Rising anti-virus researcher Ye Chao
Internet Explorer's CFunctionPointer object does not correctly handle its associated document object: if a script attaches and deletes objects in a specific sequence, it can trigger memory corruption. An attacker can construct such a sequence to trigger the corruption and, by refilling the freed memory with carefully crafted data, execute arbitrary code with the privileges of the currently logged-on user.
The weakness lies in mshtml.dll. The CFunctionPointer constructor stores a pointer to its owning document object (or tag object, or other owner) without taking a reference to it. The document object can therefore be released before the CFunctionPointer object is, and the CFunctionPointer then continues to use the already-destroyed document object.
This is the CFunctionPointer constructor:

public: __thiscall CFunctionPointer::CFunctionPointer(class CBase *, long)
.text:775E7BE9 mov     edi, edi
.text:775E7BEB push    ebp
.text:775E7BEC mov     ebp, esp
.text:775E7BEE push    esi
.text:775E7BEF mov     esi, ecx
.text:775E7BF1 call    ??0CBase@@QAE@XZ                          ; CBase::CBase(void)
.text:775E7BF6 mov     ecx, [ebp+pOwner]
.text:775E7BF9 test    ecx, ecx
.text:775E7BFB mov     eax, [ebp+pISecurityContext]
.text:775E7BFE mov     dword ptr [esi], offset ??_7CFunctionPointer@@6B@ ; const CFunctionPointer::`vftable'
.text:775E7C04 mov     [esi+10h], ecx                            ; store the associated document object
When storing the document object, the constructor simply writes the pointer to [esi+10h]; it does not take a reference (no AddRef) on it.
Almost all of CFunctionPointer's other methods use this stored document pointer, for example CFunctionPointer::PrivateAddRef, which implements IUnknown::AddRef, and CFunctionPointer::PrivateRelease, which implements IUnknown::Release.
This is the CFunctionPointer::PrivateAddRef function:

virtual unsigned long CFunctionPointer::PrivateAddRef(void)
.text:775E7A21 arg_0 = dword ptr 8
.text:775E7A21 mov     edi, edi
.text:775E7A23 push    ebp
.text:775E7A24 mov     ebp, esp
.text:775E7A26 push    esi
.text:775E7A27 mov     esi, [ebp+arg_0]      ; this
.text:775E7A2A mov     eax, [esi+10h]        ; get the document object pointer
.text:775E7A2D test    eax, eax
.text:775E7A2F jz      short loc_775E7A3D
.text:775E7A31 cmp     dword ptr [esi+4], 0
.text:775E7A35 jz      short loc_775E7A3D
.text:775E7A37 mov     ecx, [eax]            ; first DWORD of the object, i.e. its virtual table pointer
.text:775E7A39 push    eax
.text:775E7A3A call    dword ptr [ecx+4]     ; call the function at vtable+4, i.e. IUnknown::AddRef
In CFunctionPointer::PrivateAddRef, for example, if the document object has already been destroyed, the load from [eax] returns whatever now occupies the freed memory rather than a valid virtual table pointer, and call dword ptr [ecx+4] jumps to an unpredictable address. In the general case this simply crashes IE.
An attacker can arrange a particular sequence of steps so that the document object associated with a CFunctionPointer is released before the CFunctionPointer object itself, and then touch the CFunctionPointer object, causing the already-released document object to be used again.
Furthermore, the attacker can arrange for the memory the released document object originally occupied to be refilled with data of their choosing, placing a fake virtual table there. This turns the weakness from a crash into something that can be exploited to execute arbitrary code.
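The complete sequence described above, as an added example that is not code from the original analysis or from mshtml.dll: a document object with a COM-style vtable, a CFunctionPointer model whose constructor stores the owner pointer without AddRef, a release of the document, a refill of the freed memory with a fake vtable pointer, and a PrivateAddRef that calls through it. A deterministic single-slot allocator stands in for the browser heap so the reuse of the freed memory is reproducible rather than undefined behaviour; all type and function names are hypothetical, and the same model with the missing AddRef added shows why the fixed constructor is not exploitable this way.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original analysis or from mshtml.dll.
 * Models the CFunctionPointer lifetime bug: the owner pointer is kept
 * without AddRef, the document is released first, and PrivateAddRef then
 * calls through whatever vtable pointer sits in the freed memory.
 * All names are hypothetical. */

typedef struct Document Document;

/* COM-style vtable; slot 1 (AddRef) is the dword at [vtbl+4]. */
typedef struct {
    long          (*QueryInterface)(Document *self);
    unsigned long (*AddRef)(Document *self);
    unsigned long (*Release)(Document *self);
} DocumentVtbl;

struct Document {
    const DocumentVtbl *vtbl;   /* first dword of the object: mov ecx,[eax] */
    unsigned long       refcount;
};

/* Single allocation slot: the allocation made after a free reuses this memory,
 * which is the heap behaviour the attacker relies on. */
static union { Document doc; unsigned char raw[sizeof(Document)]; } g_slot;
static int g_slot_in_use;

static void *slot_alloc(void) {
    if (g_slot_in_use) return NULL;          /* "heap" still owned by the document */
    g_slot_in_use = 1;
    return g_slot.raw;
}
static void slot_free(void) { g_slot_in_use = 0; }

static int g_payload_ran;

/* Real document methods. */
static long          doc_QueryInterface(Document *d) { (void)d; return 0; }
static unsigned long doc_AddRef(Document *d) { return ++d->refcount; }
static unsigned long doc_Release(Document *d) {
    if (--d->refcount == 0) { slot_free(); return 0; }   /* object destroyed */
    return d->refcount;
}
static const DocumentVtbl g_doc_vtbl = { doc_QueryInterface, doc_AddRef, doc_Release };

static Document *document_create(void) {
    Document *d = slot_alloc();
    if (!d) return NULL;
    d->vtbl = &g_doc_vtbl;
    d->refcount = 1;
    return d;
}

/* Attacker-controlled vtable: what PrivateAddRef calls at [vtbl+4] is now the
 * payload (in a real attack a pointer into sprayed memory holding shellcode). */
static unsigned long attacker_payload(Document *d) { (void)d; g_payload_ran = 1; return 0; }
static const DocumentVtbl g_fake_vtbl = { doc_QueryInterface, attacker_payload, doc_Release };

/* Refill the freed document memory so its first dword is the fake vtable
 * pointer. Does nothing if the document still owns the slot. */
static void attacker_refill_freed_memory(void) {
    unsigned char *p = slot_alloc();
    if (!p) return;
    const DocumentVtbl *fake = &g_fake_vtbl;
    memcpy(p, &fake, sizeof fake);            /* offset 0 = vtable pointer */
}

/* CFunctionPointer model: owner corresponds to [this+10h]. */
typedef struct { Document *owner; } CFunctionPointer;

/* Constructor as described in the analysis: stores the pointer, no AddRef. */
static void cfp_ctor_vulnerable(CFunctionPointer *f, Document *owner) { f->owner = owner; }

/* Constructor with the missing reference taken. */
static void cfp_ctor_fixed(CFunctionPointer *f, Document *owner) {
    f->owner = owner;
    if (owner) owner->vtbl->AddRef(owner);
}

/* Mirrors PrivateAddRef: load [this+10h], load its vtable, call [vtbl+4]. */
static unsigned long cfp_PrivateAddRef(CFunctionPointer *f) {
    Document *doc = f->owner;
    if (doc == NULL) return 0;
    const DocumentVtbl *vt = doc->vtbl;       /* mov ecx,[eax]   */
    return vt->AddRef(doc);                   /* call [ecx+4]    */
}

/* Script-visible sequence: create document, attach function pointer, release
 * document, refill memory, touch function pointer. Returns 1 if payload ran. */
static int run_scenario(void (*ctor)(CFunctionPointer *, Document *)) {
    CFunctionPointer f;
    g_slot_in_use = 0; g_payload_ran = 0;
    Document *doc = document_create();
    ctor(&f, doc);
    doc->vtbl->Release(doc);                  /* script drops its only reference */
    attacker_refill_freed_memory();
    cfp_PrivateAddRef(&f);
    return g_payload_ran;
}

int run_vulnerable(void) { return run_scenario(cfp_ctor_vulnerable); }
int run_fixed(void)      { return run_scenario(cfp_ctor_fixed); }

int main(void) {
    printf("vulnerable ctor: payload ran = %d\n", run_vulnerable());
    printf("fixed ctor:      payload ran = %d\n", run_fixed());
    return 0;
}
```

In the vulnerable run the document's refcount drops to zero on the script's Release, the slot is handed to the attacker, and the AddRef call goes through the fake vtable; in the fixed run the extra reference keeps the document alive, the refill fails because the slot is still owned, and PrivateAddRef reaches the real AddRef.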