
vtable

Code to mitigate IE STYLE zero-day

address that could fall within the heap-sprayable zone.  It's not a
patch, or a "fix" in any pure sense -- it's just a mitigation.

The vulnerability details I've figured out are that
MSHTML!CDispNode::SetExpandedClipRect ORs a CDispScroller instance's
vtable pointer by 2, then MSHTML!CLayout::GetFirstContentDispNode
tries to call a function (at +2Ch on IE 6, +30h on IE 7) from the
vtable.  This makes exploitability completely dependent on the
system's version of MSHTML.DLL, and all but rules out successful
exploitation in 64-bit Internet Explorer.
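The post above says the corrupted vtable pointer is the original ORed with 2, and that the crashing call reads the slot at +2Ch (IE 6) or +30h (IE 7). The following is an added illustration, not code from the post or from MSHTML: it models a 32-bit vtable as little-endian bytes and shows which bytes such a call reads once the pointer is off by 2. The vtable size, the base address and the per-slot stride are constructed; only the slot offsets come from the post.

```c
/* Added illustration, not code from the original post or from MSHTML.
 * Models a 32-bit vtable whose pointer has been ORed with 2, and shows
 * which bytes a later virtual call through slot +2Ch / +30h would read.
 * All addresses are constructed; the slot offsets come from the post. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VT_SLOTS 16              /* hypothetical vtable size, in 4-byte slots */
#define VT_BYTES (VT_SLOTS * 4)

/* The vtable kept as raw little-endian bytes, so a misaligned read can be
 * modelled without depending on the host's alignment or byte order. */
static uint8_t vt_mem[VT_BYTES];

static void put32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fill the fake vtable with "base + slot * 0x1000" addresses, hypothetical
 * stand-ins for the function addresses a real MSHTML build would hold. */
void init_fake_vtable(uint32_t base) {
    for (size_t i = 0; i < VT_SLOTS; i++)
        put32le(vt_mem + i * 4, base + (uint32_t)i * 0x1000u);
}

/* What an intact object calls through the slot at byte offset slot_off. */
uint32_t intact_target(uint32_t slot_off) {
    return get32le(vt_mem + slot_off);
}

/* What the same call reads once the vtable pointer has been ORed with 2.
 * A 4-byte-aligned pointer ORed with 2 is pointer + 2, so the 4-byte read
 * at slot_off now straddles two slots: the high half of slot k and the
 * low half of slot k + 1. The result is made of pieces of two legitimate
 * addresses, which is why it changes from one MSHTML build to the next. */
uint32_t corrupted_target(uint32_t slot_off) {
    return get32le(vt_mem + slot_off + 2);
}

int main(void) {
    init_fake_vtable(0x3F800000u);
    printf("IE6 +2Ch: intact %08x, corrupted %08x\n",
           intact_target(0x2C), corrupted_target(0x2C));
    printf("IE7 +30h: intact %08x, corrupted %08x\n",
           intact_target(0x30), corrupted_target(0x30));
    /* Different neighbouring addresses (another build) give another target. */
    init_fake_vtable(0x3F900000u);
    printf("other build +2Ch: corrupted %08x\n", corrupted_target(0x2C));
    return 0;
}
```

The model only computes the value the call would use; it never dereferences it. The point it makes is the one the post makes: the call target is not attacker-chosen, it is whatever two adjacent entries of that particular DLL's vtable happen to produce, so a mitigation has to reason about where that composed value can land.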


Some more details on IE STYLE zero-day

freed object can lead to running attacker-supplied code."

However, I have not found any evidence of accessing freed memory -- as
far as I can tell, the problem is a logic bug.  The CDispNode family
of classes contains a flags field that happens to be located
immediately after the vtable pointer, the lowest four bits of which
I'll refer to as the "extra size index."
CDispNode::SetExpandedClipRect uses the extra size index of a class
instance as an index into CDispNode::_extraSizeTable, a constant array
where each element represents a count of machine words of, I guess,
extra data that precedes the class instance.  (This means that a

iDefense Security Advisory 12.08.09: Microsoft Internet Explorer HTML Layout Engine Uninitialized Memory Vulnerability

allocate for a heap buffer. This eventually leads to an undersized buffer
being allocated to hold a 'CDispClipNode' object in the
'CLayout::EnsureDispNodeCore' function. The vulnerability manifests
itself when the 'CDispNode::SetExpandedClipRect' function attempts to
use the invalid "extra size" to calculate an offset into the object,
and manipulate a bit at this location. This corrupts the object's VTABLE
by setting the 2nd bit to 1, which can lead to the execution of
arbitrary code when this pointer is later accessed.

III. ANALYSIS


Exposing HMS HICP Protocol + Intellicom NetBiterConfig.exe Remote Buffer Overflow (Not patched)

If we fill the "hn" parameter (HostName) with more than 0x20 bytes, we can
start to overwrite data on the stack. By constructing a hostname of 0x60
bytes we can overwrite a pointer to a vtable of the application's
subclassing methods; this can be used to achieve code execution by
emulating a vtable under our control. 0x60 is not an arbitrary value: it
allows us to get %esi pointing to the last 0x20 (approximately) bytes of
our shellcode. The flaw is triggered when the admin double-clicks the
list box item.
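The post above gives the two facts that matter for the bug: the hostname buffer holds 0x20 bytes and the "hn" value is copied into it without a length check. The following is an added example, not NetBiterConfig.exe code or the real HICP parser; the page does not describe the HICP field layout, so a hypothetical "key=value;key=value;" text form is assumed purely to show the unbounded copy beside a bounded one.

```c
/* Added example, not NetBiterConfig.exe code or the real HICP parser.
 * The HICP field layout is not given on the page; a hypothetical
 * "key=value;key=value;" text form is assumed so that the 0x20-byte
 * hostname buffer from the post can be shown beside a bounded version. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HN_BUF 0x20   /* size of the hostname buffer named in the post */

/* Locate the value of the "hn" field in a message. Sets *val to the start
 * of the value and returns its length; returns 0 with *val == NULL when
 * the message carries no hn field. */
size_t find_hn(const char *msg, const char **val) {
    const char *p = msg;
    *val = NULL;
    while ((p = strstr(p, "hn=")) != NULL) {
        if (p == msg || p[-1] == ';') {      /* key must start a field */
            const char *end;
            p += 3;
            end = strchr(p, ';');
            *val = p;
            return end ? (size_t)(end - p) : strlen(p);
        }
        p += 3;                              /* "xhn=" is not our key */
    }
    return 0;
}

/* The pattern the post describes: an unbounded copy into a fixed stack
 * buffer. With HN_BUF or more bytes of "hn" this writes past 'name'. It is
 * here to show the defect and is deliberately never called. */
void copy_hn_unbounded(const char *msg) {
    char name[HN_BUF];
    const char *v;
    size_t n = find_hn(msg, &v);
    if (!v)
        return;
    memcpy(name, v, n);                      /* overflow when n >= HN_BUF */
    name[n] = '\0';
    printf("host: %s\n", name);
}

/* Bounded version: reject anything that does not fit together with its
 * terminating NUL. Returns 0 on success, -1 when the field is missing or
 * too long. */
int copy_hn_bounded(const char *msg, char out[HN_BUF]) {
    const char *v;
    size_t n = find_hn(msg, &v);
    if (!v || n >= HN_BUF)
        return -1;
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

int main(void) {
    /* constructed messages: a normal one and one with the 0x60-byte name */
    const char *ok = "hn=netbiter01;ip=192.0.2.10;";
    char big[0x80], msg[0x90], out[HN_BUF];
    memset(big, 'A', 0x60);
    big[0x60] = '\0';
    snprintf(msg, sizeof msg, "hn=%s;", big);
    printf("normal: %d (%s)\n", copy_hn_bounded(ok, out), out);
    printf("0x60-byte hn: %d\n", copy_hn_bounded(msg, out));
    return 0;
}
```

Note that the bounded version rejects a value of exactly 0x20 bytes as well, because the NUL needs the 33rd byte; an off-by-one there is the usual way a "fixed" copy stays exploitable.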

iDefense Security Advisory 03.11.10: Multiple Vendor WebKit HTML Element Use After Free Vulnerability

execute arbitrary code with the privileges of the current user.

The vulnerability occurs when a certain property of an HTML element is
reset via JavaScript code. When this occurs, a C++ object is
incorrectly accessed after it has been freed. This results in an
attacker controlled value being used as a C++ VTABLE, which leads to
the execution of arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary

iDefense Security Advisory 06.07.10: Multiple Vendor WebKit HTML Caption Use After Free Vulnerability

Chrome browsers to parse and render web content.

The vulnerability occurs when a certain property of an HTML element
with a caption is reset via JavaScript code. When this occurs, a C++
object is incorrectly accessed after it has been freed. This results in
an attacker controlled value being used as a C++ VTABLE, which leads to
the execution of arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary

iDefense Security Advisory 08.06.09: Microsoft Internet Explorer HTML TIME 'ondatasetcomplete' Use After Free Vulnerability

code with the privileges of the current user.

The vulnerability occurs when the 'ondatasetcomplete' event method of a
timeChildren object is referenced. If this occurs when the object is in
an inconsistent state, a heap chunk will be freed, and then reused after
being freed. This results in an uninitialized VTABLE being used, which
can result in the execution of arbitrary code when the pointer is
dereferenced.

III. ANALYSIS




Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
