Wednesday, June 30, 2010

ZeroDay: Microsoft IE 'mshtml.dll' Remote Information Disclosure Vulnerability

Original Public Advisory

Sometimes, exploit writers would kill for a fixed address to pivot from. Nowadays, in the days of ASLR and DEP, any memory leak is welcome. Yesterday, Stefano Di Paola posted the following tweet.

After elaborating that weird behaviour I discovered a flaw in mshtml.dll, exploitable via Internet Explorer. In VBScript/JScript there are at least two functions that make use of timers: setTimeout and setInterval. According to the documentation, the return value should be a Timer ID. In Chrome and FF [Firefox] this ID is purely sequential (1, 2, 3, 4...), but in IE I was getting "weird" IDs. Later on I discovered that those IDs turned out to be a heap address plus a counter.


Products affected: XP/Vista/Windows 7, 32/64 bit, with IE8. IE9 is not vulnerable.


In plain English, this technique could be used to bypass ASLR, or at least to make it a less effective protection layer.
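A small check for the behaviour described above, written as an added example for this post (it is not code from the advisory or from Microsoft): it collects a run of timer IDs and tells a fresh counter (1, 2, 3, ...) apart from a counter that starts at a large fixed value, which is the pattern the advisory attributes to IE8. The timer factory is injected, so the constructed `makeFakeScheduler` below stands in for `window.setTimeout` and the code runs offline; in a browser you would pass `setTimeout` and `clearTimeout` instead.

```javascript
// Added example: classify setTimeout/setInterval return values.
// A well-behaved engine hands out a small sequential counter; the IE8
// behaviour the post describes is a constant base plus that counter.

// Collect n timer IDs. `scheduleFn` is injected so this also runs under
// Node, where setTimeout returns an object rather than a number.
function collectTimerIds(scheduleFn, n, clearFn) {
  const ids = [];
  for (let i = 0; i < n; i++) {
    const id = scheduleFn(() => {}, 0);
    ids.push(Number(id));
  }
  if (clearFn) ids.forEach(id => clearFn(id)); // do not leave timers armed
  return ids;
}

// Both the expected case and the leaking case step by a constant (usually 1);
// what separates them is whether the run starts near zero or at a large value.
// `maxExpectedStart` is an assumed heuristic threshold, not a documented value.
function classifyTimerIds(ids, maxExpectedStart = 1 << 16) {
  if (ids.length < 2) throw new Error('need at least two IDs');
  const deltas = ids.slice(1).map((v, i) => v - ids[i]);
  const steady = deltas.every(d => d === deltas[0] && d > 0);
  if (!steady) return { pattern: 'irregular', offset: null };
  if (ids[0] <= maxExpectedStart) return { pattern: 'sequential', offset: 0 };
  // A steady counter that begins at a large number is consistent with a
  // constant base added to the counter, i.e. the information leak.
  return { pattern: 'offset-counter', offset: ids[0] };
}

// Constructed stand-in for a browser timer API: returns base + running count.
function makeFakeScheduler(base) {
  let count = 0;
  return (_callback, _delay) => base + (++count);
}

// Stand-alone usage: a clean engine versus the constructed leaking pattern.
const clean = collectTimerIds(makeFakeScheduler(0), 5);
const leaky = collectTimerIds(makeFakeScheduler(0x0c1a0000), 5); // constructed base
console.log(clean, classifyTimerIds(clean).pattern);   // sequential
console.log(leaky, classifyTimerIds(leaky).pattern);   // offset-counter
```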

More info here.
