Skip to main content

Posts

Showing posts from July, 2013

IE9/10 information disclosure vulnerability

IE memory garbage collection ( Mark Sweep algorithm ) object address leak vulnerability
Information disclosure, Windows IE9/10
Description:
Since IE9, Javascript date uses 1 bit to mark *num* and *object* pointer. However, in most object structures, there are data field that does not use the bit to mark. IE Mark Sweep algorithm JSCRIPT9!Recycler::ProcessMark will mark the object in the structure. Because this is a general class, it cannot process correctly the num in the object structure that does not have the marked bit. Therefore, JSCRIPT9!Recycler::ProcessMark will wrongly think these num are object pointers and mark the wrong tag. This will cause some objects cannot be released correctly, and may also leak the object address to bypass ASLR. If the garbaby collection contains the code to *defrag* memory blocks, it might lead to potential more serious issues such as buffer overrun due to the incorrect operation of the object pointers (which should be a num). Details:

gc.html:



Poc creates …