Throughout November, I plan to release details on vulnerabilities I found in web-browsers which I've not released before. This is the eleventh entry in that series. Unfortunately I won't be able to publish everything within one month at the current rate, so I may continue to publish these through December and January. The below information is available in more detail on my blog at http://blog.skylined.nl/20161115001.html. Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Edge edgehtml CAttrArray::Destroy use-after-free
==========================================================
(The fix and CVE number for this issue are not known)

Synopsis
--------
A specially crafted web-page can cause Microsoft Edge to free memory used for a `CAttrArray` object. The code continues to use the data in the freed memory block immediately after freeing it. It does not appear that there is enough time between the free and reuse to exploit this issue.

Known affected software and attack vectors
------------------------------------------
* Microsoft Edge 11.0.10240.16384

An attacker would need to get a target user to open a specially crafted web-page. JavaScript is not necessarily required to trigger the issue.

Description
-----------
When an element is created and style properties are added, these are stored in a `CAttrArray` object. A new `CAttrArray` is able to store up to 8 properties. If more properties need to be stored, the code will allocate memory for a larger `CAttrArray` and copy the existing properties into this new object before freeing the old memory. The code will then continue to use the freed memory almost immediately. In the first repro, the "font" style property is the ninth property and triggers this issue. In the second repro, the only property of a `CAttrArray` is removed, at which point it is freed but no new object is allocated. However, the code follows the same path and also reuses the freed memory.
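The grow-and-free sequence described above, modelled as an added C example. This is constructed for this page; it is neither Edge's `CAttrArray` code nor SkyLined's repro, and every name in it (`attr_array_t`, `attr_array_grow_buggy`, `attr_array_grow_fixed`, `poison_free`, `stored_with`) is an assumption. It keeps the advisory's numbers: a fresh array holds 8 properties and the ninth add forces a grow. The buggy grow allocates, copies and frees in that order and then reads the old block's header; the fixed grow reads everything it needs before freeing. The free is wrapped in a quarantining `poison_free` that fills freed memory with a fixed byte, the way a debug heap does, so the stale read is caught deterministically instead of silently returning the old value.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a grow-on-demand property array (assumed layout, not
   Edge's). As in the advisory, a fresh array stores up to 8 properties. */
#define ATTR_INITIAL_CAPACITY 8
#define POISON_BYTE 0xDD          /* fill pattern a debug heap applies to freed blocks */

typedef struct { uint32_t id; uint32_t value; } attr_t;   /* constructed property record */

typedef struct {
    size_t count;
    size_t capacity;
    attr_t items[];               /* header and properties live in one heap block */
} attr_array_t;

static size_t block_size(size_t capacity) {
    return sizeof(attr_array_t) + capacity * sizeof(attr_t);
}

/* Quarantining free: fill the block with POISON_BYTE and keep it alive in a
   one-slot quarantine, so a read through a stale pointer deterministically
   sees poison instead of being undefined behaviour. With a plain free() the
   stale read would usually still return the old contents and go unnoticed. */
static void *g_quarantine = NULL;

static void poison_free(void *p, size_t n) {
    free(g_quarantine);           /* evict the previously quarantined block */
    memset(p, POISON_BYTE, n);
    g_quarantine = p;
}

attr_array_t *attr_array_new(void) {
    attr_array_t *a = calloc(1, block_size(ATTR_INITIAL_CAPACITY));
    a->capacity = ATTR_INITIAL_CAPACITY;
    return a;
}

/* BUGGY grow, in the order the advisory describes: allocate the larger block,
   copy, free the old block, then keep using the old block. */
attr_array_t *attr_array_grow_buggy(attr_array_t *old) {
    attr_array_t *grown = calloc(1, block_size(old->capacity * 2));
    grown->capacity = old->capacity * 2;
    memcpy(grown->items, old->items, old->count * sizeof(attr_t));
    poison_free(old, block_size(old->capacity));
    grown->count = old->count;    /* BUG: use-after-free; under the poisoning heap this reads 0xDD.. */
    return grown;
}

/* FIXED grow: everything needed from the old block is read before it is freed. */
attr_array_t *attr_array_grow_fixed(attr_array_t *old) {
    size_t count = old->count;
    size_t old_bytes = block_size(old->capacity);
    attr_array_t *grown = calloc(1, block_size(old->capacity * 2));
    grown->capacity = old->capacity * 2;
    grown->count = count;
    memcpy(grown->items, old->items, count * sizeof(attr_t));
    poison_free(old, old_bytes);
    return grown;
}

/* Adds one property, growing through the supplied grow routine when full.
   Returns 0 on success, -1 if the header is inconsistent after the grow,
   which is how the buggy path manifests under the poisoning heap. */
int attr_array_add(attr_array_t **pa, uint32_t id, uint32_t value,
                   attr_array_t *(*grow)(attr_array_t *)) {
    attr_array_t *a = *pa;
    if (a->count == a->capacity) {
        a = grow(a);
        *pa = a;
        if (a->count > a->capacity) return -1;   /* poisoned count: stale read detected */
    }
    a->items[a->count].id = id;
    a->items[a->count].value = value;
    a->count++;
    return 0;
}

/* Fresh array, n constructed properties with the given grow routine; returns
   how many were stored before the first failure. */
size_t stored_with(size_t n, attr_array_t *(*grow)(attr_array_t *)) {
    attr_array_t *a = attr_array_new();
    size_t stored = n;
    for (size_t i = 0; i < n; i++) {
        if (attr_array_add(&a, (uint32_t)i, (uint32_t)(i * 10), grow) != 0) { stored = i; break; }
    }
    free(a);
    return stored;
}

int main(void) {
    printf("buggy grow: %zu of 9 properties stored\n", stored_with(9, attr_array_grow_buggy));
    printf("fixed grow: %zu of 9 properties stored\n", stored_with(9, attr_array_grow_fixed));
    free(g_quarantine);
    return 0;
}
```

The point of the quarantine is the same one the advisory makes about exploitability: because nothing runs between the free and the reuse, the stale read normally returns whatever the block still contains and the bug is invisible in production. Only heap instrumentation that poisons freed memory (page heap, a sanitizer, or the small quarantine here) turns it into a deterministic, detectable failure, which is how this class of bug is found by fuzzing rather than by crashes in the field.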
Exploit
-------
What little investigation I did appears to indicate that there is no way to reallocate the freed memory before its reuse. It is therefore probably not possible to exploit this issue that way. I did not investigate how the freed memory is used by the code exactly, and I did not look into other methods to exploit the issue. I did create a second repro that triggers the issue "on-demand" from JavaScript but, as is to be expected, no JavaScript is executed between the free and the re-use.

Time-line
---------
* September 2015: This vulnerability was found through fuzzing.
* September 2015: This vulnerability was submitted to ZDI.
* September 2015: This vulnerability was rejected by ZDI.
* November 2016: The issue no longer reproduces in Microsoft Edge.
* November 2016: Details of this issue are released.

Cheers,
SkyLined
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/