
virtual function

[ GLSA 200708-17 ] Opera: Multiple vulnerabilities

     Package                /  Vulnerable  /                  Unaffected
     -------------------------------------------------------------------
  1  www-client/opera            < 9.23                       >= 9.23

Description
===========

An error known as "a virtual function call on an invalid pointer" has
been discovered in the JavaScript engine (CVE-2007-4367). Furthermore,
iDefense Labs reported that an already-freed pointer may still be used
under unspecified circumstances in the BitTorrent support
(CVE-2007-3929). Lastly, other minor errors have been discovered,
relating to memory read protection (Opera Advisory 861) and URI

Some more details on IE STYLE zero-day

should be no other side effects.  That would also mean that the
mechanism of the vulnerability is entirely reliable.)

I've confirmed that every Internet Explorer 7 x86 MSHTML.DLL is
potentially exploitable -- none of them contain a vtable slot with bit
15 set.  (The virtual function pointers in question all match either
xxxx0xxx, xxxx4xxx, xxxx5xxx, xxxx6xxx, or xxxx7xxx.)


If you'd like to research this vulnerability more for yourself, you
can breakpoint CStyleSheetArray::ReleaseStyleSheet (called during

Code to mitigate IE STYLE zero-day

system's version of MSHTML.DLL, and all but rules out successful
exploitation in 64-bit Internet Explorer.

The mitigation works by replacing one function pointer in the vtable
with a pointer for which the low 2 bytes are 0xCCCC, but at which the
code is functionally equivalent.  Legitimate virtual function calls
work as usual, while exploitation attempts will arrive at EIP =
0xCCCCxxxx (not exploitable) rather than 0xyyyyxxxx (exploitable for
some yyyy).

The following snippet is a pared-down, harmless proof-of-concept to
