lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 26 Mar 2015 14:02:03 +0100
From: Berend-Jan Wever <berendjanwever@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] 1501H - MSIE 8 - F12 Developer Tools tooltips use-after-free

​TL;DR: Full disclosure of low risk 0-day in MSIE 8 after 60-day deadline
passed
without a fix.

1501H - MSIE 8 - F12 Developer Tools tooltips use-after-free
=====================================

Synopsis
--------
When using the Developer Tools of MSIE 8, one might hover the mouse over a
button in the "Script" tab, at which point a "tooltip" is shown. If one then
clicks the button, a use-after-free occurs.

Known affected software and attack vectors
------------------------------------------
  + MSIE 8

    An attacker would need to get a target user to open a specially crafted
    webpage. The attacker would then need to trick the target user into
hovering
    the mouse over a button until the tooltip is shown and then click the
    button.

Description
-----------
Open a new tab, and then open the Developer Tools by pressing F12, or
selecting it from the "Tools" menu. Then select the "Scripts" tab in the
Developer Tools window. Next hover the mouse over one of the buttons with
the
text "Start Debugging", "Run Script" and "Multi Line Mode"/"Single Line
Mode".
When a tooltip is shown, click the button. Here's what happens next with
paged
heap enabled:

(4dc.814): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b507fd0 ebx=00000200 ecx=06a48ea0 edx=00000001 esi=06a48ea0
edi=09a21fd0
eip=7427c0d6 esp=0b40f98c ebp=0b40f98c iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010202
comctl32!CToolTipsMgr::PopBubble+0xc:
7427c0d6 8b400c          mov     eax,dword ptr [eax+0Ch]
ds:0023:0b507fdc=????????

1:019> kP
ChildEBP RetAddr
0b40f98c 7427aa85 comctl32!CToolTipsMgr::PopBubble+0xc
0b40f9b4 741fc26a comctl32!CToolTipsMgr::HandleRelayedMessage+0x117
0b40faec 741fbf57 comctl32!CToolTipsMgr::ToolTipsWndProc+0x944
0b40fb18 7651c4e7 comctl32!CToolTipsMgr::s_ToolTipsWndProc+0x32
0b40fb44 7651c5e7 USER32!InternalCallWinProc+0x23
0b40fbbc 76515294 USER32!UserCallWinProcCheckWow+0x14b
0b40fbfc 76515582 USER32!SendMessageWorker+0x4d0
0b40fc1c 741fc235 USER32!SendMessageW+0x7c
0b40fc58 741f42aa comctl32!RelayToToolTips+0x49
0b40fc78 741ff5ee comctl32!TTSubclassProc+0x33
0b40fcdc 741ff490 comctl32!CallNextSubclassProc+0x3d
0b40fd3c 7651c4e7 comctl32!MasterSubclassProc+0x54
0b40fd68 7651c5e7 USER32!InternalCallWinProc+0x23
0b40fde0 7651cc19 USER32!UserCallWinProcCheckWow+0x14b
0b40fe40 7651cc70 USER32!DispatchMessageWorker+0x35e
0b40fe50 6e8e98ef USER32!DispatchMessageW+0xf
WARNING: Stack unwind information not available. Following frames may be
wrong.
0b40fe84 6e8ee3fb iedvtool+0x598ef
0b40fe9c 76ceee1c iedvtool+0x5e3fb
0b40fea8 770c37eb kernel32!BaseThreadInitThunk+0xe
0b40fee8 770c37be ntdll!__RtlUserThreadStart+0x70
0b40ff00 00000000 ntdll!_RtlUserThreadStart+0x1b

1:019> !heap -p -a @eax
    address 0b507fd0 found in
    _DPH_HEAP_ROOT @ 161000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr
VirtSize)
                                    b5119f4:          b507000
2000
    6fb3947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d
    7712620b ntdll!RtlDebugReAllocateHeap+0x00000033
    770ee4f0 ntdll!RtlReAllocateHeap+0x00000054
    741f27fe comctl32!CToolTipsMgr::AddTool+0x00000031
    741f28ca comctl32!CToolTipsMgr::ToolTipsWndProc+0x000009a4
    741fbf57 comctl32!CToolTipsMgr::s_ToolTipsWndProc+0x00000032
    7651c4e7 USER32!InternalCallWinProc+0x00000023
    7651c5e7 USER32!UserCallWinProcCheckWow+0x0000014b
    76515294 USER32!SendMessageWorker+0x000004d0
    76515582 USER32!SendMessageW+0x0000007c
    69cc8c71 jsdbgui+0x00028c71
    69cc8fa2 jsdbgui+0x00028fa2
    69cc903b jsdbgui+0x0002903b
    69cca6e2 jsdbgui+0x0002a6e2
    69cc5513 jsdbgui+0x00025513
    7651c4e7 USER32!InternalCallWinProc+0x00000023
    76535b7c USER32!UserCallDlgProcCheckWow+0x00000132
    765359f3 USER32!DefDlgProcWorker+0x000000a8
    7653a60e USER32!SendMessageWorker+0x00000340
    76515582 USER32!SendMessageW+0x0000007c
    741fc05d comctl32!CCSendNotify+0x000003e3
    741f364c comctl32!SendNotifyEx+0x00000063
    7427a9f4 comctl32!CToolTipsMgr::PopBubble+0x000000a3
    7427c016 comctl32!CToolTipsMgr::PopBubble+0x0000001c
    7427b50b comctl32!CToolTipsMgr::ShowVirtualBubble+0x00000010
    741fc26a comctl32!CToolTipsMgr::ToolTipsWndProc+0x00000944
    741fbf57 comctl32!CToolTipsMgr::s_ToolTipsWndProc+0x00000032
    7651c4e7 USER32!InternalCallWinProc+0x00000023
    7651c5e7 USER32!UserCallWinProcCheckWow+0x0000014b
    76515294 USER32!SendMessageWorker+0x000004d0
    76515582 USER32!SendMessageW+0x0000007c
    741fc235 comctl32!RelayToToolTips+0x00000049

Exploit
-------
Because the attacker vector appears highly unlikely to represent a risk to
any
user, I did not bother to do an in-depth investigation. However, the
use-after-
free occurs in the same process in which the web-page is rendered. This
suggests
that there may be a way for the web-page to reallocate the freed memory
before
its reuse and potentially exploit this issue. However, it appears that the
free
and re-use occur in a very short time span, which would make that rather
hard if
not impossible.

Notes
-----
I allow vendors 60 days to fix an issue, unless they can provide an adequate
reason for extending this deadline. Failure to meet a deadline without an
adequate explanation will normally result in public disclosure of
information
regarding the vulnerability to the general public.

Timeline
--------
23 January 2015: vulnerability discovered and reported to MSRC by email.
23 January 2015: email from MSRC acknowledges receipt of report.
25 March 2015: email to MSRC to notify them that deadline has been exceeded.
25 March 2015: Full disclosure of vulnerability details.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ