allowing arbitrary code execution.

⤷ read more
MSIE 8 MSHTML SRun­Pointer::Span­Qualifier/Run­Type OOB read

(MS15-009, CVE-2015-0050)

A specially crafted web-page can cause Microsoft Internet Explorer 8 to attempt to read data beyond the boundaries of a memory allocation. The issue does not appear to be easily exploitable.

⤷ read more
MSIE 8 MSHTML Ptls5::Ls­Find­Span­Visual­Boundaries memory corruption

(The fix and CVE number for this bug are unknown)

A specially crafted web-page can cause an unknown type of memory corruption in Microsoft Internet Explorer 8. This vulnerability can cause the Ptls5::Ls­Find­Span­Visual­Boundaries method (or other methods called by it) to access arbitrary memory.

⤷ read more
MS Edge CText­Extractor::Get­Block­Text OOB read

(MS16-104, CVE-2016-3247)

A specially crafted web-page can cause an integer underflow in Microsoft Edge. This causes CText­Extractor::Get­Block­Text to read data outside of the bounds of a memory block.

⤷ read more
Tetris heap spraying: spraying the heap on a budget

Over the past decade, heap sprays have become almost synonymous with exploits in web-browsers. After having developed my first practical implementation of a heap spray about ten years ago, I found that the amount of memory needed in some cases was too much for a realistic attack scenario. I needed a new kind of heap spray that did not allocate as much RAM as traditional heap sprays do. So, I developed a heap spray that uses significantly less RAM than a traditional heap spray does. In practice it uses about 33% less in most cases, but theoretically it could be much, mush less in ideal situations. This new technique requires only the ability to free some of the blocks of memory used to spray the heap during spraying and should otherwise be applicable to every existing implementation.

⤷ read more
MSIE 11 iertutil LCIEGet­Typed­Component­From­Thread use-after-free

(The fix and CVE number for this issue are unknown)

A specially crafted web-page can cause the iertutil.dll module of Microsoft Internet Explorer 11 to free some memory while it still holds a reference to this memory. The module can be made to use this reference after the memory has been freed. Unliky many use-after-free bugs in MSIE, this issue, and apparently all code in this module, is not mitigated by Mem­GC. This issue appears to have been addressed in July 2016, as it failed to reproduce after the July security updates were installed.

⤷ read more
MSIE 8 jscript Reg­Exp­Base::FBad­Header use-after-free

(MS15-018, CVE-2015-2482)

A specially crafted web-page can cause the Javascript engine of Microsoft Internet Explorer 8 to free memory used for a string. The code will keep a reference to the string and can be forced to reuse it when compiling a regular expression.

⤷ read more
MS Edge edgehtml CAttr­Array::Destroy use-after-free

(This fix and CVE number for this issue are not known)

A specially crafted web-page can cause Microsoft Edge to free memory used for a CAttr­Array object. The code continues to use the data in freed memory block immediately after freeing it. It does not appear that there is enough time between the free and reuse to exploit this issue.

⤷ read more
MSIE 11 MSHTML CMap­Element::Notify use-after-free

(MS15-009, CVE-2015-0040)

A specially crafted webpage can cause MSIE 11 to interrupt the handling of one readystatechange event with another. This causes a call to one of the various C<Element­Name>Element::Notify functions, at least one of which is non-reentrant. This can have various repercussions, e.g. when an attacker triggers this vulnerability using a CMap­Element object, a reference to that object can be stored in a linked list and the object itself can be freed. This pointer can later be re-used to cause a classic use-after-free issue.

⤷ read more
Google Chrome blink Serializer::do­Serialize bad cast

(This fix and CVE number for this issue are not known)

When serializing Java­Script objects for sending to another window using the post­Message method, the code in blink does not handle Symbol objects correctly and attempts to serialize this kind of object as a regular object, which results in a bad cast. An attacker that can trigger this issue may be able to execute arbitrary code.

⤷ read more
Windows Explorer thumbcache CThumbnail­Cache::_Get­Thumbnail­Internal misaligned free

(This issue is currently not fixed)

When handling long path names on network shares mapped to a drive, thumbcache.dll loaded in explorer.exe can be made to free a memory block with a pointer that does not actually point to the start of the memory block, but rather to the start plus a static offset. The offset is such that the pointer is no longer aligned correctly, which is detected by the heap manager. The heap manager then causes explorer.exe to terminate.

⤷ read more
WININET CHttp­Header­Parser::Parse­Status­Line out-of-bounds read

(MS16-104, MS16-105, CVE-2016-3325)

A specially crafted HTTP response can cause the CHttp­Header­Parser::Parse­Status­Line method in WININET to read data beyond the end of a buffer. The size of the read can be controlled through the HTTP response. An attacker that is able to get any application that uses WININET to make a request to a server under his/her control may be able to disclose information stored after this memory block. This includes Microsoft Internet Explorer, Microsoft Edge and Microsoft Windows Media Player. As far as I can tell WININET is widely used by Microsoft applications to handle HTTP requests, and probably be all third-party applications that use Windows APIs to make HTTP requests. All these applications may be vulnerable to the issue, though it may be hard to exploit in most (if not all, see below).

⤷ read more
MSIE 9-11 MSHTML PROPERTYDESC::Handle­Style­Component­Property out-of-bounds read

(MS16-104, CVE-2016-3324)

A specially crafted web-page can cause Microsoft Internet Explorer 9-11 to assume a CSS value stored as a string can only be "true" or "false". To determine which of these two values it is, the code checks if the fifth character is an 'e' or a '\0'. An attacker that is able to set it to a smaller string can cause the code to read data out-of-bounds and is able to determine if a WCHAR value stored behind that string is '\0' or not.

⤷ read more
VBScript Reg­Exp­Comp::Pnode­Parse out-of-bounds read

(The fix and CVE number for this bug are not known)

A specially crafted script can cause the VBScript engine to read data beyond a memory block for use as a regular expression. An attacker that is able to run such a script in any application that embeds the VBScript engine may be able to disclose information stored after this memory block. This includes all versions of Microsoft Internet Explorer.

⤷ read more
VBScript CReg­Exp::Execute use of uninitialized memory

(MS14-080 and MS14-084, CVE-2014-6363)

A specially crafted script can cause the VBScript engine to access data before initializing it. An attacker that is able to run such a script in any application that embeds the VBScript engine may be able to control execution flow and execute arbitrary code. This includes all versions of Microsoft Internet Explorer.

⤷ read more
MSIE 9 MSHTML CPts­Text­Paraclient::Count­Apes out-of-bounds read

(The fix and CVE number for this bug are not known)

A specially crafted web-page can cause Microsoft Internet Explorer 9 to access data before the start of a memory block. An attack that is able to control what is stored before this memory block may be able to disclose information from memory or execute arbitrary code.

⤷ read more
MSIE 10 MSHTML CElement::Get­Plain­Text­In­Scope out-of-bounds read

(The fix and CVE number for this bug are not known)

A specially crafted web-page can cause Microsoft Internet Explorer 10 to read data out-of-bounds. This issue was fixed before I was able to analyze it in detail, hence I did not determine exactly what the root cause was.

⤷ read more
MSIE 11 MSHTML CView::Calculate­Image­Immunity use-after-free

(The fix and CVE number for this bug are not known)

A specially crafted web-page can cause Microsoft Internet Explorer 11 to free a memory block that contains information about an image. The code continues to use the data in freed memory block immediately after freeing it. It does not appear that there is enough time between the free and reuse to exploit this issue.

⤷ read more
MSIE 9 MSHTML CAttr­Array use-after-free

(MS14-056, CVE-2014-4141)

A specially crafted web-page can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.

⤷ read more
Heap spraying high addresses in 32-bit Chrome/Firefox on 64-bit Windows

In my previous blog post I wrote about "magic values" that were originally chosen to help mitigate exploitation of memory corruption flaws and how this mitigation could potentially be bypassed on 64-bit Operating Systems, specifically Windows. In this blog post, I will explain how to create a heap spray (of sorts) that can be used to allocate memory in the relevant address space range and fill it with arbitrary data for use in exploiting such a vulnerability.

⤷ read more
Magic values in 32-bit processes and 64-bit OS-es

Software components such as memory managers often use magic values to mark memory as having a certain state. These magic values have often (but not always) been chosen to coincide with addresses that fall outside of the user-land address space on 32-bit versions of the Operating System. This ensures that if a vulnerability in the software allows an attacker to get the code to use such a value as a pointer, this results in an access violation. However, on 64-bit architectures the entire 32-bit address space can be used for user-land allocations, allowing an attacker to allocate memory at all the addresses commonly used as magic values and exploit such a vulnerability.

⤷ read more
MSIE 11 garbage collector attribute type confusion

(MS16-063, CVE-2016-0199)

With MS16-063 Microsoft has patched CVE-2016-0199: a memory corruption bug in the garbage collector of the Java­Script engine used in Internet Explorer 11. By exploiting this vulnerability, a website can causes this garbage collector to handle some data in memory as if it was an object, when in fact it contains data for another type of value, such as a string or number. The garbage collector code will use this data as a virtual function table (vftable) in order to make a virtual function call. An attacker has enough control over this data to allow execution of arbitrary code.

⤷ read more
Independence vs. cooperation

While working independently has many advantages, it does have one major drawback: no one to bounce ideas off or help you solve problems. So, in order to address this, I am now looking for opportunities to work closer with other researchers again.

⤷ read more
MS Edge CTree­Pos­Gap::Partition­Pointers use-after-free (Mem­GC)

A specially crafted Javascript inside an HTML page can trigger a use-after-free bug in the CTree­Pos­Gap::Partition­Pointers function of edgehtml.dll in Microsoft Edge. This use-after-free bug is mitigated by Mem­GC by default: with Mem­GC enabled the memory is never actually freed. This mitigation is considered sufficient to make this a non-security issue as explained by Microsoft SWIAT in their blog post Triaging the exploitability of IE/Edge crashes.

Since this is not considered a security issue, I have the opportunity to share details about the issue with you before the issue has been fixed. And since Microsoft are unlikely to provide a fix for this issue on short notice, you should be able to reproduce this issue for some time after publication of this post. I will try to explain how I analyzed this issue using Bug­Id and Edge­Dbg, so that you can reproduce what I did and see for yourself.

⤷ read more
MS Edge Tree::ANode::Is­In­Tree use-after-free (Mem­GC) & Abandonment

A specially crafted Javascript inside an HTML page can trigger a use-after-free bug in Tree::ANode::Is­In­Tree or a breakpoint in Abandonment::Induce­Abandonment in Microsoft Edge. The use-after-free bug is mitigated by Mem­GC: if Mem­GC is enabled (which it is by default) the memory is never freed. This effectively prevents exploitation of the issue. The Abandonment appears to be triggered by a stack exhaustion bug; the Javascript creates a loop where an event handler triggers a new event, which in turn triggers the event handler, etc.. This consumes a stack space until there is no more stack available. Edge does appear to be able to handle such a situation gracefully under certain conditions, but not all. It is easy to avoid those conditions to force triggering the Abandonment.

The interesting thing is that this indicates that the assumption that "hitting Abandonment means a bug is not a security issue" may not be correct in all cases.

⤷ read more
MSIE 10&11 Build­Animation NULL pointer dereference

A specially crafted style sheet inside an HTML page can trigger a NULL pointer dereference in Microsoft Internet Explorer 10 and 11. The pointer in question is assumed to point to a function, and the code attempts to use it to execute this function, which normally leads to an access violation when attempting to execute unmapped memory at address 0. In some cases, Control Flow Guard (CFG) will attempt to check if the address is a valid indirect call target. Because of the way CFG is implemented, this can lead to a read access violation in unmapped memory at a seemingly arbitrary address.

⤷ read more
MS Edge CDOMText­Node::get_­data type confusion

(MS16-002, CVE-2016-0003)

Specially crafted Javascript inside an HTML page can trigger a type confusion bug in Microsoft Edge that allows accessing a C++ object as if it was a BSTR string. This can result in information disclosure, such as allowing an attacker to determine the value of pointers to other objects and/or functions. This information can be used to bypass ASLR mitigations. It may also be possible to modify arbitrary memory and achieve remote code execution, but this was not investigated.

⤷ read more
© Copyright 2016 by Sky­Lined.
Creative Commons License This work is licensed under a Creative Commons Attribution-Non‑Commercial 4.0 International License.

Last updated on 2016-11-6.
If you find this web-site useful and would like to make a donation, you can send bitcoin to 183yyxa9s1s1f7JBp­PHPmz­Q346y91Rx5DX.