Www.edup.tudelft.nl/~bjwever/advisory msie R6025.html.php

From Skypher

Warning
This information is copied from my old webpage @ http://www.edup.tudelft.nl/~bjwever. Some or all of it may be outdated and incorrect. The only thing close to any guarantee that I can give about the contents of this page is that it is very likely to be chock-full of spelling errors.

Microsoft Internet Explorer DHTML Object handling vulnerabilities (MS05-20)


Background

Microsoft Internet Explorer is the set of core Web browsing technologies. It provides a flexible and reliable browsing experience with enhanced Web privacy features for all Windows users. Dynamic HTML (DHTML) is built on an object model that extends the traditional static HTML document which enables Web authors to create more engaging and interactive Web pages. DHTML provides authors with enhanced creative control so they can manipulate any page element at any time. DHTML is also the easiest way to make Web pages interactive, using open, standards-based technologies.

http://www.microsoft.com/windows/ie

http://msdn.microsoft.com/workshop/author/dhtml/dhtml_node_entry.asp

Vulnerabilities

MSIE supports dynamic creation of HTML elements from JavaScript using various DHTML methods such as createElement, appendChild, removeNode, etc. A number of problems have been found in the implementation of these objects and methods:

NULL-pointer crashes

Specially crafted calls to DHTML methods will crash MSIE: the program tries to read data through NULL pointers, resulting in a read exception. The following JavaScript code snippets demonstrate the problem by crashing MSIE with NULL-pointer exceptions in mshtml.dll:

// Snippet 1: append the opener's own document to a newly opened window's document.
try { window.open().document.appendChild(document); } catch(e) {}

// Snippet 2: create a text node without any argument, append it to a new window, then remove it.
a = document.createTextNode();
try { window.open().document.appendChild(a); } catch(e) {}
document.removeChild(a);

// Snippet 3: append the first element of the opener's document to a new window.
child = window.open();
child.document.appendChild(document.all[0]);

The last piece of code will not cause a NULL-pointer exception until both MSIE windows are closed.

R6025: Pure virtual function call error

Specially crafted calls to DHTML methods will cause MSIE to terminate with a "R6025: Pure virtual function call" error message. The following code snippet demonstrates the problem by terminating MSIE with a "R6025: Pure virtual function call" error:

// Open a second window and keep appending the opener's first element to it;
// the exception from each failed call is swallowed so the loop keeps running.
child = window.open();
while (1) try {
    child.document.appendChild(document.all[0]);
} catch(e) {}

A description of the R6025 run-time error can be found on the Microsoft support website; quoting from that page:

"Calling a pure virtual function is a programming error, so you need to find the call to the pure virtual function and rewrite the code so it is not called."

There are a lot of ways to cause an R6025 error in MSIE using methods like createElement, appendChild and removeNode.

Object handling race-condition

MSIE's object handling code has not been written thread-safe, creating situations where one thread reads data that has either been overwritten by another thread or has not yet been initialised by another thread. This can lead to random crashes and remote command execution. The following code snippet demonstrates the problem by crashing MSIE with a read exception in mshtml.dll:

// Open a second window and keep appending freshly created (argument-less) elements to it;
// each iteration races the other window's thread on the object's initialisation.
child = window.open();
while (1) try {
    child.document.appendChild(document.createElement());
} catch (e) {}

The vulnerable code uses a pointer to read the address of a function from a structure in memory. Either this pointer has not yet been initialised by the other thread, so the code uses whatever value was previously at that memory location, or the pointer has been overwritten by another thread before it is read, so the code uses the value it was overwritten with.

635C5994    MOV     EAX, DWORD PTR [ESP+4] ; EAX(ESP+4) -> struct X
635C5998    MOV     EAX, DWORD PTR [EAX]   ; EAX(X.dword1) -> struct Y
635C599A    JMP     NEAR DWORD PTR [EAX+8] ; jump to Y.dword3

In the above example, X.dword1 does not contain the right information, which causes the JMP to either crash when reading [EAX+8] or jump to a "random" location. The value is "random" because the operating system divides processor time between the threads and we do not control this mechanism, so we cannot control when the different threads write or read this memory. The value is however taken from a certain memory area used by mshtml, so we can try to change the odds of MSIE reading an attacker-supplied value by filling this memory using certain DHTML methods. This allows an attacker to take control of the execution path. More details can be found in the source code of the exploit.

The severity of this problem is high, since it allows remote command execution. A mitigating factor is the "randomness" of the race condition; it seems not to allow a 100% success rate for exploitation.
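The three-instruction sequence above, modelled in C as an added example (this is not mshtml code and not part of the advisory): struct X holds the vtable pointer in its first dword, struct Y is the vtable, and dispatch_slot3() performs the two loads and the indirect call, checking each pointer before it is followed. The base and derived vtables, the purecall_stub standing in for the handler MSVC places in pure-virtual slots, and the result codes are assumptions made for this example. The "overwritten by another thread" case of the race cannot be reproduced safely, so only the not-yet-initialised case (a NULL vtable pointer) is shown.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration of the dispatch sequence quoted in the advisory.
   The names struct X, struct Y and the slot numbering follow the comments
   on the disassembly; everything else is an assumption for the example. */

/* Outcome codes returned by dispatch_slot3() instead of crashing. */
enum dispatch_result {
    DISPATCH_OK        = 0,
    DISPATCH_NULL_X    = -1,  /* NULL object pointer: the "NULL-pointer crash" case */
    DISPATCH_NULL_VTBL = -2,  /* X.dword1 was never initialised */
    DISPATCH_PURECALL  = -3   /* slot still holds the pure-virtual stub: R6025 */
};

/* struct Y models a vtable; slot3 is Y.dword3, i.e. [EAX+8] on 32-bit x86. */
struct Y {
    int (*slot1)(void);
    int (*slot2)(void);
    int (*slot3)(void);  /* the slot that JMP NEAR DWORD PTR [EAX+8] reaches */
};

/* struct X models an object whose first dword is the vtable pointer. */
struct X {
    struct Y *dword1;
    int value;
};

/* The C++ runtime fills the vtable slots of pure virtual functions with a
   stub that reports R6025 instead of jumping anywhere. This models it. */
static int purecall_stub(void)   { return DISPATCH_PURECALL; }
static int concrete_slot3(void)  { return 42; }
static int unused_slot(void)     { return DISPATCH_OK; }

/* Abstract base vtable: slot3 is pure virtual, so it points at the stub. */
static struct Y base_vtbl    = { unused_slot, unused_slot, purecall_stub };
/* Derived vtable: slot3 overridden with a real implementation. */
static struct Y derived_vtbl = { unused_slot, unused_slot, concrete_slot3 };

/* Defensive equivalent of the three instructions above: every dereference
   is validated before the indirect call is made. */
int dispatch_slot3(struct X *x) {
    if (x == NULL)         return DISPATCH_NULL_X;     /* MOV EAX,[ESP+4] gave NULL */
    if (x->dword1 == NULL) return DISPATCH_NULL_VTBL;  /* MOV EAX,[EAX] read a zero */
    return x->dword1->slot3();                         /* JMP [EAX+8] */
}

/* Fully constructed object: the derived vtable is in place. */
int call_fully_constructed(void) {
    struct X obj = { &derived_vtbl, 1 };
    return dispatch_slot3(&obj);
}

/* Object whose vtable pointer still names the abstract base, which is the
   window during construction/destruction in which C++ reports R6025. */
int call_during_construction(void) {
    struct X obj = { &base_vtbl, 1 };
    return dispatch_slot3(&obj);
}

/* Object whose vtable pointer was never written by the initialising thread. */
int call_uninitialised(void) {
    struct X obj = { NULL, 1 };
    return dispatch_slot3(&obj);
}

int main(void) {
    printf("constructed:  %d\n", call_fully_constructed());
    printf("constructing: %d\n", call_during_construction());
    printf("no vtable:    %d\n", call_uninitialised());
    printf("NULL object:  %d\n", dispatch_slot3(NULL));
    return 0;
}
```

The point of the model is that the raw sequence in mshtml has no equivalent of the two checks in dispatch_slot3(): whatever X.dword1 holds at the moment of the read is dereferenced and jumped through, which is why the same bug surfaces as a NULL read, as an R6025 when the slot still holds the pure-virtual stub, or as a jump to an arbitrary address when the slot holds stale data.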

Affected versions

Tested versions:

  • MSIE 6 SP1 running on Windows 2000 SP4 (both fully patched)
  • MSIE 6 xpsp running on Windows XP SP2 (both fully patched)

Assumed affected:

  • MSIE has supported the vulnerable DHTML methods since version 4.0, so all versions are assumed to be affected in one way or another.

Exploit

exploits/InternetExploiter2.zip contains InternetExploiter2.html, the actual exploit. When you open this .html file in MSIE, it will try to exploit the vulnerability to bind a shell to port 28876.

The .html file contains JavaScript code that creates a large amount of heap blocks filled with 0x0D bytes. These form large nopslides, which are followed by shellcode. The code creates these heap blocks in such a way that [0x0D0D0D0D] == 0x0D0D0D0D. The code then tries to exploit the vulnerability so that MSIE executes a jmp [0x0D0D0D0D]. This will land inside a nopslide and slide on down to the shellcode.

The shellcode is encoded into a unicode string using my own Beta shellcode encoder.
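A defender-side counterpart to the heap-filling technique described above, added here as an example (it is not part of the advisory or of InternetExploiter2.zip): decode the %uXXXX escapes a page passes to unescape() into the UTF-16LE bytes they become in memory, then measure the longest run of a single repeated byte, which is what a one-byte nopslide looks like once decoded. The sample strings, the run-length threshold and the function names are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added detection example; it is not code from the advisory or the exploit.
   It reconstructs the bytes that unescape("%uXXXX...") produces and looks
   for the long single-byte run that characterises the nopslide fill. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode every %uXXXX escape in src into little-endian 16-bit units and
   append the bytes to out (capacity outcap). Returns the number of bytes
   written. Text outside escapes is skipped, since only the unescape()
   output ends up in the sprayed blocks. */
size_t decode_unicode_escapes(const char *src, unsigned char *out, size_t outcap) {
    size_t n = 0;
    for (const char *p = src; *p; p++) {
        if (p[0] != '%' || p[1] != 'u') continue;
        int h[4], ok = 1;
        for (int i = 0; i < 4; i++) {
            h[i] = hexval((unsigned char)p[2 + i]);  /* a NUL here yields -1 and stops */
            if (h[i] < 0) { ok = 0; break; }
        }
        if (!ok) continue;
        if (n + 2 > outcap) break;
        unsigned code = (h[0] << 12) | (h[1] << 8) | (h[2] << 4) | h[3];
        out[n++] = (unsigned char)(code & 0xff);  /* low byte first: UTF-16LE */
        out[n++] = (unsigned char)(code >> 8);
        p += 5;                                    /* loop's p++ skips the last hex digit */
    }
    return n;
}

/* Length of the longest run of one byte value in buf; *byte receives that value. */
size_t longest_byte_run(const unsigned char *buf, size_t n, unsigned char *byte) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (i > 0 && buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run > best) { best = run; *byte = buf[i]; }
    }
    return best;
}

/* Decoded byte at index idx of html's unescape() output, or -1 if out of range. */
int decoded_byte_at(const char *html, size_t idx) {
    unsigned char *buf = malloc(strlen(html) + 1);  /* decoding never grows the text */
    if (!buf) return -1;
    size_t n = decode_unicode_escapes(html, buf, strlen(html) + 1);
    int result = (idx < n) ? buf[idx] : -1;
    free(buf);
    return result;
}

/* Verdict: 1 if the decoded payload contains a single-byte run of at least
   min_run bytes, else 0. min_run is a tuning knob; the value used below
   is an assumption for the example. */
int looks_like_spray(const char *html, size_t min_run) {
    unsigned char *buf = malloc(strlen(html) + 1);
    if (!buf) return 0;
    unsigned char b = 0;
    size_t n = decode_unicode_escapes(html, buf, strlen(html) + 1);
    size_t run = longest_byte_run(buf, n, &b);
    free(buf);
    return run >= min_run;
}

/* Constructed inputs: a sled-style literal versus an ordinary string that
   also happens to use %u escapes for accented characters. */
const char *SAMPLE_SLED = "<script>s = unescape(\"%u0d0d%u0d0d%u0d0d%u0d0d%u0d0d%u0d0d%u0d0d%u0d0d\");</script>";
const char *SAMPLE_TEXT = "<script>t = unescape(\"%u00e9%u00e8%u00e7\");</script>";

int main(void) {
    printf("sled sample: %d\n", looks_like_spray(SAMPLE_SLED, 16));
    printf("text sample: %d\n", looks_like_spray(SAMPLE_TEXT, 16));
    return 0;
}
```

Real spray pages usually build the sled by concatenating a short seed in a loop, so the literal in the source is far shorter than the block that ends up in memory; treat the decoded seed's run length as one signal and pair it with the loop-driven string growth and the number of repeated allocations rather than relying on the threshold alone.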

Patch

Timeline

2004-08-24 Vulnerabilities discovered.
2004-10-20 Information sold to iDefense.
2004-10-25 Initial notification to Microsoft by iDefense.
2004-10-25 Initial response by Microsoft.
2005-04-12 Coordinated public disclosure.
2005-04-12 Advisory and exploit released.

Links
