Monday 22 June 2015

Browsing stackoverflow for interesting crashes - Microsoft Internet Explorer 11

Here is a nice example why it is worth to browse stackoverflow.com for crash reports. Recently i stumbled upon this post:
http://stackoverflow.com/questions/28114732/internet-explorer-11-crashes-when-angulars-http-post-is-used-with-large-complex

I checked it out and as for today (22 Jun 2015) it crashes the latest Internet Explorer 11. The crash log looks interesting:
The proof of concept from the post is huge so i decided to downsize it a bit and here it is:
Certainly more readable. As usual maybe someone will find it useful.

From one of the comments in the stackoverflow discussion, we can see that Microsoft is already looking into it (23 Jan 2015).

Update:

The bug was patched in the July 2015 MS Bulletin (probably this one MS15-065 - CVE-2015-2419)

Update #2:

Great in-depth analysis of the bug by the guys from Checkpoint: http://blog.checkpoint.com/2016/02/10/too-much-freedom-is-dangerous-understanding-ie-11-cve-2015-2419-exploitation/

1 comment:

  1. Also from WinDbg:
    jscript9!Js::TempArenaAllocatorWrapper<1>::Dispose:
    63781300 8bff mov edi,edi
    63781302 56 push esi
    63781303 8bf1 mov esi,ecx
    63781305 8d4e04 lea ecx,[esi+4]
    63781308 e8684fe5ff call jscript9!ArenaAllocatorBase::Clear (635d6275)
    6378130d 8b5634 mov edx,dword ptr [esi+34h]
    63781310 83ea08 sub edx,8
    63781313 52 push edx
    63781314 8b4a04 mov ecx,dword ptr [edx+4]
    63781317 8b02 mov eax,dword ptr [edx]
    63781319 8901 mov dword ptr [ecx],eax
    6378131b 8b0a mov ecx,dword ptr [edx]
    6378131d 8b4204 mov eax,dword ptr [edx+4]
    63781320 894104 mov dword ptr [ecx+4],eax
    63781323 ff1540619a63 call dword ptr [jscript9!_imp__free (639a6140)]
    63781329 59 pop ecx
    6378132a 5e pop esi
    6378132b c20400 ret 4
    Notice the write to the address obtained.

    ReplyDelete