Multi-browser heap address leak in XSLT


It's not often that I find a bug that affects multiple different codebases in the same way, but here is an interesting info-leak bug that is currently unpatched in Firefox, Internet Explorer and Safari.

I'm releasing it now for a few reasons:
  1. The bug was already publicly noted here.

  2. This bug cannot damage anyone in and of itself; it's a low severity info-leak that does not corrupt anything. It needs to be paired with other bugs, perhaps as an exploit aid against ASLR.

  3. This is a rare and unique opportunity to directly compare vendor responses and response times for a near-identical bug. It's nice that this is a lower-severity issue as all vendors tend to treat critical issues with at least some urgency; lower severity issues serve as a better differentiator.

The bug
The bug is in the generate-id() XPath function, which is sometimes used in XSL transforms. Here's a web page that simply calls generate-id() and renders the result as a web page:

https://cevans-app.appspot.com/static/genid.xml

Let's see how this renders in different browsers:

Firefox (64-bit Linux)
id0x00007fbac51c1000

There is no obfuscation here at all: this is a raw heap address. Since Firefox is open source, we can go and look at the source code to find that indeed, the string is generated from a pointer (txXPathNodeUtils::getXSLTId):
const char gPrintfFmt[] = "id0x%016p";

Internet Explorer 8 (Windows 7)
IDAW0MLB

Doesn't look like a heap address, does it? If, however, you strip off the "ID" prefix and treat the string as a [A-Z0-5] base32 encoded "little endian" string, you resolve to a nice heap address. At that address is a pointer in msxml.dll, possibly the address of a vtable for some internal xml node class.

Safari 5 (Mac OS X)
id35865226

Also does not immediately look like a heap address, but libxslt is doing a simple transform on a heap address:

/* cur is the xmlNode being identified; its address is divided by the node size */
val = (unsigned long)((char *)cur - (char *)0);
val /= sizeof(xmlNode);
sprintf((char *)str, "id%ld", val);

Opera
o14022440
o2148150600
These object ids bounce around all over the place. I don't know what is going on so I'm not making the claim that Opera is affected.

Chrome
Latest stable Chrome (Chrome 10) is not affected. It has been removed from the "time to fix" competition in order to keep things fair.
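As an added example (my own code, not from the post or from any of the browser vendors), the harness below reverses each of the three transforms above so that an XSLT engine can be regression-tested for this leak; it assumes the IE8 base32 digits run A-Z then 0-5 with the first character least significant, and a 120-byte 64-bit libxml2 xmlNode, since the post does not pin either down.

```python
"""Recover the heap address behind each browser's generate-id() output."""

# Assumed digit order: the post only says "[A-Z0-5] base32", little endian.
IE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"

def decode_firefox(gid: str) -> int:
    """Firefox: 'id0x%016p', i.e. the pointer printed verbatim in hex."""
    if not gid.startswith("id0x"):
        raise ValueError("unexpected Firefox id: %r" % gid)
    return int(gid[4:], 16)

def decode_ie8(gid: str) -> int:
    """IE8: 'ID' + base32 digits, least significant digit first."""
    if not gid.startswith("ID"):
        raise ValueError("unexpected IE id: %r" % gid)
    value = 0
    for i, ch in enumerate(gid[2:]):
        value |= IE_ALPHABET.index(ch) << (5 * i)
    return value

def decode_libxslt(gid: str, node_size: int = 120) -> int:
    """libxslt (Safari): 'id%ld' of (pointer / sizeof(xmlNode)).
    node_size=120 assumes the 64-bit libxml2 layout; the division dropped the
    low bits, so the result is within node_size bytes of the real pointer."""
    if not gid.startswith("id") or not gid[2:].isdigit():
        raise ValueError("unexpected libxslt id: %r" % gid)
    return int(gid[2:]) * node_size

def looks_like_user_pointer(value: int, bits: int) -> bool:
    """Heuristic: non-zero, 8-byte aligned and inside the user-mode range
    (below 2 GiB on 32-bit Windows, below the 47-bit canonical limit on x86-64)."""
    ceiling = 1 << (31 if bits == 32 else 47)
    return 0 < value < ceiling and value % 8 == 0

# The generate-id() strings quoted in the post, with the decoder for each engine.
SAMPLES = {
    "Firefox": ("id0x00007fbac51c1000", decode_firefox, 64),
    "IE8": ("IDAW0MLB", decode_ie8, 32),
    "Safari": ("id35865226", decode_libxslt, 64),
}

def leaking_browsers() -> list:
    """Names of the engines whose id decodes to a plausible heap pointer."""
    return [name for name, (gid, decode, bits) in SAMPLES.items()
            if looks_like_user_pointer(decode(gid), bits)]

if __name__ == "__main__":
    for name, (gid, decode, bits) in SAMPLES.items():
        print("%-8s %-22s -> 0x%0*x" % (name, gid, bits // 4, decode(gid)))
```

Feed your own engine's generate-id() output through the matching decoder; if the result passes looks_like_user_pointer, the id is derived from an address and should be replaced with a counter or a keyed hash.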


It's on!! Who will fix it first and who will be the security laggard? Updates to be provided via Twitter: @scarybeasts

Busy Chrome day…

I did a bunch of fairly interesting things with my corporate hat on today (not to be confused with any of my personal research 😉

Firstly, Chrome 10 went out with a record $16k+ series of rewards. It’s continually humbling to see such a wide range of researchers and a wide range of bug categories!

http://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html

Also, there are some nice new security pieces in Chrome 10. I blogged about some of these:

http://blog.chromium.org/2011/03/mini-newsletter-from-your-google-chrome.html

My personal favourite is “plug-in blocking enhancements”, probably because I implemented it and am therefore biased 🙂 In reality, the change that’s going to really help end user security is “out-of-date plug-in warnings”. Users are encouraged to update to the latest security patches for their plug-ins. I personally believe this will be particularly helpful for Java, which is widely installed but users are not always the most up to date.

And then I spoke at SANS AppSec with Adam Mein about Google’s two vulnerability reward programs (Chromium and Web). This seemed to be very well received, as evidenced by the stack of insightful questions. We released a few new stats and charts, so it’s probably worth me linking to the slides:

https://docs.google.com/present/edit?id=0Ae_usSLlqH60ZGZnYjI0NTVfMjBobngybWRoaA&hl=en

All in all a fun day!


TA11-067A: Microsoft Updates for Multiple Vulnerabilities


Original release date: March 08, 2011
Last revised: --
Source: US-CERT

Systems Affected

  • Microsoft Windows
  • Microsoft Office

Overview

There are multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address these vulnerabilities.


I. Description

The Microsoft Security Bulletin Summary for March 2011 describes multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address the vulnerabilities.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.


III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2011. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).


IV. References



Feedback can be directed to US-CERT.


Produced 2011 by US-CERT, a government organization.


Revision History

March 08, 2011: Initial release

Microsoft Patch Tuesday – March 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is a quiet month: the vendor is releasing three bulletins covering a total of four vulnerabilities. Only one of the issues is rated ‘Critical’ and it affects Media Player and Media Center. The remaining issues, affecting DirectShow, Groove, and Remote Desktop Client, are rated ‘Important’, and are all due to how the applications load Dynamic-Link Library (DLL) files. As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the March releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-mar.mspx

The following is a breakdown of the issues being addressed this month:

1. MS11-015 Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)

CVE-2011-0032 (BID 46682) Microsoft DirectShow DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A remote code-execution vulnerability affects DirectShow due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.wtv’, ‘.dvr-ms’, or ‘.mpg’ file from a remote network share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, and Windows Media Center TV Pack for Windows Vista 32-bit and 64-bit editions

CVE-2011-0042 (BID 46680) Microsoft Windows Media Player/Windows Media Center '.dvr-ms' File Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Media Player and Media Center due to how they handle ‘DVR-MS’ files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows XP Media Center Edition 2005 SP3, Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, and Windows Media Center TV Pack for Windows Vista 32-bit and 64-bit editions

2. MS11-016 Microsoft Groove 2007 'mso.dll' DLL Loading Arbitrary Code Execution Vulnerability (2494047)

CVE-2010-3146 (BID 42695) Microsoft Groove Insecure Library Loading Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A previously public (Aug. 25, 2010) remote code-execution vulnerability affects Groove due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.vcg’ or ‘.gta’ file from a remote network share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Office Groove 2007 SP2

3. MS11-017 Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)

CVE-2011-0029 (BID 46678) Microsoft Remote Desktop Connection Client DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A remote code-execution vulnerability affects Remote Desktop Client due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.rdp’ file from a remote network share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.