Visit the address. To enhance the user experience, I added <?php phpinfo(); ?> to the uploaded images. It's obvious that the image type we uploaded has become the one we want. The code was also executed successfully. Finally, I searched online for others' code audits http://cn-sec.com/archives/311436.html and found that their directories were different from mine, which was a pleasant surprise.
Website hacking, penetration testing, hijacking, data extraction, SDK, DPI, MD5
Hacker services/hacking business/exam score modification/order modification/reverse engineering/cheat software/penetration
Website hacking, penetration testing, hijacking, data extraction, SDK, DPI, MD5
Hacker services/hacking business/exam score modification/order modification/reverse engineering/cheat software/penetration
The vulnerability occurs in the AddPrinterDriverEx function, which has three parameters. The third parameter is a flag with a special value that is not mentioned in the official documentation: APD_INSTALL_WARNED_DRIVER = 0x00008000. According to the code logic in Figure 1, before calling InternalAddPrinterDriverEx, the 0xf bit of the flag is checked by bittest. If the value is 1, the value of v12 will still be 0, allowing you to bypass the Access check in line 24 and successfully call InternalAddPrinterDriverEx.
The file upload mainly focuses on filtering. The up_img() function is used to process the submitted content, and the array records the type to be verified. Therefore, we need to understand the up_img() function in detail next.
Locate the up_img() function and analyze this code. The key point is to verify the value of type. After obtaining the information of the uploaded file with the pathinfo() function, it is assigned to pic_name. file_type obtains the type value in the uploaded file and the value after Content-Type in the data package. The strtolower() function converts all characters in file_type to lowercase and compares them with the type values in the array. The in_array() function searches whether there is a value equal to file_type in the array. If it exists, the file is uploaded. Since only the Content-Type value is verified, it can be determined that there is a vulnerability here.
Locate the up_img() function and analyze this code. The key point is to verify the value of type. After obtaining the information of the uploaded file with the pathinfo() function, it is assigned to pic_name. file_type obtains the type value in the uploaded file and the value after Content-Type in the data package. The strtolower() function converts all characters in file_type to lowercase and compares them with the type values in the array. The in_array() function searches whether there is a value equal to file_type in the array. If it exists, the file is uploaded. Since only the Content-Type value is verified, it can be determined that there is a vulnerability here.
As can be seen from the allocation, release, and caching process of the UAF object, if the relevant function is called to release the RenderWidgetHostViewAura object when there are still redraw tasks in the queue, the cached RenderWidgetHostViewAura pointer will be dereferenced when the Refresh function is called next time. However, the object has already been released, so a UAF will be triggered.
To avoid caching the RenderWidgetHostView when creating the CurrentTabDesktopMediaList, the object can be obtained through content::RenderFrameHost::FromID and content::RenderWidgetHostView when it is needed. When the view object is released, an empty pointer is returned, thus avoiding a UAF. The code is as follows:
To avoid caching the RenderWidgetHostView when creating the CurrentTabDesktopMediaList, the object can be obtained through content::RenderFrameHost::FromID and content::RenderWidgetHostView when it is needed. When the view object is released, an empty pointer is returned, thus avoiding a UAF. The code is as follows:
After the MediaList is created in the ProcessQueuedAccessRequest function, the show function is called to display the authorization pop-up window, as shown below:
In the StartUpdating function, the refresh_callback_ member variable is bound to the DesktopMediaListBase::ScheduleNextRefresh function, and then the refresh function is called, which is as follows:
In the Refresh function, the reply is bound to the OncaptureHandled function and then passed as a parameter to the CopyFromSurface function. Therefore, the OnCaptureHandled function will call the OnRefreshComplete function to return the result. In the OnRefreshComplete function, the OnRefreshComplete function will call the OnRefreshComplete function, and finally the refresh_callback_ will call the DesktopMediaListBase::ScheduleNextRefresh function, as shown below:
In the ScheduleNextRefresh function, the refresh_callback_ member variable is bound to itself again, and then a delayed task is released to call the Refresh function, forming a loop that constantly refreshes the window:
In the StartUpdating function, the refresh_callback_ member variable is bound to the DesktopMediaListBase::ScheduleNextRefresh function, and then the refresh function is called, which is as follows:
In the Refresh function, the reply is bound to the OncaptureHandled function and then passed as a parameter to the CopyFromSurface function. Therefore, the OnCaptureHandled function will call the OnRefreshComplete function to return the result. In the OnRefreshComplete function, the OnRefreshComplete function will call the OnRefreshComplete function, and finally the refresh_callback_ will call the DesktopMediaListBase::ScheduleNextRefresh function, as shown below:
In the ScheduleNextRefresh function, the refresh_callback_ member variable is bound to itself again, and then a delayed task is released to call the Refresh function, forming a loop that constantly refreshes the window:
After the POC calls the windows.close() function, the tab is closed, and a series of objects are released, including the previously allocated RenderFrameHostManager object. The message to close the window, after being distributed by the relevant Mojo components, calls the content::WebContentsImpl::Close function, as shown below:
CloseWebContents attempts to call fast shutdown to close the relevant tabs:
Through the above call chain, the window_ object is deleted.
CloseWebContents attempts to call fast shutdown to close the relevant tabs:
Through the above call chain, the window_ object is deleted.
After the browser receives the request, a RenderView is created by content::RenderFrameHostManager::InitRenderView, and a RenderWidget is created within the RenderView as follows:
This function calls a function in the web_contents_impl class to create a RenderView:
Finally, the web_contents_view_aura class is called to create a RenderWidgetHostViewAura object.
At this point, a RenderWidgetHostViewAura object is created. In the initialization function of the RenderWidgetHostViewAura, relevant functions are called to set the view_ variable to itself, as shown below:
The above code calls the SetView function of the RenderWidgetHostImpl class to set the view_ member variable to the passed-in this pointer:
In the POC code, a request is made to share the content of the current screen, which requires user authorization. The authorization process is as follows:
This function calls a function in the web_contents_impl class to create a RenderView:
Finally, the web_contents_view_aura class is called to create a RenderWidgetHostViewAura object.
At this point, a RenderWidgetHostViewAura object is created. In the initialization function of the RenderWidgetHostViewAura, relevant functions are called to set the view_ variable to itself, as shown below:
The above code calls the SetView function of the RenderWidgetHostImpl class to set the view_ member variable to the passed-in this pointer:
In the POC code, a request is made to share the content of the current screen, which requires user authorization. The authorization process is as follows:
Due to the fact that the main functions of Chrome are implemented in the chrome.dll file, and this DLL has not been loaded at this time, use the sxe ld chrome command to tell Windbg to interrupt after the chrome.dll file is loaded. Enter g to run the program and wait for the program to be interrupted. Use the lm command to confirm whether the chrome.dll file has been loaded:
After the chrome.dll file is loaded, you can use the .reload /f chrome.dll command to load the symbols of the chrome.dll file, as shown in the following figure:
The warnings that appear below can be ignored. After the symbols are loaded, you can perform source-level debugging, as follows:
After the chrome.dll file is loaded, you can use the .reload /f chrome.dll command to load the symbols of the chrome.dll file, as shown in the following figure:
The warnings that appear below can be ignored. After the symbols are loaded, you can perform source-level debugging, as follows:
Chromium issue 1187403 describes a UAF vulnerability. The PoC is as follows:
This code attempts to share the content of the current page. In the Chrome browser, a pop-up window will appear asking the user for authorization, as shown below:
When the window is closed, if the redraw task of the window is still in the task queue, the task will be scheduled normally. However, there is a pointer cache of the window in the relevant class, and the pointer will be dereferenced, resulting in a UAF.
This code attempts to share the content of the current page. In the Chrome browser, a pop-up window will appear asking the user for authorization, as shown below:
When the window is closed, if the redraw task of the window is still in the task queue, the task will be scheduled normally. However, there is a pointer cache of the window in the relevant class, and the pointer will be dereferenced, resulting in a UAF.