On November’s Microsoft Patch Tuesday, Microsoft patched multiple security vulnerabilities in the Edge browser. At the beginning of January, a security researcher published PoC code on GitHub that exploits CVE-2016-7200 and CVE-2016-7201. Not long after the PoC code appeared, these two vulnerabilities began to be actively exploited by multiple exploit kits. This blog post analyzes the root cause of CVE-2016-7200 and the attackers’ exploit.
CVE-2016-7200 Information Leaking Vulnerability
Var is defined as a void pointer in Chakra, so it can point to anything.
typedef void * Var;
return [h, h]
Attackers Get the Memory Address of an Array — So What?
Address space layout randomization (ASLR) causes Edge to load the stack, heap and libraries at different memory addresses every time the process is started. This stops attackers from overwriting RIP/EIP to execute their shellcode, because they cannot find a reliable address to redirect execution to.
Once the memory address of an array is known, offset 0x0 of the array object holds a pointer to its “vftable”, the table of virtual functions shared by all arrays of that type. The weak part of ASLR is that it can’t change the offsets within a randomly loaded library, as you can see below:
The distance between this “vftable” and the base address of the Chakra module is 0x274C40, so once you know the address of an array, you know the module’s base address (00007ffa`99db0000). Attackers therefore know where to write to take control of EIP/RIP. The code is as below:
var retPtr = chakraBase.add(0x162A1D);
Although information leaking vulnerabilities don’t sound as serious as remote code execution, this type of vulnerability plays an important role in the attacker’s exploit chain that ultimately executes shellcode. CVE-2016-7200 is being actively exploited in the wild. Qualys has released QID 91300 to detect the vulnerability. We highly recommend that customers scan their environment for this QID to remotely identify affected assets.