lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ae22d37c-d886-88c3-8f00-982952f78b7a@nwever.nl>
Date: Tue, 15 Nov 2016 10:15:11 +0100
From: Berend-Jan Wever <berendj@...ver.nl>
To: fulldisclosure@...lists.org, Bugtraq <bugtraq@...urityfocus.com>
Subject: [FD] Microsoft Edge edgehtml CAttr­Array::Destroy use-after-free details

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
eleventh entry in that series. Unfortunately I won't be able to publish
everything within one month at the current rate, so I may continue to
publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161115001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Edge edgehtml CAttrArray::Destroy use-after-free
==========================================================
(This fix and CVE number for this issue are not known)

Synopsis
--------
A specially crafted web-page can cause Microsoft Edge to free memory
used for a `CAttrArray` object. The code continues to use the data in
freed memory block immediately after freeing it. It does not appear that
there is enough time between the free and reuse to exploit this issue.

Known affected software and attack vectors
------------------------------------------
* Microsoft Edge 11.0.10240.16384
  An attacker would need to get a target user to open a specially
  crafted web-page. JavaScript is not necessarily required to trigger
  the issue.

Description
-----------
When an element is created and style properties are added, these are
stored in a `CAttrArray` object. A new `CAttrArray` is able to store up
to 8 properties. If more properties need to be stored, the code will
allocate memory for a larger `CAttrArray` and copy the existing
properties into this new object before freeing the old memory. The code
will then continue to use the freed memory almost immediately. In the
first repro, the "font" style property is the ninth property and
triggers this issue. In the second repro, the only property of a
`CAttrArray` is removed, at which point it is freed but no new object
is allocated. However, the code follows the same path and also reuses
the freed memory.

Exploit
-------
What little investigation I did appears to indicate that there is no way
to reallocate the freed memory before its reuse. It is therefore
probably not possible to exploit this issue that way. I did not
investigate how the freed memory is used by the code exactly, and I did
not look into other methods to exploit the issue. I did create a second
repro that triggers the issue "on-demand" from Javascript but, as is to
be expected, no Javascript is executed between the free and the re-use.

Time-line
---------
* September 2015: This vulnerability was found through fuzzing.
* September 2015: This vulnerability was submitted to ZDI.
* September 2015: This vulnerability was rejected by ZDI.
* November 2016: The issue no longer reproduces in Microsoft Edge.
* November 2016: Details of this issue are released.

Cheers,

SkyLined

Download attachment "0x2557C5AA.asc" of type "application/pgp-keys" (2036 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ