MS IE Stylesheet Memory Corruption (Aug 7, 2009)


The Microsoft Internet Explorer browser lets web developers dynamically modify and style a web page via the Document Object Model (DOM) and Cascading Style Sheets (CSS). The Document Object Model is a cross-platform and language-independent convention used for representing and interacting with objects in HTML, XHTML and XML documents. The browser supports both the JavaScript and JScript scripting languages. JScript can be used to access and modify a web page's underlying DOM structure. The appearance of a page is mainly controlled through CSS, which defines the aesthetic aspects of a web page such as fonts, colors and spacing.

Styles are defined and stored either inline or within external style sheets. The following example code snippet illustrates the use of an inline style definition:

 p { color: red; } 

In the above example, a single rule is defined for the paragraph HTML element. Internet Explorer is instructed to style all text within the p tag with the color red. JScript is capable of accessing the stylesheets within a web page using the DOM property document.styleSheets. This property is a collection of styleSheet objects, which can contain zero or more CSS rules. The property can be used to delete or modify existing CSS rules. An example of its usage is shown:

 var testStyle = document.styleSheets[3].rules[0].style; 

The above code creates a reference to a CSS rule's style object, which exposes methods and attributes related to that style. This reference can then be used to modify the style definition for the associated CSS rule. Internet Explorer exposes an additional styleSheet property, cssText, which can be used to set or retrieve the text representation of the CSS rules. An example of the usage of this property is shown:

 document.styleSheets[1].cssText = "p { color: green; }"; 

A memory corruption vulnerability exists in Microsoft Internet Explorer. It is created by a design error in the way the browser accesses an object that has been deleted. When a cssText property of a styleSheet is assigned a new value, as shown in the last example code snippet, the browser does not properly clean up the previous underlying style object which is replaced by the new assignment. A JScript reference to a style object will remain in memory even after the cssText reassignment.
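The lifetime problem described above can be modeled without a browser. The following is an added example, not code from the original advisory or from Internet Explorer: `Arena`, `StyleSheet`, `parseRules` and `demo` are hypothetical names, the "heap" is a simulated slot array, and the generation check is one common mitigation for stale references, not the vendor's actual fix.

```javascript
// Added model, not Internet Explorer code: the "heap" is a simulated slot array.
class Arena {
  constructor() { this.slots = []; this.free = []; }
  alloc(obj) {
    const i = this.free.length ? this.free.pop() : this.slots.length;
    const gen = (this.slots[i] ? this.slots[i].gen : 0) + 1;
    this.slots[i] = { gen, obj };
    return { i, gen };                      // handle = slot index + generation
  }
  release(h) { this.slots[h.i].obj = null; this.free.push(h.i); }
  // Unchecked lookup: models a raw pointer that is never invalidated.
  derefRaw(h) { return this.slots[h.i].obj; }
  // Checked lookup: rejects handles whose slot was released or reused.
  derefChecked(h) {
    const s = this.slots[h.i];
    if (s.gen !== h.gen || s.obj === null) throw new Error("stale style reference");
    return s.obj;
  }
}

// Minimal parser for rules of the form "selector { prop: value; }".
function parseRules(text) {
  return [...text.matchAll(/([^{}]+)\{([^}]*)\}/g)].map(m => ({
    selector: m[1].trim(),
    style: Object.fromEntries(
      m[2].split(";").map(d => d.split(":").map(s => s.trim()))
        .filter(p => p.length === 2 && p[0])),
  }));
}

class StyleSheet {
  constructor(arena, text) { this.arena = arena; this.rules = []; this.cssText = text; }
  // Reassigning cssText releases the old style objects and allocates new ones.
  set cssText(text) {
    this.rules.forEach(h => this.arena.release(h));
    this.rules = parseRules(text).map(r => this.arena.alloc(r));
  }
}

function demo() {
  const arena = new Arena(), sheet = new StyleSheet(arena, "p { color: red; }");
  const testStyle = sheet.rules[0];            // script keeps a reference
  sheet.cssText = "p { color: green; }";       // old object released, slot reused
  const raw = arena.derefRaw(testStyle).style.color;   // reads the replacement object
  let checked = "accepted";
  try { arena.derefChecked(testStyle); } catch (e) { checked = e.message; }
  return { raw, checked };
}
console.log(demo());
```

In native code the released slot is freed memory rather than a tidy object, which is why the stale access corrupts memory instead of merely returning the wrong color.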

A remote attacker can exploit this vulnerability by enticing target users to visit a crafted web page that references and attempts to use a style object left in memory after a cssText reassignment. This can potentially cause memory corruption, overwriting critical memory, and allow for the injection and execution of arbitrary code.

Successful exploitation may result in code execution with the privileges of the logged in user. Exploitation of this vulnerability resulting in code execution is not considered to be a trivial task. Upon unsuccessful exploitation, the affected browser may terminate as a result of an invalid memory access.

SonicWall has developed and released an IPS signature that detects and blocks a specific exploit targeting this vulnerability. Generic detection of attack attempts is not feasible as it would require logical analysis of all script contained within a given web site. The IPS signature released to address this vulnerability is:

  • 4236 – MS IE Stylesheet Memory Corruption PoC (MS09-034)

The vulnerability has been assigned CVE-2009-1919. The vendor has released a security bulletin to address this flaw.
