what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Internet Explorer 8 Code Execution

Microsoft Internet Explorer 8 Code Execution
Posted Jun 14, 2012
Authored by Code Audit Labs | Site vulnhunt.com

Code Audit Labs has discovered a remote code execution vulnerability in Microsoft Internet Explorer 8 due to a use-after-free issue having to do with property ids.

tags | advisory, remote, code execution
advisories | CVE-2012-1875
SHA-256 | d90822cc1fdf82eaf50e354edf2ba9269a59ae2ff8196eb2ba50bfbd36cfe29b

Microsoft Internet Explorer 8 Code Execution

Change Mirror Download
[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution
Vulnerability



CVE ID: CVE-2012-1875
https://technet.microsoft.com/en-us/security/bulletin/ms12-037
https://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/


1 Affected Products
=================
IE8
we tested£ÂșInternet Explorer 8.0.6001.18702


2 Vulnerability Details
======================

The vulnerability occurs when a img element and a div element have same
id property, when remove them, img
element is freed from memory, but CCollectionCache keep a reference to
it, so it cause a use after free
vulnerability, which can cause Remote Code Execution.



3 Analysis
===========
asm in mshtml.dll

bp mshtml!CCollectionCache::GetAtomFromName
when break if ecx points to a CImgElement, remember ecx
Breakpoint 0 hit
eax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c
edi=016aa348
eip=3db74101 esp=016aa300 ebp=016aa350 iopl=0 nv up ei pl nz na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000202
mshtml!CCollectionCache::GetAtomFromName:
3db74101 8bff mov edi,edi
0:008> dds ecx l4
033413e0 3dabe880 mshtml!CImgElement::`vftable'
033413e4 00000001
033413e8 00000008
033413ec 001a7ad0

0:008> bd 0
0:008> g
(2178.2120): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0
edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
8bffff53 ?? ???
0:008> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53
016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350
mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af5ac 00000003 03341301
mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 033414a0 009af5ac 00000003
mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af5ac 016aa480
mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac
mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 0019adf0 009af5ac 10000003
mshtml!CElementCollectionBase::VersionedGetDispID+0x46
016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc
016aa440 3e374d99 009af5ac 016aa480 0019aeb0
jscript!IDispatchExGetDispID+0xb7

mshtml!CElement::Doc:
3db56ce0 8b01 mov eax,dword ptr [ecx]
3db56ce2 8b5070 mov edx,dword ptr [eax+70h]
3db56ce5 ffd2 call edx
3db56ce7 8b400c mov eax,dword ptr [eax+0Ch]


4 Exploitable?
============
if overwrite freed memory with controlled content, combined with heap
spray, can cause remote code execution.

and we noticed that the exploitation attack in the wild.


5 Crash info:
===============
(2430.2450): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8
edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
8bffff53 ?? ???
0:008> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53
016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350
mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af528 00000003 00245501
mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 00245678 009af528 00000003
mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af528 016aa480
mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 00245678 0000000d 009af528
mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 033329c0 009af528 10000003
mshtml!CElementCollectionBase::VersionedGetDispID+0x46



6 TIMELINE:
==========
2012/2/15 Dark son request code audit labs to analyze a POC example
2012/2/15 we begin analyze
2012/2/20 we comfirmed this is an exploitable 0day. report to Microsoft
2012/2/21 Microsoft reply got the report.
2012/2/25 Microsoft begin to investigate
2012/3/1 Microsoft comfirmed this issue.
2012/6/14 Microsoft public this bulletin.


7 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
https://www.VulnHunt.com
https://blog.Vulnhunt.com
https://t.qq.com/vulnhunt
https://weibo.com/vulnhunt
https://twitter.com/vulnhunt

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close