Latest IE 0day vulnerability, affecting IE 8 and above; drive-by exploit pages for IE 8 and above
New IE 0day coming: mshtml!CDwnBindInfo object use-after-free vulnerability
A 0day affecting IE 8 and later has been disclosed by a foreign website. It was planted on the CFR (Council on Foreign Relations) website as a drive-by exploit page, in a targeted attack against that site's visitors.
With help from @eromang and @yomuds, we performed a brief analysis. The root cause is a use-after-free of an mshtml!CDwnBindInfo object, which leads to memory corruption; by carefully crafting the heap layout, an attacker can execute arbitrary code.
0:015> bl
 0 e 3dc4ec35     0001 (0001)  0:**** mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c ".echo after init mshtml!CDwnBindInfo obj;du poi(esp+34);r;kb 3;"
 2 eu             0001 (0001)  (jscript!JsAtan2) ".printf \"%mu\", poi(poi(poi(esp+14)+8)+8);.echo;g"
0:015> g
.........
fire in the hole!!!
after init mshtml!CDwnBindInfo obj
022f5fc4  "http://blog.vulnhunt.com/"
eax=032c3e80 ebx=00000000 ecx=00000000 edx=00000054 esi=00236a88 edi=08000000
eip=3dc4ec35 esp=016aa220 ebp=016aa248 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c:
3dc4ec35        test    eax,eax
ChildEBP RetAddr  Args to Child
016aa248 3dce606e 00236a88 022f5fc4 022f5cac mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c
016aa340 3db8fbf5 001f73d8 00000000 00000000 mshtml!CDoc::FollowHyperlink2+0xa27
016aa3e8 3db8fb2c 001f73d8 00000000 00000040 mshtml!CWindow::FollowHyperlinkHelper+0x1ce
eax=032c3e80 ebx=00000000 ecx=00000000 edx=00000054 esi=00236a88 edi=08000000
eip=3dc4ec35 esp=016aa220 ebp=016aa248 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c:
3dc4ec35        test    eax,eax
0:008> bl
 0 e 3dc4ec35     0001 (0001)  0:**** mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c ".echo after init mshtml!CDwnBindInfo obj;du poi(esp+34);r;kb 3;g"
 1 d 032c3e80 w 1 0001 (0001)  0:****
 2 e 3e388f09     0001 (0001)  0:**** jscript!JsAtan2 ".printf \"%mu\", poi(poi(poi(esp+14)+8)+8);.echo;g"
fire in the hole!!!
object freed
after init mshtml!CDwnBindInfo obj
002445ac  "http://10.0.2.2:9090/??/happy/ne"
002445ec  "w/year/from/blog.vulnhunt.com/"
eax=032c2da0 ebx=00000000 ecx=00000000 edx=00000054 esi=00236a88 edi=08000000
eip=3dc4ec35 esp=016aa070 ebp=016aa098 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c:
3dc4ec35        test    eax,eax
ChildEBP RetAddr  Args to Child
016aa098 3dce606e 00236a88 002445ac 022f5cac mshtml!CDoc::SetupDwnBindInfoAndBindCtx+0x2c
016aa190 3db8fbf5 001f7568 00000000 00000000 mshtml!CDoc::FollowHyperlink2+0xa27
016aa238 3db8fb2c 001f7568 00000000 00000040 mshtml!CWindow::FollowHyperlinkHelper+0x1ce
(cfc.d28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10ab0d0c ebx=001fb488 ecx=00000052 edx=00000000 esi=00000000 edi=032c3e80
eip=3dc66271 esp=016ad79c ebp=016ad80c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x504:
3dc66271        call    dword ptr [eax+0DCh]  ds:0023:10ab0de8=????????
When IE renders the page and JavaScript assigns location.href, CDoc::SetupDwnBindInfoAndBindCtx creates an mshtml!CDwnBindInfo object instance and stores the object pointer in the CDoc object.
HRESULT __cdecl CDoc::SetupDwnBindInfoAndBindCtx(int a1, int a2, HRESULT a3, int pcszURL, int a5, int a6, int a7, int a8, int a9, int a10, IBindCtx **ppBC, int a12, char a13, IUnknown *ppstgOpen)
{
  …
  v58 = 0;
  if ( HeapAlloc(g_hProcessHeap, 8u, 0x54u) )
    v22 = CDwnBindInfo::CDwnBindInfo();   /* allocated mshtml!CDwnBindInfo object (0x54 bytes) */
  else
    v22 = 0;
  *(_DWORD *)a10 = v22;                   /* object pointer saved through a10 into the CDoc */
  if ( !v22 )
    goto LABEL_145;
  lpString = (LPCWSTR)(a12 & 0x100);
  if ( a12 & 0x100 )
    *(_DWORD *)(v22 + 80) |= 8u;
  if ( CDwnDoc::operator new() )
  {
    v23 = CDwnDoc::CDwnDoc();
    v57 = v23;
  }
  …
This mshtml!CDwnBindInfo object is released in mshtml!CDoc::FollowHyperlink2, but the reference to it held in the CDoc object is not cleared.
0:008> ba w1 032c3e80
0:008> g
Breakpoint 1 hit
eax=02257130 ebx=00000000 ecx=032c3e80 edx=001794e8 esi=032c3e80 edi=032c3e80
eip=3db2b04c esp=016aa24c ebp=016aa25c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CDwnBindInfo::~CDwnBindInfo+0x11:
3db2b04c        mov     dword ptr [edi+10h],offset mshtml!CDwnBindInfo::`vftable' (3db5d634) ds:0023:032c3e90={mshtml!CDwnBindInfo::`vftable' (3db5d634)}
0:008> knL 10
 # ChildEBP RetAddr
00 016aa250 3dc4ece5 mshtml!CDwnBindInfo::~CDwnBindInfo+0x11
01 016aa25c 3db2a92d mshtml!CDwnBindInfo::`scalar deleting destructor'+0xd
02 016aa268 3db2a91f mshtml!CBaseFT::SubRelease+0x1f
03 016aa274 3db2ac05 mshtml!CBaseFT::Release+0x22
04 016aa27c 3dc4ff0c mshtml!CDwnBindInfo::Release+0x10
05 016aa340 3db8fbf5 mshtml!CDoc::FollowHyperlink2+0xe22
06 016aa3e8 3db8fb2c mshtml!CWindow::FollowHyperlinkHelper+0x1ce
07 016aa440 3dc3933a mshtml!CWindow::NavigateEx+0x155
08 016aa4c0 3e373a9a mshtml!COmLocationProxy::InvokeEx+0x2ab
09 016aa500 3e3739e6 jscript!IDispatchExInvokeEx2+0xf8
0a 016aa53c 3e374f26 jscript!IDispatchExInvokeEx+0x6a
0b 016aa5fc 3e374e80 jscript!InvokeDispatchEx+0x98
0c 016aa630 3e372d6d jscript!VAR::InvokeByName+0x135
0d 016aa678 3e372921 jscript!VAR::InvokeDispName+0x7a
0e 016aa80c 3e3713ab jscript!CScriptRuntime::Run+0x2061
0f 016aa8f4 3e3712e5 jscript!ScrFncObj::CallWithFrameOnStack+0xff
The attacker fills the freed object's memory with carefully crafted heap-layout data; when a later window.location change triggers a re-render of the page, the stale object is referenced again, giving control of eip and arbitrary code execution.
Part of the attack code can already be found by searching the Internet, and we expect this 0day to be exploited on a large scale soon. Users should switch to a non-IE browser such as Google Chrome or Firefox for now to avoid the potential threat. We will keep following this 0day vulnerability; stay tuned!
Reference links:
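To make the lifetime bug described above concrete, here is an added C model (our own illustration, not mshtml's code; the struct layout, names and URL are invented): the buggy path stores the binding object's pointer in the document without taking a reference, so the caller's Release destroys the object while the document still points at it; the fixed path takes its own reference and drops it at teardown.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a COM-style refcounted binding object.
 * The layout is invented and is not mshtml's real CDwnBindInfo. */
typedef struct BindInfo {
    long refcount;
    int  freed;       /* model only: set when the count hits zero instead of calling free() */
    char url[64];
} BindInfo;

/* Hypothetical stand-in for the CDoc field that keeps the pointer. */
typedef struct Doc { BindInfo *bind_info; } Doc;

static BindInfo *bindinfo_create(const char *url) {
    BindInfo *b = calloc(1, sizeof *b);
    b->refcount = 1;                        /* creator holds the first reference */
    strncpy(b->url, url, sizeof b->url - 1);
    return b;
}
static void bindinfo_addref(BindInfo *b)  { b->refcount++; }
static void bindinfo_release(BindInfo *b) { if (--b->refcount == 0) b->freed = 1; }

/* Buggy pattern: the document keeps a raw pointer without taking a reference. */
static void doc_store_buggy(Doc *d, BindInfo *b) { d->bind_info = b; }
/* Fixed pattern: storing the pointer counts as a reference, released at teardown. */
static void doc_store_fixed(Doc *d, BindInfo *b) { d->bind_info = b; bindinfo_addref(b); }
static void doc_teardown(Doc *d) {
    if (d->bind_info) { bindinfo_release(d->bind_info); d->bind_info = NULL; }
}

/* Returns 1 if the document is left pointing at an already-destroyed object
 * (the dangling reference that a later re-render would dereference), else 0. */
static int simulate_navigation(int use_fix) {
    Doc doc = { NULL };
    BindInfo *b = bindinfo_create("http://example.invalid/");  /* constructed sample URL */
    if (use_fix) doc_store_fixed(&doc, b); else doc_store_buggy(&doc, b);
    bindinfo_release(b);                    /* the caller's Release, as FollowHyperlink2 does */
    int dangling = doc.bind_info != NULL && doc.bind_info->freed;
    if (!dangling) doc_teardown(&doc);      /* buggy path: doc still holds the dead pointer */
    free(b);                                /* real free, once nothing inspects the object */
    return dangling;
}

int main(void) {
    printf("buggy: dangling=%d\n", simulate_navigation(0));
    printf("fixed: dangling=%d\n", simulate_navigation(1));
    return 0;
}
```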
2. http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html