Skypher » Repro

Issue 32 – Oracle Java plugin2 non-exploitable memory corruption

SkyLined — Wed, 13 Oct 2010 12:10:15 +0000

About two years ago I found what appeared to be a memory corruption issue in SUN (now owned by Oracle) Java Version 6 Update 10. I failed to find any evidence that the issue allows remote code execution and after investigating, SUN/Oracle reported that it was not a security issue that required immediate patching.

Oracle have released a fix for this issue, which can be found here.

Details can be found here.

Issue 18 – Oracle Java APPLET tag children property memory corruption

SkyLined — Wed, 13 Oct 2010 12:04:17 +0000

About half a year ago, I found a memory corruption issue in Oracle Java Version 6 Update 20 which could be triggered by loading Java in MSIE through the “APPLET” tag and accessing the “children” property. It appears that the code suffers from some race condition that may be exploited to execute arbitrary code in the context of the user that the iexplore.exe process is running as.

Oracle have released a patch for this issue which can be found here.

More details can be found here.

Issue 23 – Oracle Java OBJECT tag “launchjnlp”/”docbase” property stack buffer overflow

SkyLined — Wed, 13 Oct 2010 09:34:09 +0000

About a month and a half ago, information about an 0-day vulnerability in the Apple QuickTime plugin was published. It reminded of a project I had planned to implement for a while (since 2004 to be precise): a fuzzer that extracted information about COM objects installed on a system from the registry and scanned the binaries associated with each COM object for strings. The fuzzer would use the collected information to try to instantiate objects and attempt to fuzz it using the strings as properties, methods and “magic” argument values. As soon as I had hacked something together, it found a simple buffer overflow in Oracle Java 6 Update 21.

The buffer overflow allows easy control over EIP and creating a working exploit for targets without DEP is as easy as copy+pasting a heap spray into the repro file.

I reported the issue to Oracle, who were already aware of the issue because it had also been reported to them by Stephen Fewer of Harmony Security through ZDI. Oracle has release a patch for this issue, which is available here.

More details can be found here.

Issue 21 – Microsoft Windows Media Player memory corruption using popups

SkyLined — Tue, 12 Oct 2010 21:02:55 +0000

About 4 months ago I finally tracked down a memory corruption issue that my fuzzers had been hitting on occasion. It appeared that the root cause was some kind of memory corruption or stale pointer related to a Windows Media Player plugin popup. The MSRC team reported that further investigation had revealed the the issue was slightly more complex than I had originally assumed and that the root cause of the issue might be triggered through other attack vectors that require less user-interaction. However, neither MSRC nor I was able to find any additional attack vectors.

Microsoft has release a fix for this issue here.

More details can be found here.

Issue 17 – Msxml2.XMLHTTP.3.0 response handling memory corruption

SkyLined — Tue, 10 Aug 2010 18:49:16 +0000

Warning: preg_split() [function.preg-split]: Compilation failed: lookbehind assertion is not fixed length at offset 14 in /home/c3682jgn/domains/skypher.com/public_html/wp-content/themes/braille/options/plugins.php on line 77

Warning: Invalid argument supplied for foreach() in /home/c3682jgn/domains/skypher.com/public_html/wp-content/themes/braille/options/plugins.php on line 78

MSIE 6,7, 8 & 9 insertAdjacentElement NULL ptr

SkyLined — Mon, 12 Apr 2010 12:03:10 +0000

MSIE 8,9 (X)HTML stack exhaustion

SkyLined — Mon, 12 Apr 2010 11:45:23 +0000

Many nested tags in MSIE can cause stack exhaustion, which can crash the tab and even the entire browser.

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

.... etc...

More details here: http://code.google.com/p/skylined/issues/detail?id=14.

MSIE 7 document.createElement(“HTML”).outerHTML NULL ptr

SkyLined — Mon, 12 Apr 2010 11:30:53 +0000

Microsoft Windows .ANI file BITMAPINFOHEADER.biClrUsed bounds check missing

SkyLined — Mon, 08 Mar 2010 09:45:20 +0000

Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER { DWORD biSize; LONG biWidth; LONG biHeight; WORD biPlanes; WORD biBitCount DWORD biCompression; DWORD biSizeImage; LONG biXPelsPerMeter; LONG biYPelsPerMeter; DWORD biClrUsed; DWORD biClrImportant; } BITMAPINFOHEADER;
“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”

ANI files stores each frame of the animated cursor as a packed bitmap inside the ANI file. The DWORD biClrUsed member of the BITMAPINFOHEADER of each such bitmap can be used to cause the Windows API functions to allocate any number of bytes and attempt to copy a similarly large ammount of data from the file in memory to the newly allocated memory. The code does not check that such a large ammount of data is available and this can cause the copy operation to read beyong the bounds of the memory allocated for the ANI file. This problem affects Windows XP and Vista but not the newer Windows 7.

This can cause a read access violation if a small ANI file specifies a large value for biClrUsed: the memory copy operation runs beyond the memory allocated for the file data and into unallocated memory. MSIE is an example of an application that uses these Windows APIs to read ANI files, it is also the application that this problem was first detect in. However, there could be other applications that use these API functions.

In MSIE, this read AV is handled by an exception handler, so it does not cause the browser to crash. The read access violation is therefore only visible if a debugger is attached to MSIE. However, this problem can also be used to cause the application to allocate excessive amounts of memory and become unresponsive, using 100% CPU. For MSIE, this seems to affect the x86 version only and not the x64 version. I cannot explain, not have I investigated the exact cause of this difference between these two versions.

Microsoft has confirmed the issue and based on the impact has decided to fix this in Service Packs for the various versions of Windows affected. They cannot provide release estimates for these Service Packs at this time. If you maintain an application that depends on the Windows APIs to load ANI files, you may want to investigate how this issue affects your application and do additional checks on the contents of ANI files before calling vulnerable Windows API functions.

Full details, including case history and repro for this particular bug can be found here.

Microsoft Internet Explorer 6.0/7.0 NULL pointer crashes

SkyLined — Wed, 20 Jan 2010 10:55:37 +0000

Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0.

document.createElement(“li”).value=3

document.createElement(“html”).outerHTML

I’ve recently started using Google Code for tracking bugs: an editted version of the history of this bug can be found here.