[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GreenBrowser iframe content Double Free Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: GreenBrowser iframe content Double Free Vulnerability
From: vuln@xxxxxxxxxxx
Date: Thu, 12 Jan 2012 07:02:19 GMT

GreenBrowser searchbar <iframe> content Double Free Vulnerability
------------------------------------------------------------------
I. Summary
All versions of GreenBrowser is prone to a vulnerability which leads to 
arbitrary code execution. A Double Free of iframe object is triggered by its 
shortcut button F6 (use to search the content of current page). A simple poc 
html that cause the corruption contains: <iframe 
src="Any_File_Will_Do.swf"></iframe>
Other file extension such as xml may tigger this corruption either. Open this 
page and press F6 (this is the shortcut button to use searchbar), then press F5 
to refresh this page, an error window of memory corruption will pop up. Close 
this page, close the whole GreenBrowser or jump to another page also trigger 
the problem since this double free occurs when iframe object is released.
------------------------------------------------------------------
II. Description
GreenBrowser is a IEcore based browser. A specified crafted page could lead to 
the execution of shellcode. Using some JavaScript to refresh the page can let 
shellcode execute automatically after a press of F6.
Search bar exists in many browsers, used mostly for a quick search over 
different searching engine such as Google and Bing. GreenBrowser defines a 
shortcut button F6 used to search the content of current web page (including 
the content inside iframe) for text inside the search bar. After a press of F6 
for a web page with a iframe points to a flash or xml, GreenBrowser will call 
ieframe.dll!CFindEngine::DisconnectDocument then 
mshtml.dll!CDocument::PrivateRelease. When the page is refreshing or closing, 
GreenBrowser will call mshtml.dll!CDocument::PrivateRelease to release the 
iframe object  again. Since CDocument object has already been released once, 
another call of CDocument::PrivateRelease will use a released memory (could be 
shellcode using HeapSpray) as virtual function table, thus leading to a code 
execution vulnerability. Advanced memory attacking techniques such as 
HeapFengShui or JIT-Spray could be used to build a stable exploit. 

A detailed analysis and a POC of this vulnerability could be downloaded from 
here:
http://www.hhjack.com.cn/report/GreenBrowserDF.rar (18.5 MB).
Old and lastest version of GreenBrowser has been tested under Windows 7 and 
Windows XP.
------------------------------------------------------------------
III. Impact
Code execution
------------------------------------------------------------------
IV. Affected
All versions of GreenBrowser up to latest 6.0.1002 with Windows XP and Windows 
7.
Other versions of windows may also be affected.
------------------------------------------------------------------
V. Solution
There is no known workaround at this time.
------------------------------------------------------------------
VI. Credit
The penetration test team Of NCNIPC (China) is credited for this vulnerability.

Prev by Date: [security bulletin] HPSBPI02698 SSRT100404 rev.2 - HP Easy Printer Care Software Running on Windows, Remote Execution of Arbitrary Code
Next by Date: [SECURITY] [DSA 2386-1] openttd security update
Previous by thread: [security bulletin] HPSBPI02698 SSRT100404 rev.2 - HP Easy Printer Care Software Running on Windows, Remote Execution of Arbitrary Code
Next by thread: [SECURITY] [DSA 2386-1] openttd security update
Index(es):
- Date
- Thread