[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] How I found CVE-2013-1310 in IE6 and IE7
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] How I found CVE-2013-1310 in IE6 and IE7
- From: Yuhong Bao <yuhongbao_386@xxxxxxxxxxx>
- Date: Sun, 14 Jul 2013 19:39:59 -0700
(this is the plain text version
of http://yuhongbao.blogspot.ca/2013/07/how-i-found-cve-2013-1310.html)
From http://www.satzansatz.de/cssd/pseudocss.html under "Application
instability: another element adjacent to the pseudo-element":
"Now, when such a .ipsum construct gains "layout" by a subset of layout
properties (position: absolute; / float: any value; / display: inline-block; /
zoom: 1;), what will happen? Right. Some will have to cancel the frozen
process, others will have to reboot, data gets lost. Don't do it. (No, I don't
link to a testcase here. IE7b3 is still crashing after scrolling/resizing.
Depending on the memory already burned, you might have difficulties to stop the
process...)"
I created this test manually (save
http://www.satzansatz.de/cssd/pseudocss/pseudocss_t004.html and add zoom: 1 to
.ipsum) and not only this bug is still in final IE7, I also noticed that there
is also a potentially exploitable crash bug by opening the about box after
opening this page. When this happens, it crashes with EIP at an address like
0x790070.
After this, by adding onclick="window.showModalDialog('target.htm')" to <p
class="ipsum">, creating the target.htm, then opening the page and clicking
inside the box, I triggered various crashes including attempts at executing
data (note that IE7 do not enable DEP by default) and heap termination on
corruption.
I turned full pageheap on and after I did so it crashes reliably at:
(360.51c): Access violation - code c0000005 (first/second chance not available)
eax=00000004 ebx=08042e78 ecx=0000000a edx=065acfa0 esi=08042e78 edi=065289c0
eip=3ceff096 esp=04d04ba8 ebp=04d04bf8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mshtml!CLineCore::AssignLine+0x37:
3ceff096 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MS fixed this bug in the May 2013 Cumulative Update for IE6 and IE7.
Here is http://www.satzansatz.de/cssd/pseudocss.html rendered in IE6 and IE7
before the patch:
http://imgur.com/qrcpNua
After the patch (notice it is the same rendering as IE8+ in IE7 compat mode):
http://imgur.com/BY6MTFc
Yuhong Bao
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/