Microsoft Edge edgehtml CAttr­Array::Destroy use-after-free details

[Berend-Jan Wever <berendj () nwever nl>]

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
eleventh entry in that series. Unfortunately I won't be able to publish
everything within one month at the current rate, so I may continue to
publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161115001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Edge edgehtml CAttrArray::Destroy use-after-free
==========================================================
(This fix and CVE number for this issue are not known)

Synopsis
--------
A specially crafted web-page can cause Microsoft Edge to free memory
used for a `CAttrArray` object. The code continues to use the data in
freed memory block immediately after freeing it. It does not appear that
there is enough time between the free and reuse to exploit this issue.

Known affected software and attack vectors
------------------------------------------
* Microsoft Edge 11.0.10240.16384
  An attacker would need to get a target user to open a specially
  crafted web-page. JavaScript is not necessarily required to trigger
  the issue.

Description
-----------
When an element is created and style properties are added, these are
stored in a `CAttrArray` object. A new `CAttrArray` is able to store up
to 8 properties. If more properties need to be stored, the code will
allocate memory for a larger `CAttrArray` and copy the existing
properties into this new object before freeing the old memory. The code
will then continue to use the freed memory almost immediately. In the
first repro, the "font" style property is the ninth property and
triggers this issue. In the second repro, the only property of a
`CAttrArray` is removed, at which point it is freed but no new object
is allocated. However, the code follows the same path and also reuses
the freed memory.

Exploit
-------
What little investigation I did appears to indicate that there is no way
to reallocate the freed memory before its reuse. It is therefore
probably not possible to exploit this issue that way. I did not
investigate how the freed memory is used by the code exactly, and I did
not look into other methods to exploit the issue. I did create a second
repro that triggers the issue "on-demand" from Javascript but, as is to
be expected, no Javascript is executed between the free and the re-use.

Time-line
---------
* September 2015: This vulnerability was found through fuzzing.
* September 2015: This vulnerability was submitted to ZDI.
* September 2015: This vulnerability was rejected by ZDI.
* November 2016: The issue no longer reproduces in Microsoft Edge.
* November 2016: Details of this issue are released.

Cheers,

SkyLined

Attachment: 0x2557C5AA.asc
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/