lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0273B67044957C41BD71D12EBA2E00AE08C62E@becca.LarrySeltzer.local>
Date: Thu, 4 Jan 2007 17:36:43 -0500
From: Larry Seltzer <Larry@...ryseltzer.com>
To: Michal Zalewski <lcamtuf@...ne.ids.pl>, bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)

I hope you're still not angry! 

I just tried your demo on IE7. It took a while longer but does seem to
have locked up. Were you looking at IE6 or IE7, and is the behavior any
different?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer@...fdavis.com 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Michal
Zalewski
Sent: Thursday, January 04, 2007 5:22 PM
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Concurrency strikes MSIE (potentially
exploitablemsxml3 flaws)

A while ago, apparently angry with Larry Seltzer, I penned a quick
write-up on the possible issues with race conditions triggered by
asynchronous browser events (such as JavaScript timers) colliding with
synchronous content rendering:

  http://seclists.org/vulnwatch/2006/q3/0023.html

This is in principle similar to signal handling bugs. I gave an example
of a seemingly exploitable flaw in Firefox (see MFSA2006-59 report for
more details), but did mention that other browsers are unlikely to be
immune.

Today, inspired by Brian Krebs' report on MSIE's stellar track of
security response that we all owe to responsible disclosure, I thought
it would be a brilliant idea to test MSIE for the same class of problems
(they had half a year to take notice of my original rant).

Hey, and - no peeking! - guess what happened?

A quick demonstration of how MSIE succumbs to such problems would be to
prepare an XML file that contains a bunch of nested tags (10-1000 is
fine), then display it in IFRAME, repeatedly disrupting the rendering
process with a Javascript timer that forces the frame to be reloaded
every 50-100 miliseconds or so.

After just a couple reloads, MSIE will freeze, then crash in a random
manner in the vicinity of msxml3 module. I observed seemingly harmless
NULL pointer dereferences, writes to bogus addresses, reads from
unallocated memory, and various other signs of memory corruption typical
of such race conditions. The exact mode of crash depends on precise
timing and the contents of browser memory (previously / concurrently
displayed pages, contents of the rest of the document), but this is
obviously well within the control of a determined attacker.

As such, it is my guess that although (as with all race conditions) this
would be fairly hard to exploit remotely in a reliable way, it is within
the realm of possibility.

A quick "vanilla" but reasonably reliable demo that will probably freeze
then crash your browser on a NULL pointer dereference (or sometimes a
mangled target pointer on REP MOVSW or something along these lines, if
you came there from some other website) can be found at:

  http://lcamtuf.coredump.cx/iediex/iediex.html

...try using the 'genie.sh' utility provided in the same directory to
generate more elaborate test cases that, combined with additional
contents of the pages will likely trigger more interesting memory
corruption scenarios.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ