Home / vulnerabilitiesPDF  

Microsoft Internet Explorer 8 Use-After-Free

Posted on 28 March 2015
Source : packetstormsecurity.org Link

 

​TL;DR: Full disclosure of low risk 0-day in MSIE 8 after 60-day deadline
passed
without a fix.

1501H - MSIE 8 - F12 Developer Tools tooltips use-after-free
=====================================

Synopsis
--------
When using the Developer Tools of MSIE 8, one might hover the mouse over a
button in the "Script" tab, at which point a "tooltip" is shown. If one then
clicks the button, a use-after-free occurs.

Known affected software and attack vectors
------------------------------------------
+ MSIE 8

An attacker would need to get a target user to open a specially crafted
webpage. The attacker would then need to trick the target user into
hovering
the mouse over a button until the tooltip is shown and then click the
button.

Description
-----------
Open a new tab, and then open the Developer Tools by pressing F12, or
selecting it from the "Tools" menu. Then select the "Scripts" tab in the
Developer Tools window. Next hover the mouse over one of the buttons with
the
text "Start Debugging", "Run Script" and "Multi Line Mode"/"Single Line
Mode".
When a tooltip is shown, click the button. Here's what happens next with
paged
heap enabled:

(4dc.814): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b507fd0 ebx=00000200 ecx=06a48ea0 edx=00000001 esi=06a48ea0
edi=09a21fd0
eip=7427c0d6 esp=0b40f98c ebp=0b40f98c iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010202
comctl32!CToolTipsMgr::PopBubble+0xc:
7427c0d6 8b400c mov eax,dword ptr [eax+0Ch]
ds:0023:0b507fdc=????????

1:019> kP
ChildEBP RetAddr
0b40f98c 7427aa85 comctl32!CToolTipsMgr::PopBubble+0xc
0b40f9b4 741fc26a comctl32!CToolTipsMgr::HandleRelayedMessage+0x117
0b40faec 741fbf57 comctl32!CToolTipsMgr::ToolTipsWndProc+0x944
0b40fb18 7651c4e7 comctl32!CToolTipsMgr::s_ToolTipsWndProc+0x32
0b40fb44 7651c5e7 USER32!InternalCallWinProc+0x23
0b40fbbc 76515294 USER32!UserCallWinProcCheckWow+0x14b
0b40fbfc 76515582 USER32!SendMessageWorker+0x4d0
0b40fc1c 741fc235 USER32!SendMessageW+0x7c
0b40fc58 741f42aa comctl32!RelayToToolTips+0x49
0b40fc78 741ff5ee comctl32!TTSubclassProc+0x33
0b40fcdc 741ff490 comctl32!CallNextSubclassProc+0x3d
0b40fd3c 7651c4e7 comctl32!MasterSubclassProc+0x54
0b40fd68 7651c5e7 USER32!InternalCallWinProc+0x23
0b40fde0 7651cc19 USER32!UserCallWinProcCheckWow+0x14b
0b40fe40 7651cc70 USER32!DispatchMessageWorker+0x35e
0b40fe50 6e8e98ef USER32!DispatchMessageW+0xf
WARNING: Stack unwind information not available. Following frames may be
wrong.
0b40fe84 6e8ee3fb iedvtool+0x598ef
0b40fe9c 76ceee1c iedvtool+0x5e3fb
0b40fea8 770c37eb kernel32!BaseThreadInitThunk+0xe
0b40fee8 770c37be ntdll!__RtlUserThreadStart+0x70
0b40ff00 00000000 ntdll!_RtlUserThreadStart+0x1b

1:019> !heap -p -a @eax
address 0b507fd0 found in
_DPH_HEAP_ROOT @ 161000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr
VirtSize)
b5119f4: b507000
2000
6fb3947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d
7712620b ntdll!RtlDebugReAllocateHeap+0x00000033
770ee4f0 ntdll!RtlReAllocateHeap+0x00000054
741f27fe comctl32!CToolTipsMgr::AddTool+0x00000031
741f28ca comctl32!CToolTipsMgr::ToolTipsWndProc+0x000009a4
741fbf57 comctl32!CToolTipsMgr::s_ToolTipsWndProc+0x00000032
7651c4e7 USER32!InternalCallWinProc+0x00000023
7651c5e7 USER32!UserCallWinProcCheckWow+0x0000014b
76515294 USER32!SendMessageWorker+0x000004d0
76515582 USER32!SendMessageW+0x0000007c
69cc8c71 jsdbgui+0x00028c71
69cc8fa2 jsdbgui+0x00028fa2
69cc903b jsdbgui+0x0002903b
69cca6e2 jsdbgui+0x0002a6e2
69cc5513 jsdbgui+0x00025513
7651c4e7 USER32!InternalCallWinProc+0x00000023
76535b7c USER32!UserCallDlgProcCheckWow+0x00000132
765359f3 USER32!DefDlgProcWorker+0x000000a8
7653a60e USER32!SendMessageWorker+0x00000340
76515582 USER32!SendMessageW+0x0000007c
741fc05d comctl32!CCSendNotify+0x000003e3
741f364c comctl32!SendNotifyEx+0x00000063
7427a9f4 comctl32!CToolTipsMgr::PopBubble+0x000000a3
7427c016 comctl32!CToolTipsMgr::PopBubble+0x0000001c
7427b50b comctl32!CToolTipsMgr::ShowVirtualBubble+0x00000010
741fc26a comctl32!CToolTipsMgr::ToolTipsWndProc+0x00000944
741fbf57 comctl32!CToolTipsMgr::s_ToolTipsWndProc+0x00000032
7651c4e7 USER32!InternalCallWinProc+0x00000023
7651c5e7 USER32!UserCallWinProcCheckWow+0x0000014b
76515294 USER32!SendMessageWorker+0x000004d0
76515582 USER32!SendMessageW+0x0000007c
741fc235 comctl32!RelayToToolTips+0x00000049

Exploit
-------
Because the attacker vector appears highly unlikely to represent a risk to
any
user, I did not bother to do an in-depth investigation. However, the
use-after-
free occurs in the same process in which the web-page is rendered. This
suggests
that there may be a way for the web-page to reallocate the freed memory
before
its reuse and potentially exploit this issue. However, it appears that the
free
and re-use occur in a very short time span, which would make that rather
hard if
not impossible.

Notes
-----
I allow vendors 60 days to fix an issue, unless they can provide an adequate
reason for extending this deadline. Failure to meet a deadline without an
adequate explanation will normally result in public disclosure of
information
regarding the vulnerability to the general public.

Timeline
--------
23 January 2015: vulnerability discovered and reported to MSRC by email.
23 January 2015: email from MSRC acknowledges receipt of report.
25 March 2015: email to MSRC to notify them that deadline has been exceeded.
25 March 2015: Full disclosure of vulnerability details.

 

TOP