[OOB] MSHTML!CPasteCommand::ConvertBitmaptoPng heap-based buffer overflow study

Posted by Ox9A82 on 2017-01-18

A study of the IE 11 MSHTML!CPasteCommand::ConvertBitmaptoPng heap-based buffer overflow

MS14-056, CVE-2014-4138

Timeline

8 May 2014: This vulnerability was submitted to ZDI.
9 June 2014: This vulnerability was acquired by ZDI.
23 June 2014: This vulnerability was disclosed to Microsoft by ZDI.
14 October 2014: This vulnerability was addressed by Microsoft in MS14-056.
21 December 2016: Details of this vulnerability are released.

Out-of-bounds access vulnerability
Affected version: Microsoft Internet Explorer 11.0.9600.16521

Overview

When an image is pasted into IE11, it is converted from BMP to PNG; the function MSHTML!CPasteCommand::ConvertBitmaptoPng performs this conversion.
The function allocates the buffer for the converted PNG image using the size of the source BMP image, but the two sizes are unrelated: if the resulting PNG is larger than the BMP, the read that copies the PNG into that buffer overflows it on the heap.

CPasteCommand::ConvertBitmaptoPng pseudocode

  Function prototype
    ConvertBitmaptoPng(
      [IN]  VOID*  poBitmap,
            UINT   uBitmapSize,
      [OUT] VOID** ppoPngImage,
            UINT*  puPngImageSize
    )

    {
      // BMP to PNG conversion
      CMemStm* poCMemStm;
      IWICStream* poWicBitmap;
      STATSTG oStatStg;
      TSmartArray<unsigned char> poPngImage;
      UINT uReadSize;
      ULARGE_INTEGER pPositionLow;
      // Create a CMemStm for the PNG image.
      CreateStreamOnHGlobal(NULL, TRUE, &poCMemStm);
      // Create an IWICStream from the BMP image.
      InitializeFromMemory(poBitmap, uBitmapSize,
          &GUID_ContainerFormatBmp, &poWicBitmap);
      // Write the BMP image in the IWICStream as a PNG image into the CMemStm.
      WriteWicBitmapToStream(poWicBitmap, &GUID_ContainerFormatPng, poCMemStm);
      // Get the size of the PNG image in the CMemStm and save it to the output variable.
      poCMemStm->Stat(&oStatStg, 0);
      *puPngImageSize = oStatStg.cbSize.LowPart;
      // Allocate memory for the PNG.
      // This is the bug: the buffer for the PNG is allocated with the size of the BMP.
      poPngImage->New(uBitmapSize);
      // Seek to the start of the PNG image in the CMemStm.
      poCMemStm->Seek(0, STREAM_SEEK_SET, NULL, &pPositionLow);
      // Read the PNG image in the CMemStm into the allocated memory.
      // This reads *puPngImageSize bytes into a uBitmapSize-byte buffer; when the PNG is larger, this overflows.
      poCMemStm->Read(poPngImage, *puPngImageSize, &uReadSize);
      // Save the location of the allocated memory holding the PNG image to the output variable.
      *ppoPngImage = poPngImage;
    }
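The following C program is an added example written for this post; it is not MSHTML code and not the original author's. It models the pseudocode above with a constructed toy encoder whose output is always larger than its input (a real PNG can likewise be larger than the BMP it was converted from), a stand-in for CMemStm, and a bounds-checked stand-in for CMemStm::Read that reports the size mismatch instead of writing past the buffer. Calling convert_bitmap_to_png with size_from_input = 1 reproduces the sizing mistake (allocate with the BMP size, read the PNG size); size_from_input = 0 is the corrected pattern, where the allocation and the read length both come from the stream's reported size. All names, the TOYPNG format and the sample bytes are invented for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy in-memory stream standing in for CMemStm (constructed for this example). */
typedef struct {
    uint8_t *data;
    size_t size;   /* bytes the encoder wrote; what Stat() reports in cbSize */
} mem_stream;

/* Result of one conversion attempt. */
typedef struct {
    uint8_t *png;       /* output buffer on success (caller frees), NULL otherwise */
    size_t alloc_size;  /* bytes allocated for the output buffer */
    size_t png_size;    /* bytes the encoder actually produced */
    int overflow;       /* 1 if the read would have run past alloc_size */
} convert_result;

/* Constructed "PNG-like" encoding: an 8-byte header followed by a
 * 2-byte (tag, value) pair per input byte. The output is always larger
 * than the input, the same property a real PNG can have relative to the
 * BMP it was converted from (headers, chunk CRCs, incompressible pixels). */
static int toy_encode(const uint8_t *bmp, size_t bmp_size, mem_stream *out)
{
    size_t out_size = 8 + 2 * bmp_size;
    out->data = malloc(out_size);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, "TOYPNG\0\0", 8);
    for (size_t i = 0; i < bmp_size; i++) {
        out->data[8 + 2 * i] = 0x01;       /* tag: raw pixel byte */
        out->data[8 + 2 * i + 1] = bmp[i]; /* value */
    }
    out->size = out_size;
    return 0;
}

/* Bounds-checked stand-in for CMemStm::Read: the real Read() copies
 * `requested` bytes into whatever buffer it is handed; this one refuses
 * when the destination is too small and reports it instead of corrupting
 * the heap. */
static int checked_read(const mem_stream *s, uint8_t *dst, size_t capacity,
                        size_t requested)
{
    if (requested > capacity)
        return -1;
    if (requested > s->size)
        requested = s->size;
    memcpy(dst, s->data, requested);
    return 0;
}

/* size_from_input = 1 mirrors the MS14-056 mistake: the output buffer is
 * allocated with the BMP size while the read length is the PNG size.
 * size_from_input = 0 is the fix: allocation and read length both come
 * from the stream's reported size. */
convert_result convert_bitmap_to_png(const uint8_t *bmp, size_t bmp_size,
                                     int size_from_input)
{
    convert_result r = {0};
    mem_stream s = {0};

    if (toy_encode(bmp, bmp_size, &s) != 0)
        return r;
    r.png_size = s.size;                                   /* Stat().cbSize */
    r.alloc_size = size_from_input ? bmp_size : s.size;    /* New(...) */
    r.png = malloc(r.alloc_size > 0 ? r.alloc_size : 1);
    if (r.png != NULL &&
        checked_read(&s, r.png, r.alloc_size, r.png_size) != 0) {
        r.overflow = 1;   /* the original code would have overflowed here */
        free(r.png);
        r.png = NULL;
    }
    free(s.data);
    return r;
}

int main(void)
{
    /* Constructed 4-byte "bitmap"; any input works, the encoding always grows. */
    const uint8_t bmp[4] = { 0x11, 0x22, 0x33, 0x44 };
    convert_result bad = convert_bitmap_to_png(bmp, sizeof bmp, 1);
    convert_result good = convert_bitmap_to_png(bmp, sizeof bmp, 0);

    printf("sized by BMP:  alloc=%zu png=%zu overflow=%d\n",
           bad.alloc_size, bad.png_size, bad.overflow);
    printf("sized by Stat: alloc=%zu png=%zu overflow=%d\n",
           good.alloc_size, good.png_size, good.overflow);
    free(bad.png);
    free(good.png);
    return 0;
}
```

The point the example makes is that the vulnerable version already has the correct number in hand (it stores it in *puPngImageSize) and simply passes the wrong one to the allocator; the fix is to size the buffer from that measured value, and a Read() wrapper that checks the destination capacity against the requested length turns the remaining mismatch into a reportable failure rather than heap corruption.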

PoC

Only the JavaScript that performs the image copy is available; the image itself has to be generated separately.

Because there is no complete PoC, I did not debug this one, but the original author has already explained it clearly in the overview. The cause of this bug is quite interesting, so I am recording it here to broaden my thinking.
