Category: Network and Security
2012-06-25 16:53:27
The bug was an invalid pointer dereference in MSHTML.DLL when the code handles data binding. It's important to point out that there is no heap corruption and there is no heap-based buffer overrun!
When data binding is used, IE creates an object which contains an array of data binding objects. In the code in question, when a data binding object is released, the array length is not correctly updated leading to a function call into freed memory.
The vulnerable code looks a little like this (by the way, the real array name is _aryPXfer, but I figured ArrayOfObjectsFromIE is a little more descriptive for people not in the Internet Explorer team.)
    int MaxIdx = ArrayOfObjectsFromIE.Size()-1;
    for (int i=0; i <= MaxIdx; i++) {
        if (!ArrayOfObjectsFromIE[i])
            continue;
        ArrayOfObjectsFromIE[i]->TransferFromSource();
        ...
    }
Here's how the vulnerability manifests itself: if there are two data transfers with the same identifier (so MaxIdx is 2), and the first transfer updates the length of the ArrayOfObjectsFromIE array when its work was done and releases its data binding object, the loop count would still be whatever MaxIdx was at the start of the loop, 2.
This is a time-of-check-time-of-use (TOCTOU) bug that led to code calling into a freed memory block. The Common Weakness Enumeration (CWE) classification for this vulnerability is .
The fix was to check the maximum iteration count on each loop iteration rather than once before the loop starts; this is the correct fix for a TOCTOU bug - move the check as close as possible to the action because, in this case, the array size might change.
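The stale-bound loop and its re-checked replacement, as an added C++ model that is not the page's or MSHTML's code: the array of ints, the helper names and the "same identifier releases later entries" behaviour are constructed assumptions, and a read past the array's current end is counted instead of dereferenced so the difference between the two loops is measurable.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Each int stands in for one entry of the data-binding array (the page's
// ArrayOfObjectsFromIE); 0 models an empty (null) slot, which the loop skips.
// All names here are constructed for this example and are not MSHTML's.
struct RunResult {
    int transfers;      // entries whose transfer ran
    int staleAccesses;  // reads past the array's current end (in the real
                        // bug this is the call into freed memory)
};

// Models TransferFromSource(): after entry i finishes, every later entry with
// the same identifier is released and removed, so the array shrinks while the
// loop is still running.
static void transferFromSource(std::vector<int>& ids, std::size_t i) {
    int id = ids[i];  // copy, so erase() cannot invalidate the value we compare
    ids.erase(std::remove(ids.begin() + i + 1, ids.end(), id), ids.end());
}

// Loop bound captured once before the loop: the pre-fix pattern.
RunResult runStaleBound(std::vector<int> ids) {
    RunResult r{0, 0};
    int maxIdx = static_cast<int>(ids.size()) - 1;
    for (int i = 0; i <= maxIdx; i++) {
        if (static_cast<std::size_t>(i) >= ids.size()) {
            r.staleAccesses++;  // MaxIdx is stale; the entry no longer exists
            continue;
        }
        if (!ids[i]) continue;
        transferFromSource(ids, i);
        r.transfers++;
    }
    return r;
}

// Loop bound re-read on every iteration: the shape of the fix.
RunResult runRecheckedBound(std::vector<int> ids) {
    RunResult r{0, 0};
    for (std::size_t i = 0; i < ids.size(); i++) {
        if (!ids[i]) continue;
        transferFromSource(ids, i);
        r.transfers++;
    }
    return r;
}
```

With the constructed input {1, 0, 1, 2} the stale-bound loop performs two transfers and then touches index 3 after the array has shrunk to three entries; the re-checked loop performs the same two transfers and stops.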
Vulnerabilities of the same type
This vulnerability is hard to find through static code analysis or code review; Microsoft doesn't know how it was discovered either, and some in the security community say it was found by fuzzing.
This type of vulnerability is the one worth paying attention to: although it's an old thing, the same kind of problem may well be found again elsewhere.
As for exploitation, one of the captured samples contained a very impressive shellcode, which void analyzed on his blog, though it seems planet didn't aggregate it.
I'll excerpt it here:
This is the legendary universal shellcode that doesn't crash IE.
void's blog post: http://hi.baidu.com/54nop/blog/item/fb02e0fb945a07254e4aea2a.html
Finally, still on exploitation of the vulnerability: there were exploits embedded in doc files,
see a McAfee blog post:
Upon opening the word document the embedded ActiveX control with the following classid is instantiated and executed.
This control stores configuration data for the policy setting Microsoft Scriptlet Component.
The control then makes a request to the webpage hosting the IE 7 exploit. The charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal Doc file.