【OOB】MSHTML!CPasteCommand::ConvertBitmaptoPng heap-based buffer overflow (study notes) - Ox9A82
2017-01-18 01:46  Source: www.cnblogs.com

MS14-056, CVE-2014-4138

Time-line

8 May 2014: This vulnerability was submitted to ZDI.
9 June 2014: This vulnerability was acquired by ZDI.
23 June 2014: This vulnerability was disclosed to Microsoft by ZDI.
14 October 2014: This vulnerability was addressed by Microsoft in MS14-056.
21 December 2016: Details of this vulnerability are released.

Out-of-bounds access vulnerability
Affected version: Microsoft Internet Explorer 11.0.9600.16521

概述

When an image is pasted into IE11, the BMP on the clipboard is converted to PNG; MSHTML!CPasteCommand::ConvertBitmaptoPng performs this conversion.
The function allocates the buffer that receives the converted PNG using the size of the source BMP, then reads the whole PNG into it. Whenever the PNG is larger than the BMP, the read runs past the end of the heap allocation. That happens for pixel data that does not compress (noise, for example): the PNG's signature, chunk headers, per-scanline filter bytes and zlib framing then add bytes without any compression savings to offset them.

CPasteCommand::ConvertBitmaptoPng pseudocode

  Function prototype
    ConvertBitmaptoPng(
      [IN]  VOID*  poBitmap,
      [IN]  UINT   uBitmapSize,
      [OUT] VOID** ppoPngImage,
      [OUT] UINT*  puPngImageSize
    )

    {
      // BMP to PNG conversion
      CMemStm* poCMemStm;
      IWICStream* poWicBitmap;
      STATSTG oStatStg;
      TSmartArray<unsigned char> poPngImage;
      UINT uReadSize;
      ULARGE_INTEGER uPosition;
      // Create a CMemStm for the PNG image.
      CreateStreamOnHGlobal(NULL, TRUE, &poCMemStm);
      // Create an IWICStream from the BMP image.
      InitializeFromMemory(poBitmap, uBitmapSize,
          &GUID_ContainerFormatBmp, &poWicBitmap);
      // Write the BMP image in the IWICStream as a PNG image into the CMemStm.
      WriteWicBitmapToStream(poWicBitmap, &GUID_ContainerFormatPng, poCMemStm);
      // Get the size of the PNG image in the CMemStm and save it to the output variable.
      poCMemStm->Stat(&oStatStg, 0);
      *puPngImageSize = oStatStg.cbSize.LowPart;
      // Allocate memory for the PNG.
      // BUG: the buffer is sized by the BMP, not by the PNG that was just produced
      // (the correct size is already in *puPngImageSize).
      poPngImage->New(uBitmapSize);
      // Go to the start of the PNG image in the CMemStm.
      poCMemStm->Seek(0, STREAM_SEEK_SET, NULL, &uPosition);
      // Read the PNG image from the CMemStm into the allocated memory.
      // BUG: *puPngImageSize bytes are read into a uBitmapSize-byte buffer; when the PNG
      // is larger than the BMP this overflows the heap allocation.
      poCMemStm->Read(poPngImage, *puPngImageSize, &uReadSize);
      // Save the location of the allocated memory holding the PNG image to the output variable.
      *ppoPngImage = poPngImage;
    }
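To make the size relationship concrete, here is an added example (my own code, not from the original post and not Microsoft's MSHTML code). It builds a 24-bit BMP of noise pixels in memory (constructed input), encodes it as a PNG whose zlib stream uses stored deflate blocks, and then runs both shapes of the allocation: the vulnerable one from the pseudocode (buffer sized by the BMP, copy sized by the PNG) and the fixed one (buffer sized by the PNG that Stat() already reported). make_noise_bmp, bmp_to_png, convert_bitmap_to_png_vuln and convert_bitmap_to_png_fixed are hypothetical names I chose; the vulnerable model reports the overflow condition instead of actually corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the original post or from Microsoft. A 24-bit BMP of
 * incompressible pixel data is built in memory (constructed input), encoded as a PNG
 * whose IDAT holds stored deflate blocks, and the two sizes are compared. The convert_*
 * functions are hypothetical stand-ins for the MSHTML routine, not its real code. */

static void put16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32le(uint8_t *p, uint32_t v) { put16le(p, (uint16_t)v); put16le(p + 2, (uint16_t)(v >> 16)); }
static void put32be(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }
static uint32_t get32le(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t crc32_png(const uint8_t *d, size_t n) {          /* CRC-32 over chunk type + data */
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1)));
    }
    return ~crc;
}
static uint32_t adler32(const uint8_t *d, size_t n) {            /* zlib trailer checksum */
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + d[i]) % 65521; b = (b + a) % 65521; }
    return (b << 16) | a;
}
static uint8_t *chunk(uint8_t *p, const char *type, const uint8_t *data, uint32_t len) {
    put32be(p, len); memcpy(p + 4, type, 4); if (len) memcpy(p + 8, data, len);
    put32be(p + 8 + len, crc32_png(p + 4, len + 4));
    return p + 12 + len;                                          /* length + type + data + crc */
}

/* Uncompressed 24-bit BMP (54-byte header, rows padded to 4 bytes) filled with xorshift
 * noise: constructed input, chosen because noise is what a PNG encoder cannot shrink. */
static uint8_t *make_noise_bmp(uint32_t w, uint32_t h, size_t *size) {
    uint32_t stride = (3 * w + 3) & ~3u, x = 0x9A82u;
    *size = 54 + (size_t)stride * h;
    uint8_t *bmp = calloc(1, *size);
    bmp[0] = 'B'; bmp[1] = 'M'; put32le(bmp + 2, (uint32_t)*size); put32le(bmp + 10, 54);
    put32le(bmp + 14, 40); put32le(bmp + 18, w); put32le(bmp + 22, h);
    put16le(bmp + 26, 1); put16le(bmp + 28, 24); put32le(bmp + 34, stride * h);
    for (uint32_t row = 0; row < h; row++)
        for (uint32_t i = 0; i < 3 * w; i++) {
            x ^= x << 13; x ^= x >> 17; x ^= x << 5;
            bmp[54 + row * stride + i] = (uint8_t)x;
        }
    return bmp;
}

/* BMP -> PNG: every scanline gets a filter byte of 0, bottom-up BGR rows become top-down
 * RGB, and the zlib stream is built from stored (BTYPE=00) deflate blocks, which is the
 * smallest output any encoder can produce for data that does not compress. */
static uint8_t *bmp_to_png(const uint8_t *bmp, size_t *png_size) {
    uint32_t w = get32le(bmp + 18), h = get32le(bmp + 22), off = get32le(bmp + 10);
    uint32_t stride = (3 * w + 3) & ~3u, rowlen = 1 + 3 * w;
    size_t raw_len = (size_t)rowlen * h, nblocks = (raw_len + 65534) / 65535;
    size_t idat_len = 2 + nblocks * 5 + raw_len + 4;             /* zlib hdr, block hdrs, data, adler */
    uint8_t *raw = malloc(raw_len), *idat = malloc(idat_len), *p = idat;
    for (uint32_t y = 0; y < h; y++) {
        const uint8_t *src = bmp + off + (size_t)(h - 1 - y) * stride, *end = src + 3 * w;
        uint8_t *dst = raw + (size_t)y * rowlen;
        for (*dst++ = 0; src < end; src += 3, dst += 3) { dst[0] = src[2]; dst[1] = src[1]; dst[2] = src[0]; }
    }
    *p++ = 0x78; *p++ = 0x01;                                     /* zlib header, no preset dictionary */
    for (size_t done = 0; done < raw_len; done += 65535) {
        uint16_t len = (uint16_t)(raw_len - done > 65535 ? 65535 : raw_len - done);
        *p++ = (done + len == raw_len);                           /* BFINAL flag, BTYPE=00 */
        put16le(p, len); put16le(p + 2, (uint16_t)~len); p += 4;  /* LEN, NLEN */
        memcpy(p, raw + done, len); p += len;
    }
    put32be(p, adler32(raw, raw_len));
    *png_size = 8 + (12 + 13) + (12 + idat_len) + 12;             /* signature, IHDR, IDAT, IEND */
    uint8_t *png = malloc(*png_size), *q = png, ihdr[13] = {0};
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 13, 10, 26, 10};
    memcpy(q, sig, 8); q += 8;
    put32be(ihdr, w); put32be(ihdr + 4, h); ihdr[8] = 8; ihdr[9] = 2;   /* 8 bits/sample, truecolour */
    q = chunk(q, "IHDR", ihdr, 13);
    q = chunk(q, "IDAT", idat, (uint32_t)idat_len);
    chunk(q, "IEND", NULL, 0);
    free(raw); free(idat);
    return png;
}

/* Vulnerable shape from the pseudocode: allocate by the BMP size, then read the PNG size
 * into it. The copy is skipped here when it would overflow so the model stays memory safe;
 * the real function had no such check. Returns 1 when the overflow would occur. */
static int convert_bitmap_to_png_vuln(const uint8_t *bmp, size_t bmp_size, size_t *png_size) {
    uint8_t *png = bmp_to_png(bmp, png_size);
    uint8_t *out = malloc(bmp_size);                              /* poPngImage->New(uBitmapSize) */
    int overflow = *png_size > bmp_size;                          /* Read(..., *puPngImageSize, ...) */
    if (!overflow) memcpy(out, png, *png_size);
    free(out); free(png);
    return overflow;
}
/* Fixed shape: size the buffer from the PNG length that Stat() already reported. */
static uint8_t *convert_bitmap_to_png_fixed(const uint8_t *bmp, size_t *png_size) {
    uint8_t *png = bmp_to_png(bmp, png_size), *out = malloc(*png_size);
    memcpy(out, png, *png_size);
    free(png); return out;
}
```

With this encoder a 64x64 noise BMP is 12342 bytes and its PNG is 12420 bytes, so even the most compact PNG possible for that data overshoots the BMP-sized buffer by 78 bytes; any real encoder, which also tends to add ancillary chunks, can only make the PNG bigger on such input. The margin is not automatic, though: PNG spends one filter byte per row while BMP pads each row to 4 bytes, so for widths like 2 pixels (8-byte BMP rows versus 7-byte PNG rows) the PNG of a 2x100 noise image ends up smaller than the BMP and the copy fits. The image dimensions, not just the pixel content, decide whether and by how much the read overflows.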

POC

Only the JavaScript that performs the image copy is available; the image itself has to be generated separately.

I did not debug this bug because there is no complete PoC, but the author has already explained it clearly in the overview; the cause of this bug is quite interesting, so I am keeping it here to broaden my thinking.

Source: https://www.cnblogs.com/Ox9A82/p/6295375.html