
CVE-2014-1776 analysis

2021-10-13 Source: 客趣旅游网


0x0 Preface

Analysis environment: Win7 SP1 + IE8

This is a classic UAF (use-after-free) vulnerability. Using the publicly known PoC, we analyze the concrete root cause of the bug.

0x1 Root cause analysis

For a UAF vulnerability the main task is to locate where the object is freed and where it is reused. Below are the author's analysis notes.

Attach windbg and run the PoC: IE raises an exception, and the cause is an access to an invalid memory address.

Let windbg analyze it automatically with `!analyze -v`. The result shows that the problem lies in the mshtml module and is a memory access violation.

CMarkup is an object; in IDA we locate the function CMarkup::IsPendingPrimaryMarkUp. The function is very short. Roughly, it checks one attribute of the CMarkup object: if the attribute is TRUE it returns 1 (this path is reached by a jump from the end of the function); otherwise (FALSE) it returns 0, the tail of the function simply returning 0.

In other words, eax is the object's base address, and the first dword at eax is the vtable pointer.

Because this is a UAF, we need to locate several points: where the object is created, where it is freed, and where it is reused. Page heap can record a stack backtrace for every heap operation, so we use page heap to trace the object's allocation, free and reuse.

============================================================================================

Enable HPA (page heap) and UST (user-mode stack traces). The gflags tool is in the windbg directory; the same can be done from the command line:

    gflags /i iexplore.exe +hpa +ust

=============================================================================================

After enabling page heap, the crash location changes.

Let windbg analyze it automatically again; the result is an invalid access to a heap address, i.e. the access to this address faults.

Find the corresponding heap base address.

Look carefully at the faulting function IsConnectedToPrimaryMarkup: the value of esi comes from eax, i.e. the object's this pointer (this is easier to see in IDA).

So the essence of the problem is that eax is wrong, meaning the CMarkup object's memory is bad. eax and esi hold the same value, the object pointer.

Since we enabled page heap, i.e. backtraces of heap operations, let's look at this object's allocation and free history.

We can see that the heap memory holding the object we are using has already been freed, which is why the later access to the object's attributes crashes. Set a breakpoint on this object's use site that dumps its heap block every time it is hit:

    bp MSHTML!CMarkup::IsConnectedToPrimaryMarkUp+0x6 "!heap -p -a esi;g"

Object tracking results:

    0:020> bp MSHTML!CMarkup::IsConnectedToPrimaryMarkUp+0x6 "!heap -p -a esi;g"
    0:020> g
    ModLoad: 6d850000 6d983000   C:\Windows\System32\msxml3.dll
    address 0b688f30 found in _DPH_HEAP_ROOT @ 181000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 ce80104:          b688f30               d0 -          b688000             2000
              mshtml!CMarkup::`vftable'
        721f8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
        77a65e26 ntdll!RtlDebugAllocateHeap+0x00000030
        77a2a376 ntdll!RtlpAllocateHeap+0x000000c4
        779f5ae0 ntdll!RtlAllocateHeap+0x0000023a
        6a321f3b mshtml!CDoc::CreateMarkupFromInfo+0x000000e2
        6a53c1be mshtml!COmWindowProxy::ExecRefresh+0x00000476
        6a53bd3d mshtml!COmWindowProxy::ExecRefreshCallback+0x00000022
        6a3c93c2 mshtml!GlobalWndOnMethodCall+0x000000ff
        6a3be012 mshtml!GlobalWndProc+0x0000010c
        764dc4e7 USER32!InternalCallWinProc+0x00000023
        764dc5e7 USER32!UserCallWinProcCheckWow+0x0000014b
        764dcc19 USER32!DispatchMessageWorker+0x0000035e
        764dcc70 USER32!DispatchMessageW+0x0000000f
        6e1f4bec IEFRAME!CTabWindow::_TabWindowThreadProc+0x0000054b
        6e204f62 IEFRAME!LCIETab_ThreadProc+0x000002c1
        768d5c2b iertutil!CIsoScope::RegisterThread+0x000000ab
        765e3c45 kernel32!BaseThreadInitThunk+0x0000000e
        77a037f5 ntdll!__RtlUserThreadStart+0x00000070
        77a037c8 ntdll!_RtlUserThreadStart+0x0000001b

    ModLoad: 6bfe0000 6c092000   C:\Windows\System32\jscript.dll
    address 0b688f30 found in _DPH_HEAP_ROOT @ 181000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 ce80104:          b688f30               d0 -          b688000             2000
              mshtml!CMarkup::`vftable'
        [same allocation stack as above: CDoc::CreateMarkupFromInfo <- COmWindowProxy::ExecRefresh ...]
        [the identical record is printed again on the next two hits; omitted]

    address 092baf30 found in _DPH_HEAP_ROOT @ 181000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 a132e38:          92baf30               d0 -          92ba000             2000
              mshtml!CMarkup::`vftable'
        721f8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
        77a65e26 ntdll!RtlDebugAllocateHeap+0x00000030
        77a2a376 ntdll!RtlpAllocateHeap+0x000000c4
        779f5ae0 ntdll!RtlAllocateHeap+0x0000023a
        6a321f3b mshtml!CDoc::CreateMarkupFromInfo+0x000000e2
        6a32238d mshtml!CDoc::CreateMarkup+0x0000004a
        6a308229 mshtml!CCommentElement::`scalar deleting destructor'+0x000002d3
        6a2197c0 mshtml!CElement::removeNode+0x00000046
        6a219873 mshtml!Method_IDispatchpp_oDoVARIANTBOOL+0x000000cc
        6a41f10b mshtml!CBase::ContextInvokeEx+0x000005dc
        6a42a6c6 mshtml!CElement::ContextInvokeEx+0x0000009d
        6a42a706 mshtml!CInput::VersionedInvokeEx+0x0000002d
        6a3cbc0e mshtml!PlainInvokeEx+0x000000eb
        6bfea26e jscript!IDispatchExInvokeEx2+0x00000104
        6bfea1b9 jscript!IDispatchExInvokeEx+0x0000006a
        6bfea43a jscript!InvokeDispatchEx+0x00000098
        6bfea4e4 jscript!VAR::InvokeByName+0x00000139
        6bffd9a8 jscript!VAR::InvokeDispName+0x0000007d
        6bffda4f jscript!VAR::InvokeByDispID+0x000000ce
        6bffe4c7 jscript!CScriptRuntime::Run+0x00002b80
        6bff5d7d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
        6bff5cdb jscript!ScrFncObj::Call+0x0000008d
        6bff5ef1 jscript!CSession::Execute+0x0000015f
        6bfef4c6 jscript!NameTbl::InvokeDef+0x000001b5
        6bfeeb02 jscript!NameTbl::InvokeEx+0x0000012c
        6a443b0e mshtml!CBase::InvokeDispatchWithThis+0x000001e1
        6a443bba mshtml!CBase::InvokeEvent+0x00000214
        6a3b3e41 mshtml!CBase::FireEvent+0x000000e1
        6a3eddd5 mshtml!CElement::FireEvent+0x000003ce
        6a4451af mshtml!CElement::Fire_onpropertychange+0x00000057
        6a445139 mshtml!CElement::Fire_PropertyChangeHelper+0x0000011f
        6a4450bb mshtml!CElement::OnPropertyChange+0x00000b7b
        [the identical record is printed again on the next hit; omitted]

    address 092baf30 found in _DPH_HEAP_ROOT @ 181000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                 a132e38:          92ba000             2000
        721f90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
        77a665f4 ntdll!RtlDebugFreeHeap+0x0000002f
        77a2a0aa ntdll!RtlpFreeHeap+0x0000005d
        779f65a6 ntdll!RtlFreeHeap+0x00000142
        765dbbe4 kernel32!HeapFree+0x00000014
        6a410c11 mshtml!CMarkup::`scalar deleting destructor'+0x00000022
        6a3b1daf mshtml!CBase::SubRelease+0x00000022
        6a3309a5 mshtml!CMarkup::ProcessPeerTask+0x00000047
        6a42a5fa mshtml!CElement::VersionedGetDispID+0x00000052
        6a41ca52 mshtml!PlainGetDispID+0x000000dc
        6bfea348 jscript!IDispatchExGetDispID+0x000000a5
        6bfea2b6 jscript!GetDex2DispID+0x00000031
        6bfea4be jscript!VAR::InvokeByName+0x000000ee
        6bffd9a8 jscript!VAR::InvokeDispName+0x0000007d
        6bfe9c4e jscript!CScriptRuntime::Run+0x0000208d
        6bff5d7d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
        6bff5cdb jscript!ScrFncObj::Call+0x0000008d
        6bff5ef1 jscript!CSession::Execute+0x0000015f
        6bfef4c6 jscript!NameTbl::InvokeDef+0x000001b5
        6bfeeb02 jscript!NameTbl::InvokeEx+0x0000012c
        6a443b0e mshtml!CBase::InvokeDispatchWithThis+0x000001e1
        6a443bba mshtml!CBase::InvokeEvent+0x00000214
        6a3b3e41 mshtml!CBase::FireEvent+0x000000e1
        6a3eddd5 mshtml!CElement::FireEvent+0x000003ce
        6a4451af mshtml!CElement::Fire_onpropertychange+0x00000057
        6a445139 mshtml!CElement::Fire_PropertyChangeHelper+0x0000011f
        6a4450bb mshtml!CElement::OnPropertyChange+0x00000b7b
        6a433c07 mshtml!CBase::InvokeAA+0x0000022f
        6a42c313 mshtml!CBase::ContextInvokeEx+0x00000147
        6a42a6c6 mshtml!CElement::ContextInvokeEx+0x0000009d
        6a42a706 mshtml!CInput::VersionedInvokeEx+0x0000002d
        6a3cbc0e mshtml!PlainInvokeEx+0x000000eb

    (334.a4c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=092baf30 ebx=092baf30 ecx=52cd2fe6 edx=6a38f9f8 esi=092baf30 edi=0b65efc0
    eip=6a3303af esp=0a9ecb9c ebp=0a9ecbc0 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    mshtml!CMarkup::IsConnectedToPrimaryMarkup+0x6:
    6a3303af 8b465c          mov     eax,dword ptr [esi+5Ch] ds:0023:092baf8c=????????

From the heap tracking of the object above, the crash is caused by the CMarkup object being reused after it was freed. Below we reconstruct the process that frees the CMarkup object in order to verify this.

Stack backtrace after the crash:

The problem lies in the function CStyleElement::OnPropertyChange. Locating this function requires patch diffing: download the patch KB2964358 from Microsoft (https://technet.microsoft.com/library/security/ms14-021) and pick the build matching the system.

Apply the patch to the system; it modifies mshtml.dll.

We find that CElement::OnCssChange, which appears in the stack backtrace, was modified by the patch, as follows.

Looking closely at the pre-patch CElement::OnCssChange: the function's main job is to convert the CElement object pointer into a CMarkup object pointer and then call CMarkup::OnCssChange; CElement::GetMarkupPtr is what retrieves the CMarkup pointer. The exact flow is shown in the figure.

Now look at CMarkup::OnCssChange: it is the call to IsConnectedToPrimaryMarkup that triggers the crash.

Let's confirm the function that frees the object.

From the heap record it looks as if the object is freed by CMarkup's own destructor; the exact flow still needs careful analysis:

    address 092baf30 found in _DPH_HEAP_ROOT @ 181000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                 a132e38:          92ba000             2000
        721f90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
        77a665f4 ntdll!RtlDebugFreeHeap+0x0000002f
        77a2a0aa ntdll!RtlpFreeHeap+0x0000005d
        779f65a6 ntdll!RtlFreeHeap+0x00000142
        765dbbe4 kernel32!HeapFree+0x00000014
        6a410c11 mshtml!CMarkup::`scalar deleting destructor'+0x00000022   <-- object destructor
        6a3b1daf mshtml!CBase::SubRelease+0x00000022

Then we set a breakpoint on this destructor and look at its stack backtrace; below is the backtrace at the time the CMarkup object is freed.

Let's look again at the page heap record for the object.

We can roughly infer that ProcessPeerTask and RecomputePeers are the functions capable of freeing the object.

So we set breakpoints on ProcessPeerTask and RecomputePeers respectively, to find which one actually frees the object.

In the end the author found that the call to RecomputePeers causes the object to be freed, and the reuse follows immediately afterwards.

The author's breakpoint (placed at the end of RecomputePeers) dumps the object's heap state after every call to RecomputePeers.

Debugger output:

    address 0d9d6fe8 found in _DPH_HEAP_ROOT @ 51000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 d697a5c:          d9d6fe8               18 -          d9d6000             2000
              mshtml!CDoc::CAryUrlImgCtx::`vftable'
        71f68e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
        77a65e26 ntdll!RtlDebugAllocateHeap+0x00000030
        77a2a376 ntdll!RtlpAllocateHeap+0x000000c4
        779f5ae0 ntdll!RtlAllocateHeap+0x0000023a
        69192b6c mshtml!CMarkup::EnsureMarkupPeerTaskContext+0x0000003d
        6919058a mshtml!CMarkup::EnqueuePeerTask+0x00000014
        691909be mshtml!CMarkup::ProcessPeerTask+0x00000047
        69190314 mshtml!CElement::OnCssChange+0x0000001e
        691aabf6 mshtml!CStyleElement::SetText+0x000001e3
        691aaa67 mshtml!CStyleElement::Notify+0x000000ed
        691cd6d7 mshtml!CHtmRootParseCtx::SendEnterTreeNotification+0x00000047
        691cd661 mshtml!CHtmRootParseCtx::FlushNotifications+0x0000015d
        691ccc7d mshtml!CHtmRootParseCtx::Commit+0x0000000b
        691cc36a mshtml!CHtmPost::Broadcast+0x0000000f
        691cc9cd mshtml!CHtmPost::Exec+0x00000255
        691ce945 mshtml!CHtmPost::Run+0x00000015
        691ce8a9 mshtml!PostManExecute+0x000001fb
        691ce80e mshtml!PostManResume+0x000000f7
        691d2d3e mshtml!CHtmPost::OnDwnChanCallback+0x00000010
        691cbf0e mshtml!CDwnChan::OnMethodCall+0x00000019
        692293c2 mshtml!GlobalWndOnMethodCall+0x000000ff
        6921e012 mshtml!GlobalWndProc+0x0000010c
        764dc4e7 USER32!InternalCallWinProc+0x00000023
        764dc5e7 USER32!UserCallWinProcCheckWow+0x0000014b
        764dcc19 USER32!DispatchMessageWorker+0x0000035e
        764dcc70 USER32!DispatchMessageW+0x0000000f
        6e1f4bec IEFRAME!CTabWindow::_TabWindowThreadProc+0x0000054b
        6e204f62 IEFRAME!LCIETab_ThreadProc+0x000002c1
        768d5c2b iertutil!CIsoScope::RegisterThread+0x000000ab
        765e3c45 kernel32!BaseThreadInitThunk+0x0000000e
        77a037f5 ntdll!__RtlUserThreadStart+0x00000070
        77a037c8 ntdll!_RtlUserThreadStart+0x0000001b

    address 09027f30 found in _DPH_HEAP_ROOT @ 51000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)      <-- the object has been freed here
                                 9591958:          9027000             2000
        71f690b2 verifier!AVrfDebugPageHeapFree+0x000000c2
        77a665f4 ntdll!RtlDebugFreeHeap+0x0000002f
        77a2a0aa ntdll!RtlpFreeHeap+0x0000005d
        779f65a6 ntdll!RtlFreeHeap+0x00000142
        765dbbe4 kernel32!HeapFree+0x00000014
        69270c11 mshtml!CMarkup::`scalar deleting destructor'+0x00000022
        69211daf mshtml!CBase::SubRelease+0x00000022
        691909a5 mshtml!CMarkup::ProcessPeerTask+0x00000047
        6928a5fa mshtml!CElement::VersionedGetDispID+0x00000052
        6927ca52 mshtml!PlainGetDispID+0x000000dc
        6a79a348 jscript!IDispatchExGetDispID+0x000000a5
        6a79a2b6 jscript!GetDex2DispID+0x00000031
        6a79a4be jscript!VAR::InvokeByName+0x000000ee
        6a7ad9a8 jscript!VAR::InvokeDispName+0x0000007d
        6a799c4e jscript!CScriptRuntime::Run+0x0000208d
        6a7a5d7d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
        6a7a5cdb jscript!ScrFncObj::Call+0x0000008d
        6a7a5ef1 jscript!CSession::Execute+0x0000015f
        6a79f4c6 jscript!NameTbl::InvokeDef+0x000001b5
        6a79eb02 jscript!NameTbl::InvokeEx+0x0000012c
        692a3b0e mshtml!CBase::InvokeDispatchWithThis+0x000001e1
        692a3bba mshtml!CBase::InvokeEvent+0x00000214
        69213e41 mshtml!CBase::FireEvent+0x000000e1
        6924ddd5 mshtml!CElement::FireEvent+0x000003ce
        692a51af mshtml!CElement::Fire_onpropertychange+0x00000057
        692a5139 mshtml!CElement::Fire_PropertyChangeHelper+0x0000011f
        692a50bb mshtml!CElement::OnPropertyChange+0x00000b7b
        69293c07 mshtml!CBase::InvokeAA+0x0000022f
        6928c313 mshtml!CBase::ContextInvokeEx+0x00000147
        6928a6c6 mshtml!CElement::ContextInvokeEx+0x0000009d
        6928a706 mshtml!CInput::VersionedInvokeEx+0x0000002d
        6922bc0e mshtml!PlainInvokeEx+0x000000eb

    (ec8.98c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=09027f30 ebx=09027f30 ecx=23f71bc6 edx=691ef9f8 esi=09027f30 edi=0d71ffc0
    eip=691903af esp=0a92ca5c ebp=0a92ca80 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    mshtml!CMarkup::IsConnectedToPrimaryMarkup+0x6:
    691903af 8b465c          mov     eax,dword ptr [esi+5Ch] ds:0023:09027f8c=????????

With that we have located both the place where the object is freed and the place where it crashes.

================================================================================

0x3 Exploitation

Find the size of the freed object, allocate memory of the same size to take its place and overwrite the vtable; with ROP plus an ntdll information leak the exploit can be completed.

0xFF Afterword

The flow is a bit messy; please forgive that. Wherever something is written incorrectly, corrections are welcome.
