Twenty Year Anniversary

Microsoft Internet Explorer MSHTML DOMImplementation Type Confusion

Microsoft Internet Explorer MSHTML DOMImplementation Type Confusion
Posted Nov 28, 2016
Authored by SkyLined

A specially crafted web-page can cause a type confusion vulnerability in Microsoft Internet Explorer 8 through to 11. An attacker can cause code to be executed with a stack layout it does not expect, or have code attempt to execute a method of an object using a vftable, when that object does not have a vftable. Successful exploitation can lead to arbitrary code execution.

tags | exploit, web, arbitrary, code execution
advisories | CVE-2016-0063
MD5 | a39c2c649d0580dbcfd87e206179520a

Microsoft Internet Explorer MSHTML DOMImplementation Type Confusion

Change Mirror Download
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
twentieth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161128001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 8-11 MSHTML DOMImplementation type confusion
=================================================
(MS16-009, CVE-2016-0063)

Synopsis
--------
A specially crafted web-page can cause a type confusion vulnerability in
Microsoft Internet Explorer 8 through to 11. An attacker can cause code
to be executed with a stack layout it does not expect, or have code
attempt to execute a method of an object using a vftable, when that
object does not have a vftable. Successful exploitation can lead to
arbitrary code execution.

Known affected software and attack vectors
------------------------------------------
+ Microsoft Internet Explorer 8, 9, 10 and 11

An attacker would need to get a target user to open a specially
crafted web-page. Disabling Javascript should prevent an attacker
from triggering the vulnerable code path.


Description
-----------
I identified two attack vectors to this vulnerability. One of them is
that Javascript can make a copy of the `hasFeature` method of a
`DOMImplementation` object in one window and use it as a method of
another object in another window. Doing so can cause at least two issues
in the `MSHTML!Method_VARIANTBOOLp_BSTR_o0oVARIANT` function of MSIE:
* A FailFast exception when the code detects that calling a method of
an object has not cleaned up the stack as expected; this is because
the called function appears to expect a different number of arguments
or a different calling convention. This issue can be triggered by
changing the line `o.x();` in the repro to `o.x(new Array)`.
* An out-of-bounds write when `MSHTML!CBase::PrivateGetDispID` is
called; this is probably caused by a type confusion bug: the code
expects a `VARIANT` object of one type, but is working on an object
of a different type.

Exploitation of this attack vector was not attempted. I reversed
`Method_VARIANTBOOLp_BSTR_o0oVARIANT` only sufficiently to get an idea
of the root cause, but not enough to determine exactly what is going on
or how to control the issue for command execution.

Another attack vector is calling the `isPrototypeOf` method of the
`DOMImplementation` interface as a function: this results in type
confusion where a C++ object is assumed to implement `IUnknown` when in
fact it does not. The code attempts to call the `IUnknown::Release`
method, expecting a vftable to be stored at offset 0, but since the
object has no vftables, a member property is stored at this offset,
which appears to have a static value `002dc6c0`. An attacker that is
able to control this value, or allocate memory and store data at that
address, may be able to execute arbitrary code.

No attempts were made to further reverse the code and determine the
exact root cause. A few attempts were made to control the value at
offset 0 of the object in question, as well as get another object in its
place with a different value at this location, but both efforts were
brief and unsuccessful.

Time-line
---------
* September 2015: This vulnerability was found through fuzzing.
* October 2015: This vulnerability was submitted to ZDI.
* November 2015: This vulnerability was acquired by ZDI.
* February 2016: This issue was addressed by Microsoft in MS16-009.
* November 2016: Details of this issue are released.

Cheers,

SkyLined


1 Repro.svg

<script xmlns="http://www.w3.org/2000/svg">
window.exploit = function(w) {
o={x:w.DOMImplementation(0).prototype.hasAFeature};
o.x();
};
open("1 Target.html");
</script>

1 Target.html

<script>
opener.exploit(window);
</script>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

April 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    5 Files
  • 2
    Apr 2nd
    17 Files
  • 3
    Apr 3rd
    11 Files
  • 4
    Apr 4th
    21 Files
  • 5
    Apr 5th
    17 Files
  • 6
    Apr 6th
    12 Files
  • 7
    Apr 7th
    1 Files
  • 8
    Apr 8th
    6 Files
  • 9
    Apr 9th
    21 Files
  • 10
    Apr 10th
    18 Files
  • 11
    Apr 11th
    42 Files
  • 12
    Apr 12th
    7 Files
  • 13
    Apr 13th
    14 Files
  • 14
    Apr 14th
    1 Files
  • 15
    Apr 15th
    1 Files
  • 16
    Apr 16th
    15 Files
  • 17
    Apr 17th
    20 Files
  • 18
    Apr 18th
    24 Files
  • 19
    Apr 19th
    20 Files
  • 20
    Apr 20th
    2 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close