Date: Sun, 17 Jan 2010 23:35:03 -0600
Subject: Code to mitigate IE event zero-day (CVE-2010-0249)

Here's a mitigation for the CVE-2010-0249 IE createEventObject
srcElement zero-day.  Quite simply, it just disables the
createEventObject method by mangling its name in memory.  If anyone
knows an important web application that uses createEventObject,
*please* respond to the mailing list.

Use this code at your own risk.  It could contain mistakes, cause
problems with other software, and fail to protect your computer.

I've done some very basic testing on the following configurations:

 * Windows 2000 SP4, IE6 SP1
 * Windows XP (x86) SP3, IE 6 SP3
 * Windows XP (x86) SP3, IE 7
 * Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit)
 * Windows XP x64 SP1, IE 7 (32-bit and 64-bit)
 * Windows XP x64 SP2, IE 7 (32-bit and 64-bit)
 * Windows XP x64 SP2, IE 8 (32-bit and 64-bit)
 * Windows Vista (x86) SP2, IE 7
 * Windows Vista (x86) SP2, IE 8

So far, I haven't been able to bypass the mitigation.  I've tried 'for
(var n in document)' to discover the mangled method name (doesn't
enumerate it), I've tried 'document.x' in case the invalid surrogate
characters are ignored (doesn't work), and I've tried
'eval("document.x\ud...")' and 'eval(unescape("document.x%ud..."))'
(IE gives an "Invalid character" error).  So do your worst.

To test the mitigation, you can use this pared-down proof-of-concept:

  [body onload="for(var i=0; i!=10000; i++) ev.srcElement"]
  [img src=. onerror="ev=createEventObject(event); outerHTML++"]

(Of course, replace [ and ] with < and > above.  The 'for' loop is
just a kludge to make it more likely to crash.)

If you're interested in researching the vulnerability (using this
PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until
MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during
MSHTML!CImgHelper::Fire_onerror, but is later accessed during

-- Derek

Attachment: "ieceo1.cpp.txt" (text/plain, 14138 bytes)
