II. Description
GreenBrowser is an IE-core-based browser. A specially crafted page can lead to the execution of shellcode. Using JavaScript to refresh the page lets the shellcode execute automatically after F6 is pressed.
Many browsers have a search bar, used mostly for quick searches across different search engines such as Google and Bing. GreenBrowser defines a shortcut key, F6, that searches the content of the current web page (including content inside an iframe) for the text in the search bar. When F6 is pressed on a web page containing an iframe that points to Flash or XML content, GreenBrowser calls ieframe.dll!CFindEngine::DisconnectDocument and then mshtml.dll!CDocument::PrivateRelease. When the page is refreshed or closed, GreenBrowser calls mshtml.dll!CDocument::PrivateRelease again to release the iframe object. Because the CDocument object has already been released once, the second call to CDocument::PrivateRelease uses freed memory (which could contain shellcode placed by a heap spray) as the virtual function table, resulting in a code execution vulnerability. Advanced memory attack techniques such as Heap Feng Shui or JIT spraying could be used to build a stable exploit.
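The release imbalance described above can be modelled with a small reference-counting sketch. This is an added example, not code from GreenBrowser, ieframe.dll or mshtml.dll. All names are hypothetical, and the missing AddRef is an assumed cause chosen for illustration: the advisory states only that the object is released twice. The second release is recorded rather than performed, so the program has no undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a reference-counted document object (hypothetical
 * names). The object lives on the caller's stack and is never freed, so
 * inspecting it after its last release is well defined. */
typedef struct { int refs; int destroyed; int over_releases; } doc_t;

static void doc_init(doc_t *d)   { d->refs = 1; d->destroyed = 0; d->over_releases = 0; }
static void doc_addref(doc_t *d) { d->refs++; }

/* Drop one reference. A release on an already destroyed object corresponds
 * to the second PrivateRelease in the advisory; it is counted, not executed. */
static void doc_release(doc_t *d) {
    if (d->destroyed) { d->over_releases++; return; }
    if (--d->refs == 0) d->destroyed = 1;
}

/* Find helper that keeps a pointer to the iframe document. */
typedef struct { doc_t *doc; } finder_t;

/* Unbalanced (assumed cause): stores the pointer without taking a reference,
 * yet releases it on disconnect. */
static void finder_attach_borrowed(finder_t *f, doc_t *d) { f->doc = d; }

/* Balanced: takes its own reference, so the disconnect release is paired. */
static void finder_attach_owned(finder_t *f, doc_t *d) { doc_addref(d); f->doc = d; }

static void finder_disconnect(finder_t *f) {
    if (f->doc) { doc_release(f->doc); f->doc = NULL; } /* clear to stop reuse */
}

/* Runs the search-then-teardown sequence and returns the number of
 * over-releases detected (0 means the reference count stayed balanced). */
int run_sequence(int balanced) {
    doc_t doc;
    finder_t f;
    doc_init(&doc);                      /* the page holds the initial reference */
    if (balanced) finder_attach_owned(&f, &doc);
    else          finder_attach_borrowed(&f, &doc);
    finder_disconnect(&f);               /* search finishes (F6 path) */
    doc_release(&doc);                   /* page refresh or close releases the iframe */
    return doc.over_releases;
}

int main(void) {
    printf("unbalanced: %d over-release(s)\n", run_sequence(0));
    printf("balanced:   %d over-release(s)\n", run_sequence(1));
    return 0;
}
```

In the unbalanced run the object is destroyed at disconnect and the teardown release lands on a dead object; in the balanced run the count reaches zero exactly once.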
VI. Credit
The penetration test team of NCNIPC (China) is credited for this vulnerability.