A specially crafted style sheet inside an HTML page can trigger a NULL pointer dereference in Microsoft Internet Explorer 10 and 11. The pointer in question is assumed to point to a function, and the code attempts to use it to execute this function, which normally leads to an access violation when attempting to execute unmapped memory at address 0. In some cases, Control Flow Guard (CFG) will attempt to check if the address is a valid indirect call target. Because of the way CFG is implemented, this can lead to a read access violation in unmapped memory at a seemingly arbitrary address.
Microsoft Internet Explorer 10 and 11
An attacker would need to get a target user to open a specially crafted web-page.
This is an non-exploitable NULL pointer dereference bug but it is different from
most because it can cause a read access violation at a non-NULL address in the
ntdll.. To understand why this happens, one will first need
to understand a little bit about how CFG works. If you are not familiar with
the internals of CFG, I suggest you read the CFG blog post by TrendMicro
before you continue.
When CFG checks are in place for an indirect call, the CFG code will try to
look up if the call address is valid in a bitmap. This is done by converting the
address into an offset in the bitmap. In order to reduce memory usage, memory
is allocated only for relevant parts of the bitmap. e.
Ever since I originally analyzed and tweeted about this issue back in August 2015, as part of what would later become the #DailyBug series. I have wanted to release more details about it in case others ran into similar issues. But I did not consider this high priority until recently, when my ex-colleagues at Google Project Zero found the exact same issue and reported it to Microsoft as a potential security issue. Microsoft of course concluded that it was not a security issue after which Google disclosed details.
I hope this article helps explain why this is not a security issue as well as help others detect when a bug is triggering similar read access violations in CFG and see them for what they are: non-security NULL pointer dereference bugs.
This issue has been known to trigger crashes with the following BugIds for me:
Below are two BugId reports. The first was created by triggering the
BuildAnimation issue in Microsoft Internet Explorer 11, which has CFG
enabled. As you can see in this report the exception happened in the
ntdll. function, but BugId knows that this
function is not the root cause and has ignored it when determining which
function calls on the stack are relevant to the bug. The end result is that
a read access violation is reported at an "arbitrary" address.
The second report was created by triggering the same issue in Internet Explorer 10, which does not have CFG enabled. In this case an access violation while attempting to execute memory at address 0 is reported.
I have considered adding code to BugId that will detect this situation and
report it as a special case of a NULL pointer access violation (
but I suspect that this will be very fragile. Since I have not encountered any
other instances of this issue so far, I don't believe if is worth the effort.
|Description:||Access violation while reading memory at 0x7DF5FFC60000|
|Security impact:||Potentially exploitable security issue|
|Description:||Access violation while executing memory at 0x0 using a NULL ptr|