MS15-1 0 6 JavaScript ArrayBuffer. slice any address read-vulnerability analysis-vulnerability warning-the black bar safety net

2016-06-20T00:00:00
ID MYHACK58:62201676108
Type myhack58
Reporter 佚名
Modified 2016-06-20T00:00:00

Description

2 0 1 5 year 8 month 1 3 day, Microsoft released the Update Patch security bulletin MS15-1 0 6, which contains the About Internet Explorer multiple vulnerabilities. Before, we have explained how to attack the VBScript engine inside the Filter function in the presence of type confusion vulnerabilities and how to exploit this vulnerability to hijack the IE code execution process. No matter what, we all need to bypass the ASLR protection in order to have a vulnerability in the browser to execute arbitrary code, with the front a loophole over the off ASLR is very difficult. Then, we look at how to attack another of the same disclosed in the MS15-1 0 6 vulnerabilities, as well as how off the address randomization. We are now coming to the discussion is the ZDI to the advisory ZDI-1 5-5 1 8 description of vulnerability: the JavaScript ArrayBuffer. slice Information Disclosure Vulnerability (CVE-2 0 1 5-6 0 5 3)。 References ZDI description: The specific flaw exists within the implementation of the ArrayBuffer. the slice method. By supplying specially crafted parameters, an attacker can read the contents of arbitrary memory locations. An attacker can use this information in conjunction with other vulnerabilities to execute code in the context of the process. 0x01 binary comparison The ratio of the sample is jscript9.dll 5.8.9600.18036(vulnerability version and jscript9.dll 5.8.9600.18052(fix version, and the previous article, the test platform is 6 4-bit windows8. 1 and IE11. ZDI description mentioned in the question appear in the JavaScript ArrayBuffer. the slice method, by comparing two different versions of the DLL file, you can determine the function Js::ArrayBuffer::EntrySlice()patch. ! MSDN about ArrayBuffer. slice description: ! This function processes substantially the preview contrast is as follows: ! Enter the function Js::ArrayBuffer::EntrySlice()detailed look, and note the red box inside the code: ! The right of the red box inside, added Js::ArrayBuffer::EntrySlice()function check: the patch after the version check. ArrayBuffer structure body offset 0x10 bytes of the content, if this is not 0, then throw a TypeError exception. But...ArrayBuffer structure body offset 0x10-byte members? Observe the following Js::ArrayBuffer class, at initialization time offset 0x10 of the position is set to 0, Then the function Js::ArrayBuffer::CreateNeuteredState()will offset 0x10 here the value is set to its parameters: ! (Translator: CreateNeuteredState()this function name inside of the Neutered is neutered, sterilization mean) So, this offset 0x10, the contents of the field marks the ArrayBuffer is to be ligated, that is, if a ligation of ArrayBuffe call the slice()method, then it will throw a TypeError exception. To know the patches meaning, I immediately thought of this bug and before Pwn2Own2014 attack on the FireFox method is somewhat similar to: https://bugzilla.mozilla.org/show_bug.cgi?id=982974 0x02 ligation ArrayBuffer So, what exactly is the ligation of the ArrayBuffer to? Just like the described here,"when one ArrayBuffer object is passed to another thread when the original thread in the ArrayBuffer object will be ligated to--the original object length field is set to 0; its members where the memory is separate to your relationship is to the purpose of the thread; the purpose of the thread will create a new ArrayBuffer object, this object contains the passed over of the original members of the object where the memory, so that the original members of the Object content does not need to be copied." In other words, when an ArrayBuffer object to be ligated, its length becomes 0, the object point to the members of the memory pointer is set to NULL. Want to ligation of an ArrayBuffer object, can bring him from the Web Worker to pass out. The next question is: how can the ArrayBuffer from the Web Worker passing out? Quoted in http://www. html5rocks. com/en/tutorials/webgl/typed_arrays/: Transferable objects in postMessage make passing binary data to other windows and Web-Workers a great deal faster. When you send an object to a Worker as a Transferable, the object becomes inaccessible in the sending thread and the receiving Worker gets ownership of the object. This allows for a highly optimized implementation where the sent data is not copied, just the ownership of the Typed Array is transferred to the receiver. To use Transferable objects with Web Workers, you need to use the webkitPostMessage method on the worker. The webkitPostMessage method works just like postMessage, but it takes two arguments instead of just one. The added second argument is an array of objects you wish to transfer to the worker. worker. webkitPostMessage(oneGBTypedArray, [oneGBTypedArray]); Currently, we found, create an ArrayBuffer object, and then through the postMessage()is passed to the Web Worker, in this case, the ArrayBuffer is ligation(length becomes 0, the data pointer is set to null). But, the vulnerability? IE do it and FireFox the same thing when running ArrayBuffer. the slice()method, code the logic to save the ArrayBuffer in the current effective byteLength: a ! When the ArrayBuffer. the slice()method the parameter is not primitive type, it will call the current passed in object's member function valueOf () it. This process occurs in Js::ArrayBuffer::GetIndexFromVar()function inside.

[1] [2] [3] [4] next