Bugtraq mailing list archives
Code to mitigate IE event zero-day (CVE-2010-0249)
From: ds.adv.pub () gmail com
Date: Sun, 17 Jan 2010 23:35:03 -0600
Here's a mitigation for the CVE-2010-0249 IE createEventObject srcElement zero-day. Quite simply, it just disables the createEventObject method by mangling its name in memory. If anyone knows an important web application that uses createEventObject, *please* respond to the mailing list.

Use this code at your own risk. It could contain mistakes, cause problems with other software, and fail to protect your computer. I've done some very basic testing on the following configurations:

* Windows 2000 SP4, IE 6 SP1
* Windows XP (x86) SP3, IE 6 SP3
* Windows XP (x86) SP3, IE 7
* Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit)
* Windows XP x64 SP1, IE 7 (32-bit and 64-bit)
* Windows XP x64 SP2, IE 7 (32-bit and 64-bit)
* Windows XP x64 SP2, IE 8 (32-bit and 64-bit)
* Windows Vista (x86) SP2, IE 7
* Windows Vista (x86) SP2, IE 8

So far, I haven't been able to bypass the mitigation. I've tried 'for (var n in document)' to discover the mangled method name (it doesn't enumerate it), I've tried 'document.x' in case the invalid surrogate characters are ignored (doesn't work), and I've tried 'eval("document.x\ud...")' and 'eval(unescape("document.x%ud..."))' (IE gives an "Invalid character" error). So do your worst.

To test the mitigation, you can use this pared-down proof-of-concept:

[body onload="for(var i=0; i!=10000; i++) ev.srcElement"]
[img src=. onerror="ev=createEventObject(event); outerHTML++"]

(Of course, replace [ and ] with < and > above. The 'for' loop is just a kludge to make it more likely to crash.)

If you're interested in researching the vulnerability (using this PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during MSHTML!CImgHelper::Fire_onerror, but is later accessed during MSHTML!CEventObj::get_srcElement.

-- Derek
Attachment: ieceo1.cpp.txt
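The post describes the mitigation only as "mangling its name in memory". The following is an added example, written for this archive page; it is not the ieceo1.cpp attachment and not Derek's code. It shows the general shape of that technique in portable C: scan a memory range for the UTF-16LE string "createEventObject", overwrite it with 'x' followed by unpaired surrogate code units (an assumption based on the "document.x\ud..." shape mentioned above), and confirm that a by-name lookup no longer resolves the method while neighbouring names are untouched. The length-prefixed name table, the lookup routine and the sample names are all constructed stand-ins; the real data layout inside MSHTML is different, and on Windows the target pages would first have to be made writable (VirtualProtect), which is omitted here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the read-only data that backs a script-visible
 * object: length-prefixed UTF-16LE method names laid out back to back.
 * Assumption: the real tables inside MSHTML look nothing like this; only
 * the name-patching idea is illustrated. */
typedef struct {
    uint8_t data[256];
    size_t  len;
} name_table;

/* Write an ASCII string as UTF-16LE into out; returns the byte count. */
static size_t ascii_to_utf16le(const char *s, uint8_t *out) {
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = (uint8_t)s[i];
        out[2 * i + 1] = 0;
    }
    return 2 * n;
}

static void table_add(name_table *t, const char *name) {
    uint8_t n = (uint8_t)strlen(name);
    t->data[t->len++] = n;                     /* 1-byte code-unit count */
    t->len += ascii_to_utf16le(name, t->data + t->len);
}

/* By-name lookup, standing in for the dispatch name resolution that turns
 * `document.createEventObject` into a callable. Returns 1 if found. */
int table_lookup(const name_table *t, const char *name) {
    uint8_t want[128];
    size_t wlen = ascii_to_utf16le(name, want);
    size_t off = 0;
    while (off < t->len) {
        size_t blen = 2u * t->data[off++];
        if (blen == wlen && memcmp(t->data + off, want, wlen) == 0)
            return 1;
        off += blen;
    }
    return 0;
}

/* The mitigation step: find every UTF-16LE occurrence of `name` in a memory
 * range and rewrite it as 'x' followed by unpaired high surrogates
 * (0xD801, 0xD802, ...). A script identifier cannot contain a lone
 * surrogate, so the renamed method can no longer be spelled from JavaScript.
 * Returns the number of occurrences patched. Caveat: a blind scan of a whole
 * module would also hit unrelated copies of the string (error text, other
 * tables); narrow the range to the data the name lookup actually reads. */
size_t mangle_method_name(uint8_t *mem, size_t len, const char *name) {
    uint8_t pat[128];
    size_t plen = ascii_to_utf16le(name, pat);
    size_t hits = 0;
    for (size_t i = 0; plen > 0 && i + plen <= len; ) {
        if (memcmp(mem + i, pat, plen) != 0) { i++; continue; }
        mem[i]     = 'x';
        mem[i + 1] = 0;
        for (size_t k = 1; k < plen / 2; k++) {
            uint16_t cu = (uint16_t)(0xD800 + k);   /* lone high surrogate */
            mem[i + 2 * k]     = (uint8_t)(cu & 0xFF);
            mem[i + 2 * k + 1] = (uint8_t)(cu >> 8);
        }
        hits++;
        i += plen;
    }
    return hits;
}

/* Build a constructed table, apply the mitigation and check its effect:
 * createEventObject must stop resolving, its neighbours must be untouched,
 * and the bare name "x" must not resolve either (the document.x test from
 * the post). Returns the patch count on success, -1 on any failed check. */
int demo_mitigation(void) {
    name_table t = { {0}, 0 };
    table_add(&t, "createEvent");
    table_add(&t, "createEventObject");
    table_add(&t, "createElement");

    if (!table_lookup(&t, "createEventObject")) return -1;

    size_t hits = mangle_method_name(t.data, t.len, "createEventObject");

    if (table_lookup(&t, "createEventObject")) return -1;  /* disabled   */
    if (table_lookup(&t, "x")) return -1;                   /* not as "x" */
    if (!table_lookup(&t, "createEvent")) return -1;        /* neighbours */
    if (!table_lookup(&t, "createElement")) return -1;      /* intact     */
    return (int)hits;
}

int main(void) {
    int r = demo_mitigation();
    if (r < 0)
        printf("check failed\n");
    else
        printf("patched %d occurrence(s); createEventObject no longer resolves\n", r);
    return r < 0;
}
```

The point of the exact-length match in table_lookup is the same one the post's bypass attempts probe: after patching, neither the original name nor the visible prefix "x" resolves, because the stored name is still 17 code units long and the remaining 16 are unpaired surrogates that no identifier can contain.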