Thursday, 29 May 2014

Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero

Recently i was playing wit the WeakMap implementation in IE11. The following code caused the browser crash:


(1c58.20c0): Integer divide-by-zero - code c0000094 (!!! second chance !!!)
eax=00aee241 ebx=059f8cc0 ecx=059f8cc8 edx=00000000 esi=059f8cc8 edi=05171aa0
eip=668756f0 esp=06a6bcbc ebp=06a6bccc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
jscript9!JsUtil::WeaklyReferencedKeyDictionary,1>::TryGetValueAndRemove+0x1f:
668756f0 f736            div     eax,dword ptr [esi]  ds:002b:059f8cc8=00000000
0:020> k
ChildEBP RetAddr 
06a6bccc 66874949 jscript9!JsUtil::WeaklyReferencedKeyDictionary,1>::TryGetValueAndRemove+0x1f
06a6bcec 668a28ca jscript9!Js::JavascriptWeakMapData::Delete+0x2c
06a6bd10 66537530 jscript9!Js::JavascriptWeakMap::EntryDelete+0xc5
06a6c058 66537028 jscript9!Js::InterpreterStackFrame::Process+0x1e3c
06a6c174 06550fe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1e8
WARNING: Frame IP not in any known module. Following frames may be wrong.
06a6c180 665319eb 0x6550fe9
06a6c1c0 66532032 jscript9!Js::JavascriptFunction::CallFunction<1>+0x88
06a6c22c 66531f84 jscript9!Js::JavascriptFunction::CallRootFunction+0x93
06a6c274 66531f0b jscript9!ScriptSite::CallRootFunction+0x42
06a6c298 66592bce jscript9!ScriptSite::Execute+0x6c
06a6c320 6660da36 jscript9!ScriptEngine::ExecutePendingScripts+0x1ab
06a6c3a8 6660eeb8 jscript9!ScriptEngine::ParseScriptTextCore+0x29c
06a6c3f8 56866ba5 jscript9!ScriptEngine::ParseScriptText+0x5a
06a6c430 56866ce1 MSHTML!CActiveScriptHolder::ParseScriptText+0x42
06a6c480 565ea155 MSHTML!CJScript9Holder::ParseScriptText+0x6d
06a6c4e8 56867fa3 MSHTML!CScriptCollection::ParseScriptText+0x155
06a6c5d4 56867bf3 MSHTML!CScriptData::CommitCode+0x2d0
06a6c64c 568679db MSHTML!CScriptData::Execute+0x1fe
06a6c660 5655ed1b MSHTML!CHtmScriptParseCtx::Execute+0x8b
06a6c6d8 56518d27 MSHTML!CHtmParseBase::Execute+0x135
06a6c7fc 565efece MSHTML!CHtmPost::Exec+0x474
06a6c814 565efe52 MSHTML!CHtmPost::Run+0x1c
06a6c834 565f11a2 MSHTML!PostManExecute+0x61
06a6c848 565f1103 MSHTML!PostManResume+0x7b
06a6c878 565e152f MSHTML!CHtmPost::OnDwnChanCallback+0x38
06a6c888 56499bb4 MSHTML!CDwnChan::OnMethodCall+0x19
06a6c8cc 56481c3a MSHTML!GlobalWndOnMethodCall+0x12c
06a6c918 74e562fa MSHTML!GlobalWndProc+0x115
06a6c944 74e56d3a user32!InternalCallWinProc+0x23
06a6c9bc 74e577c4 user32!UserCallWinProcCheckWow+0x109
06a6ca1c 74e5788a user32!DispatchMessageWorker+0x3bc
06a6ca2c 574dbe78 user32!DispatchMessageW+0xf
06a6fbec 5753358f IEFRAME!CTabWindow::_TabWindowThreadProc+0x445
06a6fca4 75f01b7c IEFRAME!LCIETab_ThreadProc+0x31c
06a6fcb4 695431cc iertutil!CIsoScope::_InitManagerEntanglementLock+0x53
06a6fce0 75cb338a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x71
06a6fcec 773e9f72 kernel32!BaseThreadInitThunk+0xe
06a6fd2c 773e9f45 ntdll!__RtlUserThreadStart+0x70
06a6fd44 00000000 ntdll!_RtlUserThreadStart+0x1b


It is caused by a division by zero, so the bug is not exploitable, only a simple DoS.

Monday, 19 May 2014

CVE-2014-3788 and MS14-028

Zero Day Initiative (ZDI) has published another advisory for a heap buffer overflow vulnerability in Cogent DataHub webserver that i found. The bug occured when passing a negative value in the Content-Length header. The original advisory can be read here ZDI-14-135.

Recently i also have been acknowledged by Microsoft for responsible disclosure (through SSD) of two denial of service vulnerabilities affecting the iSCSI Target (CVE-2014-0255 and CVE-2014-0256). MS Bulletin can be found here MS14-028.