1501H - MSIE 8 - F12 Developer Tools tooltips use-after-free

TL;DR: Full disclosure of low risk 0-day in MSIE 8 after 60-day deadline passed without a fix.


Open a new tab, then open the Developer Tools by pressing F12 or selecting it from the "Tools" menu. Select the "Scripts" tab in the Developer Tools window. Next, hover the mouse over one of the buttons labelled "Start Debugging", "Run Script" or "Multi Line Mode"/"Single Line Mode". When a tooltip is shown, click the button. At this point, memory that was freed is accessed. When running MSIE with page heap enabled, you will see an access violation exception.


Because the attack vector appears highly unlikely to represent a risk to any user, I did not bother to do an in-depth investigation. However, the use-after-free occurs in the same process in which the web page is rendered. This suggests that there may be a way for the web page to reallocate the freed memory before it is reused and potentially exploit this issue. However, it appears that the free and the reuse occur in a very short time span, which would make that rather hard, if not impossible.


I allow vendors 60 days to fix an issue, unless they can provide an adequate reason for extending this deadline. Failure to meet a deadline without an adequate explanation will normally result in public disclosure of information regarding the vulnerability to the general public.


23 January 2015: vulnerability discovered and reported to MSRC by email.
23 January 2015: email from MSRC acknowledges receipt of report.
25 March 2015: email to MSRC to notify them that deadline has been exceeded.
25 March 2015: Full disclosure of vulnerability details.


Old blog

I've created a new blog at http://skypher.com together with my brother. Effective immediately, I will stop posting here (not that I posted here much, but anyway) and post there (more often).
JK normal randomness will resume here.


Heap feng shui

I finally got around to playing with Alexander Sotirov's new heap tricks for attacking browsers. If you haven't read his paper, you can find it here:

In short: Alexander has reverse-engineered the way the heap gets allocated and freed in IE and written some tools in JavaScript that allow you to control heap allocations. Where normal heap spraying is quick and dirty and gets the job done often enough, this gives you the control to make an exploit truly reliable. It does take a very deep understanding of the internals of process heaps and how vulnerabilities are actually exploited to understand how it works, which is good because script kiddies suck.


Exterminate - Mandelbrot Fractal Zoom Music Video

Five animated zooms into the Mandelbrot set, morphed into each other and synchronized to music. By slowly increasing the number of iterations as we zoom in, we can see the fractal grow.

Watch it on YouTube

Technical details:
Max. iterations: 6000
Max. zoom: 6.2e+14
Frames: 2310 (320x240)
Time to design and create the complete animation: ~50 hrs.
Render time: ~2hrs.
Rendering software: Ultra Fractal 4.03
Video software: VisualDub 1.6.17
Music: Snap! - Exterminate
Full AVI size: 57.4Mb (download)


Ascii Art Mandelbrot Fractal Zoom

As part of my DHTML++ demo, I wrote an ASCII Art Mandelbrot Fractal zoomer. Unfortunately, the current version is waaaay too slow to calculate the frames in real time. Apparently they did not optimize JavaScript in Internet Explorer for rendering fractals in real time.

I am working on a much smarter algorithm, which only calculates the fractal once. I intend to use variable accuracy. This means I can get more detail around the area I zoom into, so I do not need to recalculate the fractal for every frame. However, this is a bit more complex than it sounds, so don't hold your breath.
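As an added illustration of the escape-time zoomer described in this post and the music-video post above (example code written for this page, not SkyLined's DHTML++ code), here is a plain-JavaScript ASCII-art Mandelbrot renderer whose iteration limit rises with the zoom factor; the palette, frame size and zoom centre are chosen here and are not from the original:

```javascript
// Shade characters for escaping points; index 0 (space) marks points in the set.
var PALETTE = " .:-=+*#%@";

// Escape-time test for c = cr + i*ci: returns the iteration at which |z| exceeds 2,
// or maxIter if the point never escapes (treated as inside the set).
function escapeIterations(cr, ci, maxIter) {
  var zr = 0, zi = 0, n = 0;
  while (n < maxIter && zr * zr + zi * zi <= 4) {
    var t = zr * zr - zi * zi + cr;
    zi = 2 * zr * zi + ci;
    zr = t;
    n++;
  }
  return n;
}

// Iteration budget grows with zoom depth (zoom >= 1), so deeper frames show more detail.
function iterationsForZoom(zoom, baseIter) {
  return Math.floor(baseIter * (1 + Math.log(zoom)));
}

// Render one frame as an array of text rows. The view spans 3/zoom on the real axis,
// centred on (centreR, centreI); rows are stretched because characters are ~2x taller
// than they are wide.
function renderFrame(centreR, centreI, zoom, cols, rows, baseIter) {
  var maxIter = iterationsForZoom(zoom, baseIter);
  var width = 3 / zoom, height = width * rows / cols * 2;
  var lines = [];
  for (var y = 0; y < rows; y++) {
    var ci = centreI - height / 2 + height * (y + 0.5) / rows;
    var line = "";
    for (var x = 0; x < cols; x++) {
      var cr = centreR - width / 2 + width * (x + 0.5) / cols;
      var n = escapeIterations(cr, ci, maxIter);
      line += n >= maxIter ? " " : PALETTE[1 + (n % (PALETTE.length - 1))];
    }
    lines.push(line);
  }
  return lines;
}

// Produce `frames` frames, multiplying the zoom factor by `step` for each one.
function renderZoom(centreR, centreI, frames, step, cols, rows, baseIter) {
  var out = [];
  for (var f = 0, zoom = 1; f < frames; f++, zoom *= step) {
    out.push(renderFrame(centreR, centreI, zoom, cols, rows, baseIter));
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  renderZoom(-0.743643887, 0.131825904, 4, 4, 60, 24, 50).forEach(function (frame) {
    console.log(frame.join("\n") + "\n");
  });
}
```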

In the meantime, here's an example of what it will look like:

The quality is rather poor. If you want to download the original, it is 20Mb and available at:

DHTML++ Browser demo

I've been working on various bits and pieces for over a year now and I am still not nearly halfway. I figure I need a really decent amount of effects and a really decent source; I can't go about publishing just three nifty things with spaghetti code. This of course means I will never finish it, so I might as well give away a few previews.

At http://skypher.com/SkyLined/DHTML++/ you can find all ideas for effects I've had so far. Some of them may appear almost as-is in the final demo and some are just "Proof of Concepts"; I plan to completely rewrite it because the code is unreadable and does not lend itself to integration with the rest.

I will update the site with newer versions from time to time. I will blog about any major updates or new effects when appropriate.


VBScript Functions for JavaScript

If you're used to languages like JavaScript, C and Java, then VBScript can be a pain to code. But VBScript does offer a number of useful features that JavaScript does not, such as MsgBox, InputBox and String. To make these easily available in JavaScript, I have created a script that creates an object that works as a wrapper for these functions in JavaScript. The object has a method for each VBScript function, which can be used to call these functions. This allows you to use them from JavaScript as if they were a normal part of JavaScript.

To use the script, download it from http://skypher.com/SkyLined/download/vbs.js/vbs.js, put it on your server and add this tag to your HTML file:
<SCRIPT src="vbs.js" type="text/javascript" language="JavaScript"></SCRIPT>

Any script that runs after this script will have access to an object called "vbs", which has a number of properties and methods that can be used to access VBScript features.

Properties: (See MsgBox function documentation at MSDN)
vbOKOnly, vbOKCancel, vbAbortRetryIgnore, vbYesNoCancel, vbYesNo, vbRetryCancel, vbCritical, vbQuestion, vbExclamation, vbInformation, vbDefaultButton1, vbDefaultButton2, vbDefaultButton3, vbDefaultButton4, vbApplicationModal, vbSystemModal

Methods: (see VBScript functions reference at MSDN)
Abs, Array, Asc, Atn, CBool, CByte, CCur, CDate, CDbl, Chr, CInt, CLng, Cos, CreateObject, CSng, CStr, Date, DateAdd, DateDiff, DatePart, DateSerial, DateValue, Day, Escape, Eval, Exp, Filter, Fix, FormatCurrency, FormatDateTime, FormatNumber, FormatPercent, GetLocale, GetObject, GetRef, Hex, Hour, InputBox, InStr, InStrRev, Int, IsArray, IsDate, IsEmpty, IsNull, IsNumeric, IsObject, Join, LBound, LCase, Left, Len, LoadPicture, Log, LTrim, Mid, Minute, Month, MonthName, MsgBox, Now, Oct, Replace, RGB, Right, Rnd, Round, RTrim, ScriptEngine, ScriptEngineBuildVersion, ScriptEngineMajorVersion, ScriptEngineMinorVersion, Second, SetLocale, Sgn, Sin, Space, Split, Sqr, StrComp, String, StrReverse, Tan, Time, Timer, TimeSerial, TimeValue, Trim, TypeName, UBound, UCase, Unescape, VarType, Weekday, WeekDayName, Year

vbs.MsgBox("Hello, world!", vbs.vbOKOnly | vbs.vbInformation, "JavaScript");

JavaScript Shell v4.2beta

Topic moved to http://skypher.com.