How I found CVE-2013-1310 in IE6 and IE7
From http://www.satzansatz.de/cssd/pseudocss.html#fltadjacent:
"Now, when such a .ipsum construct gains "layout" by a subset of layout properties (position: absolute; / float: any value; / display: inline-block; / zoom: 1;), what will happen? Right. Some will have to cancel the frozen process, others will have to reboot, data gets lost. Don't do it. (No, I don't link to a testcase here. IE7b3 is still crashing after scrolling/resizing. Depending on the memory already burned, you might have difficulties to stop the process...)"
I created this test manually (save http://www.satzansatz.de/cssd/pseudocss/pseudocss_t004.html and add zoom: 1 to .ipsum) and not only this bug is still in final IE7, I also noticed that there is also a potentially exploitable crash bug by opening the about box after opening this page. When this happens, it crashes with EIP at an invalid address.
After this, by adding onclick="window.showModalDialog('target.htm')" to <p class="ipsum">, creating the target.htm, then opening the page and clicking inside the box, I triggered various crashes including attempts at executing data (note that IE7 do not enable DEP by default) and heap termination on corruption.
I turned full pageheap on and after I did so it crashes reliably at:
MS fixed this bug in the May 2013 Cumulative Update for IE6 and IE7.
Here is http://www.satzansatz.de/cssd/pseudocss/pseudocss_t004.html rendered in IE6 and IE7 before the patch:
After the patch (notice it is the same rendering as IE8+ in IE7 compat mode):
"Now, when such a .ipsum construct gains "layout" by a subset of layout properties (position: absolute; / float: any value; / display: inline-block; / zoom: 1;), what will happen? Right. Some will have to cancel the frozen process, others will have to reboot, data gets lost. Don't do it. (No, I don't link to a testcase here. IE7b3 is still crashing after scrolling/resizing. Depending on the memory already burned, you might have difficulties to stop the process...)"
I created this test manually (save http://www.satzansatz.de/cssd/pseudocss/pseudocss_t004.html and add zoom: 1 to .ipsum) and not only this bug is still in final IE7, I also noticed that there is also a potentially exploitable crash bug by opening the about box after opening this page. When this happens, it crashes with EIP at an invalid address.
After this, by adding onclick="window.showModalDialog('target.htm')" to <p class="ipsum">, creating the target.htm, then opening the page and clicking inside the box, I triggered various crashes including attempts at executing data (note that IE7 do not enable DEP by default) and heap termination on corruption.
I turned full pageheap on and after I did so it crashes reliably at:
(360.51c): Access violation - code c0000005 (first/second chance not available) eax=00000004 ebx=08042e78 ecx=0000000a edx=065acfa0 esi=08042e78 edi=065289c0 eip=3ceff096 esp=04d04ba8 ebp=04d04bf8 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 mshtml!CLineCore::AssignLine+0x37: 3ceff096 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MS fixed this bug in the May 2013 Cumulative Update for IE6 and IE7.
Here is http://www.satzansatz.de/cssd/pseudocss/pseudocss_t004.html rendered in IE6 and IE7 before the patch:
After the patch (notice it is the same rendering as IE8+ in IE7 compat mode):
This comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDeleteGreat post! I have read a few of the articles on your website now, and I really like your style. Thanks a million and please keep up the effective work. https://timviecmarketing.com/uid-facebook-la-gi-meo-lay-uid-facebook-don-gian-nhat-2263.html
ReplyDelete