IE 11 MSHTML!CPasteCommand::ConvertBitmaptoPng heap-based buffer overflow study notes
MS14-056, CVE-2014-4138
Timeline
8 May 2014: This vulnerability was submitted to ZDI.
9 June 2014: This vulnerability was acquired by ZDI.
23 June 2014: This vulnerability was disclosed to Microsoft by ZDI.
14 October 2014: This vulnerability was addressed by Microsoft in MS14-056.
21 December 2016: Details of this vulnerability were released.
Out-of-bounds access vulnerability
Version: Microsoft Internet Explorer 11.0.9600.16521
Overview
When an image is pasted into IE11, the BMP on the clipboard is converted into a PNG; the function MSHTML!CPasteCommand::ConvertBitmaptoPng performs this conversion.
The function allocates the buffer that receives the converted PNG using the size of the BMP, not the size of the PNG. A PNG is not always smaller than the BMP it came from: PNG adds a filter byte to every scanline plus chunk and zlib overhead, and deflate cannot shrink incompressible (for example random) pixel data. For such an image the PNG is larger than the BMP, and copying it into the BMP-sized buffer overflows the heap allocation.
CPasteCommand::ConvertBitmaptoPng pseudocode
Function prototype and body (reconstructed pseudocode, not Microsoft's source):

    ConvertBitmaptoPng(
        [IN]  VOID*  poBitmap,
              UINT   uBitmapSize,
        [OUT] VOID** ppoPngImage,
              UINT*  puPngImageSize
    )
    {
        // BMP to PNG conversion
        CMemStm* poCMemStm;
        IWICStream* poWicBitmap;
        STATSTG oStatStg;
        TSmartArray<unsigned char> poPngImage;
        UINT uReadSize;
        ULARGE_INTEGER pPositionLow;
        // Create a CMemStm for the PNG image.
        CreateStreamOnHGlobal(NULL, TRUE, &poCMemStm);
        // Create an IWICStream from the BMP image.
        InitializeFromMemory(poBitmap, uBitmapSize, &GUID_ContainerFormatBmp, &poWicBitmap);
        // Write the BMP image in the IWICStream as a PNG image into the CMemStm.
        WriteWicBitmapToStream(poWicBitmap, &GUID_ContainerFormatPng, poCMemStm);
        // Get the size of the PNG image in the CMemStm and save it to the output variable.
        poCMemStm->Stat(&oStatStg, 0);
        *puPngImageSize = oStatStg.cbSize.LowPart;
        // Allocate memory for the PNG.
        // This is the bug: the PNG buffer is allocated with the size of the BMP,
        // although the real PNG size was just stored in *puPngImageSize.
        poPngImage->New(uBitmapSize);
        // Go to the start of the PNG image in the CMemStm.
        poCMemStm->Seek(0, STREAM_SEEK_SET, NULL, &pPositionLow);
        // Read the PNG image in the CMemStm into the allocated memory.
        // This read copies *puPngImageSize bytes into a uBitmapSize-byte buffer
        // and overflows it whenever the PNG is larger than the BMP.
        poCMemStm->Read(poPngImage, *puPngImageSize, &uReadSize);
        // Save the location of the allocated memory holding the PNG image to the output variable.
        *ppoPngImage = poPngImage;
    }
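The following C program is an added example; it is not code from the page, from ZDI or from Microsoft. It reproduces the size relationship that the overview and the pseudocode above rely on: it builds a 24-bit BMP with incompressible (PRNG-generated) pixels, encodes it as a real PNG using stored deflate blocks (the fallback zlib uses when data does not compress), and then models ConvertBitmaptoPng by sizing the output buffer either from the BMP (the vulnerable choice) or from the PNG length that Stat() would have reported. The function names (build_bmp, bmp_to_png, overflow_for), the 4096-pixel dimension limit and the image shapes are the example's own assumptions. The copy is clamped, so the program reports how many bytes would land past the end of the allocation instead of corrupting its own heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_be32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t crc32_png(const uint8_t *d, size_t n) {          /* PNG chunk CRC, poly 0xEDB88320 */
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) { c ^= d[i]; for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u))); }
    return ~c;
}
static uint32_t adler32(const uint8_t *d, size_t n) {            /* zlib stream trailer */
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + d[i]) % 65521; b = (b + a) % 65521; }
    return b << 16 | a;
}
static size_t bmp_stride(uint32_t w) { return (w * 3u + 3u) & ~3u; } /* BMP rows are padded to 4 bytes */

/* Constructed input (assumption of this example): a 24-bit bottom-up BMP whose
 * pixel bytes come from an xorshift32 PRNG, i.e. data no lossless encoder can shrink. */
static uint8_t *build_bmp(uint32_t w, uint32_t h, uint32_t seed, size_t *len) {
    size_t body = bmp_stride(w) * h;
    uint8_t *b = calloc(*len = 54 + body, 1);
    if (!b) return NULL;
    b[0] = 'B'; b[1] = 'M'; put_le32(b + 2, (uint32_t)*len); put_le32(b + 10, 54);  /* bfSize, bfOffBits */
    put_le32(b + 14, 40); put_le32(b + 18, w); put_le32(b + 22, h);                  /* BITMAPINFOHEADER */
    b[26] = 1; b[28] = 24; put_le32(b + 34, (uint32_t)body);   /* biPlanes, biBitCount, BI_RGB, biSizeImage */
    for (size_t i = 0; i < body; i++) { seed ^= seed << 13; seed ^= seed >> 17; seed ^= seed << 5; b[54 + i] = (uint8_t)seed; }
    return b;
}
static uint8_t *put_chunk(uint8_t *p, const char *type, const uint8_t *data, size_t n) {
    put_be32(p, (uint32_t)n); memcpy(p + 4, type, 4);
    if (n) memcpy(p + 8, data, n);
    put_be32(p + 8 + n, crc32_png(p + 4, n + 4));              /* CRC covers chunk type + data */
    return p + 12 + n;
}

/* Encode a 24-bit BMP as an 8-bit RGB PNG whose IDAT holds stored (BTYPE=00)
 * deflate blocks; returns NULL when the BMP header does not fit its length. */
static uint8_t *bmp_to_png(const uint8_t *bmp, size_t bmp_len, size_t *png_len) {
    if (bmp_len < 54 || bmp[0] != 'B' || bmp[1] != 'M') return NULL;
    uint32_t w = get_le32(bmp + 18), h = get_le32(bmp + 22), off = get_le32(bmp + 10);
    if (w == 0 || h == 0 || w > 4096 || h > 4096 || off > bmp_len || bmp_len - off < bmp_stride(w) * h) return NULL;
    size_t rowlen = (size_t)w * 3 + 1, raw = rowlen * h;       /* one filter byte + RGB per scanline */
    size_t zlen = 2 + ((raw + 65534) / 65535) * 5 + raw + 4;   /* zlib header, 5 B per stored block, adler32 */
    uint8_t *rawbuf = malloc(raw), *z = malloc(zlen), *p = z;
    for (uint32_t y = 0; y < h; y++) {                         /* BMP: bottom-up, BGR. PNG: top-down, RGB */
        const uint8_t *src = bmp + off + (size_t)(h - 1 - y) * bmp_stride(w);
        uint8_t *row = rawbuf + y * rowlen;
        row[0] = 0;                                            /* filter type None */
        for (uint32_t x = 0; x < w; x++) { row[1 + x * 3] = src[x * 3 + 2]; row[2 + x * 3] = src[x * 3 + 1]; row[3 + x * 3] = src[x * 3]; }
    }
    *p++ = 0x78; *p++ = 0x01;                                  /* zlib header */
    for (size_t done = 0; done < raw; ) {
        size_t n = raw - done > 65535 ? 65535 : raw - done;
        *p++ = (uint8_t)(done + n == raw);                     /* BFINAL bit; BTYPE 00 = stored */
        *p++ = (uint8_t)n; *p++ = (uint8_t)(n >> 8); *p++ = (uint8_t)~n; *p++ = (uint8_t)(~n >> 8); /* LEN, NLEN */
        memcpy(p, rawbuf + done, n); p += n; done += n;
    }
    put_be32(p, adler32(rawbuf, raw));
    uint8_t ihdr[13] = {0};
    put_be32(ihdr, w); put_be32(ihdr + 4, h); ihdr[8] = 8; ihdr[9] = 2;  /* 8 bits per sample, truecolour */
    *png_len = 8 + (12 + 13) + (12 + zlen) + 12;               /* signature, IHDR, IDAT, IEND */
    uint8_t *png = malloc(*png_len), *q = png;
    memcpy(q, "\x89PNG\r\n\x1a\n", 8); q += 8;
    q = put_chunk(q, "IHDR", ihdr, 13);
    q = put_chunk(q, "IDAT", z, zlen);
    put_chunk(q, "IEND", NULL, 0);
    free(rawbuf); free(z);
    return png;
}

/* Models the page's pseudocode for a w x h random image. size_from_bmp = 1 sizes the
 * output buffer from uBitmapSize (the vulnerable build); 0 sizes it from the PNG length
 * Stat() reported. Returns how many bytes the Read() would write past that buffer. */
static size_t overflow_for(uint32_t w, uint32_t h, int size_from_bmp) {
    size_t bmp_len, png_len;
    uint8_t *bmp = build_bmp(w, h, 0x1234567u, &bmp_len);
    uint8_t *png = bmp ? bmp_to_png(bmp, bmp_len, &png_len) : NULL;
    if (!png) { free(bmp); return 0; }
    size_t alloc = size_from_bmp ? bmp_len : png_len;          /* New(uBitmapSize) vs New(*puPngImageSize) */
    size_t overflow = png_len > alloc ? png_len - alloc : 0;
    uint8_t *buf = malloc(alloc);
    memcpy(buf, png, png_len - overflow);                      /* IE: Read(poPngImage, *puPngImageSize); clamped here */
    free(buf); free(png); free(bmp);
    return overflow;
}

int main(void) {
    uint32_t shapes[][2] = {{1, 1}, {2, 64}, {256, 256}};
    for (size_t i = 0; i < 3; i++)
        printf("%ux%u: %zu bytes past a BMP-sized buffer, %zu past a PNG-sized one\n", shapes[i][0], shapes[i][1],
               overflow_for(shapes[i][0], shapes[i][1], 1), overflow_for(shapes[i][0], shapes[i][1], 0));
    return 0;
}
```

With these shapes a 1x1 image already overruns a BMP-sized buffer by 14 bytes and a 256x256 random image by 285 bytes, while a 2x64 image does not: BMP pads each 6-byte row to 8 bytes, and the PNG's per-row filter byte plus its fixed headers cost less than that padding. Whether a given clipboard image reaches the bug therefore depends on both its dimensions and how well its pixels compress, which is why a proof of concept needs a deliberately incompressible bitmap rather than an arbitrary one.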
POC
Only the JavaScript that performs the image copy is available; the image itself has to be generated separately.
Because there is no complete POC for this bug, I did not debug it, but the author has actually already explained it quite clearly in the overview. The root cause of this bug is rather interesting, so I put it here to broaden one's thinking.