Skypher » Repro

MSIE 6,7, 8 & 9 insertAdjacentElement NULL ptr

SkyLined — Mon, 12 Apr 2010 12:03:10 +0000

img=new Image(); img.insertAdjacentElement("afterEnd",img);

More details here: http://code.google.com/p/skylined/issues/detail?id=15

MSIE 8,9 (X)HTML stack exhaustion

SkyLined — Mon, 12 Apr 2010 11:45:23 +0000

Many nested tags in MSIE can cause stack exhaustion, which can crash the tab and even the entire browser.

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

.... etc...

More details here: http://code.google.com/p/skylined/issues/detail?id=14.

Microsoft Windows .ANI file BITMAPINFOHEADER.biClrUsed bounds check missing

SkyLined — Mon, 08 Mar 2010 09:45:20 +0000

Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER { DWORD biSize; LONG biWidth; LONG biHeight; WORD biPlanes; WORD biBitCount DWORD biCompression; DWORD biSizeImage; LONG biXPelsPerMeter; LONG biYPelsPerMeter; DWORD biClrUsed; DWORD biClrImportant; } BITMAPINFOHEADER;
“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”

ANI files stores each frame of the animated cursor as a packed bitmap inside the ANI file. The DWORD biClrUsed member of the BITMAPINFOHEADER of each such bitmap can be used to cause the Windows API functions to allocate any number of bytes and attempt to copy a similarly large ammount of data from the file in memory to the newly allocated memory. The code does not check that such a large ammount of data is available and this can cause the copy operation to read beyong the bounds of the memory allocated for the ANI file. This problem affects Windows XP and Vista but not the newer Windows 7.

This can cause a read access violation if a small ANI file specifies a large value for biClrUsed: the memory copy operation runs beyond the memory allocated for the file data and into unallocated memory. MSIE is an example of an application that uses these Windows APIs to read ANI files, it is also the application that this problem was first detect in. However, there could be other applications that use these API functions.

In MSIE, this read AV is handled by an exception handler, so it does not cause the browser to crash. The read access violation is therefore only visible if a debugger is attached to MSIE. However, this problem can also be used to cause the application to allocate excessive amounts of memory and become unresponsive, using 100% CPU. For MSIE, this seems to affect the x86 version only and not the x64 version. I cannot explain, not have I investigated the exact cause of this difference between these two versions.

Microsoft has confirmed the issue and based on the impact has decided to fix this in Service Packs for the various versions of Windows affected. They cannot provide release estimates for these Service Packs at this time. If you maintain an application that depends on the Windows APIs to load ANI files, you may want to investigate how this issue affects your application and do additional checks on the contents of ANI files before calling vulnerable Windows API functions.

Full details, including case history and repro for this particular bug can be found here.

Microsoft Internet Explorer 6.0/7.0 NULL pointer crashes

SkyLined — Wed, 20 Jan 2010 10:55:37 +0000

Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0.

document.createElement(“li”).value=3

document.createElement(“html”).outerHTML

I’ve recently started using Google Code for tracking bugs: an editted version of the history of this bug can be found here.

Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

SkyLined — Tue, 13 Oct 2009 19:46:52 +0000

(a.k.a. CVE-2009-2983)

Adobe fixed a bug in various COM objects. Loading and unloading these objects in a webpage in Firefox allows memory corruption, which can be exploited to execute arbitrary code. Here are a number of repro cases for various MIME types:

application/pdf
application/vnd.adobe.xdp+xml
application/vnd.adobe.xfd+xml
application/vnd.adobe.xfdf
application/vnd.fdf

PS. Adobe mentions that “arbitrary code execution has not been demonstrated” without explaining how this is relevant, let me know if you know!

MSIE Content-Encoding: deflate memory corruption vulnerability

SkyLined — Tue, 13 Oct 2009 18:29:55 +0000

(a.k.a. MSRC 8769, MS09-054, CVE-2009-1547, “Data Stream Header Corruption Vulnerability”)

Microsoft fixed a bug in Internet Explorer’s “Content-Encoding:deflate” implementation. Here are two HTTP replies that trigger the bug:

HTTP/.\nContent-Encoding:deflate\r\t\n\r\n\x20\x20
HTTP \nContent-Encoding:deflate\nContent-Range:\n\n”

The bug allows memory corruption, which can be exploited to execute arbitrary code. The big surprise (to me at least) is that nobody seems to have found this before even though it’s fairly easy to trigger.