by binjo of code audit labs of vulnhunt.com
A 0-day affecting IE8 and later was disclosed by a foreign website. It was delivered by planting malicious code on the CFR (Council on Foreign Relations) website, a targeted attack against that site's visitors.
With help from @eromang and @yomuds we did a brief analysis. We found that the root cause is a use-after-free: a freed object is reused, corrupting memory, and with a carefully constructed heap layout an attacker can execute arbitrary code.
0:008> g
(ccc.d24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10ab0d0c ebx=0021e968 ecx=00000052 edx=00000000 esi=00000000 edi=00234568
eip=3dc66271 esp=016ad79c ebp=016ad80c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x504:
3dc66271 call dword ptr [eax+0DCh]  ds:0023:10ab0de8=????????
When IE8 renders the page it creates an mshtml!CButton object instance and stores the object pointer in the CDoc object.
That mshtml!CButton object is freed during garbage collection, but the reference to it held in the CDoc object is not released.
0:017> ba w1 234568
0:017> g
Breakpoint 4 hit
eax=3db50d10 ebx=009ac4f8 ecx=00234568 edx=00000000 esi=00234568 edi=00000000
eip=3de94aef esp=016aa47c ebp=016aa480 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CButton::`vector deleting destructor'+0xe:
3de94aef mov dword ptr [esi+28h],offset mshtml!CButton::`vftable' (3db582e0)  ds:0023:00234590={mshtml!CButton::`vftable' (3db582e0)}
0:008> kb
ChildEBP RetAddr  Args to Child
016aa480 3db80ad9 00000001 3db80abf 00000000 mshtml!CButton::`vector deleting destructor'+0xe
016aa488 3db80abf 00000000 00234568 016aa4ac mshtml!CBase::SubRelease+0x22
016aa498 3db5e76d 00234568 00000001 0019dae0 mshtml!CBase::PrivateRelease+0x3c
016aa4ac 3db5a976 00234568 0019dae0 016aa4d4 mshtml!CElement::PrivateRelease+0x29
016aa4bc 3db7709c 0019dae0 009a5278 00000001 mshtml!PlainRelease+0x25
016aa4d4 3e365194 0019dae0 00000001 3e364b8c mshtml!PlainTrackerRelease+0x14
016aa4e0 3e364b8c 009ab860 009a3ad8 00000000 jscript!VAR::Clear+0x5c
016aa508 3e3655b9 00000000 00000000 0015ab28 jscript!GcAlloc::ReclaimGarbage+0x91
016aa524 3e364d08 00000002 016aa598 00000000 jscript!GcContext::Reclaim+0xab
016aa538 3e364bfd 016aa598 009ad9e0 3e3f2dc8 jscript!GcContext::CollectCore+0x113
016aa54c 3e3d471d 016aa5a8 3e374327 009abd10 jscript!GcContext::Collect+0x51
016aa554 3e374327 009abd10 016aa5f8 016aa598 jscript!JsCollectGarbage+0x1d
016aa5bc 3e374aac 00000000 00000000 009acde0 jscript!NatFncObj::Call+0x103
016aa640 3e3728c5 009a45b8 009abd10 00000001 jscript!NameTbl::InvokeInternal+0x137
The attacker uses carefully constructed heap layout data to occupy the freed object's memory. When window.location later causes the page to be re-rendered, the stale object reference is used again, which gives control of eip and arbitrary code execution.
0:008> bc 4
0:008> g
after calling mshtml!CElement::FindDefaultElem...
eax=00234568 ebx=0021e968 ecx=00000052 edx=00000000 esi=00000000 edi=0021e968
eip=3dac4229 esp=016ad7a0 ebp=016ad80c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CMarkup::OnLoadStatusDone+0x4e1:
3dac4229 mov edi,eax
0:008> du eax
00234568  "??https://www.google.com/setting"
002345a8  "s/account"
0:008> db eax
00234568  0c 0d ab 10 68 00 74 00-74 00 70 00 73 00 3a 00  ....h.t.t.p.s.:.
00234578  2f 00 2f 00 77 00 77 00-77 00 2e 00 67 00 6f 00  /./.w.w.w...g.o.
00234588  6f 00 67 00 6c 00 65 00-2e 00 63 00 6f 00 6d 00  o.g.l.e...c.o.m.
00234598  2f 00 73 00 65 00 74 00-74 00 69 00 6e 00 67 00  /.s.e.t.t.i.n.g.
002345a8  73 00 2f 00 61 00 63 00-63 00 6f 00 75 00 6e 00  s./.a.c.c.o.u.n.
002345b8  74 00 00 00 00 00 00 00-a8 0f a6 ea 00 01 0c ff  t...............
002345c8  30 0b 0c 0c 68 00 74 00-74 00 70 00 73 00 3a 00  0...h.t.t.p.s.:.
002345d8  2f 00 2f 00 77 00 77 00-77 00 2e 00 67 00 6f 00  /./.w.w.w...g.o.
0:008> g
(ccc.d24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10ab0d0c ebx=0021e968 ecx=00000052 edx=00000000 esi=00000000 edi=00234568
eip=3dc66271 esp=016ad79c ebp=016ad80c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x504:
3dc66271 call dword ptr [eax+0DCh]  ds:0023:10ab0de8=????????
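To make the lifetime mistake concrete, here is an added C toy model (not code from this post and not MSHTML source): a reference-counted element whose pointer a document keeps without taking a reference, beside the corrected version in which the document takes its own reference. Element, Document, button_create and element_release are hypothetical stand-ins for CButton, CDoc and the CBase release path in the stack trace above.

```c
#include <stdlib.h>
/* Toy model of the lifetime bug described above: added example code, not
 * MSHTML source. Element stands in for mshtml!CButton, Document for CDoc. */
typedef struct Element Element;
typedef struct { void (*render)(Element *); } VTable;  /* like a vftable */
struct Element { const VTable *vtbl; int refcount; };
typedef struct { Element *default_elem; } Document;
static void button_render(Element *e) { (void)e; }
static const VTable button_vtbl = { button_render };
static Element *button_create(void) {          /* born with one reference */
    Element *e = malloc(sizeof *e);
    e->vtbl = &button_vtbl;
    e->refcount = 1;
    return e;
}
static void element_addref(Element *e) { e->refcount++; }
/* Returns 1 when this release freed the object (cf. CBase::PrivateRelease). */
static int element_release(Element *e) {
    if (--e->refcount > 0) return 0;
    free(e);
    return 1;
}

/* Buggy flow: the document stores a raw pointer without taking a reference,
 * so script garbage collection drops the last reference and frees the button
 * while doc.default_elem still points at it. Returns 1 if it now dangles. */
static int buggy_flow(void) {
    Document doc;
    Element *btn = button_create();
    doc.default_elem = btn;               /* uncounted pointer: no AddRef */
    int dangling = element_release(btn);  /* GC releases the script's reference */
    /* doc.default_elem->vtbl->render(...) here (the call dword ptr [eax+0DCh]
     * in the crash above) would read freed memory, so the model stops here. */
    return dangling;
}

/* Fixed flow: the document owns a counted reference, so the object outlives
 * the script's reference and is freed only when the document lets go. */
static int fixed_flow(void) {
    Document doc;
    Element *btn = button_create();
    doc.default_elem = btn;
    element_addref(btn);                  /* document co-owns the object */
    int dangling = element_release(btn);  /* GC: refcount 2 -> 1, still alive */
    if (!dangling)
        doc.default_elem->vtbl->render(doc.default_elem);  /* safe virtual call */
    element_release(doc.default_elem);    /* document teardown frees it */
    return dangling;
}
```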
Parts of the attack code can already be found by searching the Internet, and we expect this 0-day to be exploited on a large scale soon. For now, users should use a non-IE browser such as Google Chrome or Firefox to avoid the potential threat. We will keep following developments on this 0-day; stay tuned!
Reference links:
Update:
12/30: Microsoft has published an advisory for this vulnerability with a temporary workaround; an official patch has not yet been released.