Message-ID: <7593cf141001172135qcf83691oefe1d1ec4149e774@mail.gmail.com>
Date: Sun, 17 Jan 2010 23:35:03 -0600
From: ds.adv.pub@...il.com
To: bugtraq@...urityfocus.com
Subject: Code to mitigate IE event zero-day (CVE-2010-0249)

Here's a mitigation for the CVE-2010-0249 IE createEventObject
srcElement zero-day. Quite simply, it just disables the
createEventObject method by mangling its name in memory. If anyone
knows an important web application that uses createEventObject,
*please* respond to the mailing list.

Use this code at your own risk. It could contain mistakes, cause
problems with other software, and fail to protect your computer.

I've done some very basic testing on the following configurations:

* Windows 2000 SP4, IE6 SP1
* Windows XP (x86) SP3, IE 6 SP3
* Windows XP (x86) SP3, IE 7
* Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit)
* Windows XP x64 SP1, IE 7 (32-bit and 64-bit)
* Windows XP x64 SP2, IE 7 (32-bit and 64-bit)
* Windows XP x64 SP2, IE 8 (32-bit and 64-bit)
* Windows Vista (x86) SP2, IE 7
* Windows Vista (x86) SP2, IE 8

So far, I haven't been able to bypass the mitigation. I've tried 'for
(var n in document)' to discover the mangled method name (doesn't
enumerate it), I've tried 'document.x' in case the invalid surrogate
characters are ignored (doesn't work), and I've tried
'eval("document.x\ud...")' and 'eval(unescape("document.x%ud..."))'
(IE gives an "Invalid character" error). So do your worst.

To test the mitigation, you can use this pared-down proof-of-concept:

[body onload="for(var i=0; i!=10000; i++) ev.srcElement"]
[img src=. onerror="ev=createEventObject(event); outerHTML++"]

(Of course, replace [ and ] with < and > above. The 'for' loop is
just a kludge to make it more likely to crash.)

If you're interested in researching the vulnerability (using this
PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until
MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during
MSHTML!CImgHelper::Fire_onerror, but is later accessed during
MSHTML!CEventObj::get_srcElement.

-- Derek
View attachment "ieceo1.cpp.txt" of type "text/plain" (14138 bytes)
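
The message above describes disabling a method by overwriting its name in memory so that a lookup by the original name no longer matches. The sketch below shows that idea on a constructed UTF-16 name table; it is an added example, not the attached ieceo1.cpp or any code from the author. The table contents, the `_demo` entry, the helper names and the 0xD800 filler value are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <uchar.h>

/* Constructed NUL-separated UTF-16 name table (not real MSHTML data);
   the "_demo" entry is a made-up near miss to exercise exact matching. */
static char16_t tab[] = u"createElement\0createEventObject_demo\0createEventObject";
#define TAB_LEN (sizeof tab / sizeof tab[0])

/* Return the entry equal to `name` (exact match, not prefix), or NULL. */
static char16_t *find_name(const char *name) {
    for (size_t i = 0; i < TAB_LEN; i++) {
        char16_t *e = &tab[i];
        size_t k = 0;
        while (name[k] && e[k] == (char16_t)name[k]) k++;
        if (!name[k] && e[k] == 0) return e;
        while (tab[i]) i++;            /* advance to this entry's terminator */
    }
    return NULL;
}

/* Overwrite the name in place with 'x' + unpaired high surrogates. Length is
   kept, so nothing else in the table moves. 0xD800 is a constructed choice.
   On a real image the page would first need to be made writable. */
static char16_t *mangle_name(const char *name) {
    char16_t *e = find_name(name);
    if (!e) return NULL;
    e[0] = u'x';
    for (size_t k = 1; e[k]; k++) e[k] = 0xD800;
    return e;
}

/* 1 if every surrogate code unit in s is part of a valid pair. */
static int well_formed_utf16(const char16_t *s) {
    for (; *s; s++) {
        if (*s >= 0xD800 && *s <= 0xDBFF) {
            if (s[1] < 0xDC00 || s[1] > 0xDFFF) return 0;
            s++;
        } else if (*s >= 0xDC00 && *s <= 0xDFFF) return 0;
    }
    return 1;
}

int main(void) {
    char16_t *e = mangle_name("createEventObject");
    printf("patched=%d resolves=%d well_formed=%d\n", e != NULL,
           find_name("createEventObject") != NULL, e ? well_formed_utf16(e) : -1);
    return 0;
}
```

After the overwrite, neither the original name nor a bare "x" matches the entry, and the entry is no longer well-formed UTF-16, which lines up with the failed 'document.x' and eval attempts listed in the message.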