lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <BLU177-W10B78914FF9CE653335896C3670@phx.gbl>
Date: Sun, 14 Jul 2013 19:39:59 -0700
From: Yuhong Bao <yuhongbao_386@...mail.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: How I found CVE-2013-1310 in IE6 and IE7

(this is the plain text version of http://yuhongbao.blogspot.ca/2013/07/how-i-found-cve-2013-1310.html)

>From http://www.satzansatz.de/cssd/pseudocss.html under "Application instability: another element adjacent to the pseudo-element":
"Now, when such a .ipsum construct gains "layout" by a subset of layout properties (position: absolute; / float: any value; / display: inline-block; / zoom: 1;), what will happen? Right. Some will have to cancel the frozen process, others will have to reboot, data gets lost. Don't do it. (No, I don't link to a testcase here. IE7b3 is still crashing after scrolling/resizing. Depending on the memory already burned, you might have difficulties to stop the process...)"

I created this test manually (save http://www.satzansatz.de/cssd/pseudocss/pseudocss_t004.html and add zoom: 1 to .ipsum) and not only this bug is still in final IE7, I also noticed that there is also a potentially exploitable crash bug by opening the about box after opening this page. When this happens, it crashes with EIP at an address like 0x790070.

After this, by adding onclick="window.showModalDialog('target.htm')" to <p class="ipsum">, creating the target.htm, then opening the page and clicking inside the box, I triggered various crashes including attempts at executing data (note that IE7 do not enable DEP by default) and heap termination on corruption.

I turned full pageheap on and after I did so it crashes reliably at:
(360.51c): Access violation - code c0000005 (first/second chance not available)
eax=00000004 ebx=08042e78 ecx=0000000a edx=065acfa0 esi=08042e78 edi=065289c0
eip=3ceff096 esp=04d04ba8 ebp=04d04bf8 iopl=0         nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000                  efl=00000246
mshtml!CLineCore::AssignLine+0x37:
3ceff096 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MS fixed this bug in the May 2013 Cumulative Update for IE6 and IE7.

Here is http://www.satzansatz.de/cssd/pseudocss.html rendered in IE6 and IE7 before the patch:
http://imgur.com/qrcpNua

After the patch (notice it is the same rendering as IE8+ in IE7 compat mode):
http://imgur.com/BY6MTFc

Yuhong Bao 		 	   		  
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ