exploit the possibilities

Microsoft Internet Explorer 8 Code Execution

Microsoft Internet Explorer 8 Code Execution
Posted Jun 14, 2012
Authored by Code Audit Labs | Site vulnhunt.com

Code Audit Labs has discovered a remote code execution vulnerability in Microsoft Internet Explorer 8 due to a use-after-free issue having to do with property ids.

tags | advisory, remote, code execution
advisories | CVE-2012-1875
MD5 | bd95491c06843df2fbded9d5fca6e4e3

Microsoft Internet Explorer 8 Code Execution

Change Mirror Download
[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution
Vulnerability



CVE ID: CVE-2012-1875
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/


1 Affected Products
=================
IE8
we tested£ÂșInternet Explorer 8.0.6001.18702


2 Vulnerability Details
======================

The vulnerability occurs when a img element and a div element have same
id property, when remove them, img
element is freed from memory, but CCollectionCache keep a reference to
it, so it cause a use after free
vulnerability, which can cause Remote Code Execution.



3 Analysis
===========
asm in mshtml.dll

bp mshtml!CCollectionCache::GetAtomFromName
when break if ecx points to a CImgElement, remember ecx
Breakpoint 0 hit
eax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c
edi=016aa348
eip=3db74101 esp=016aa300 ebp=016aa350 iopl=0 nv up ei pl nz na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000202
mshtml!CCollectionCache::GetAtomFromName:
3db74101 8bff mov edi,edi
0:008> dds ecx l4
033413e0 3dabe880 mshtml!CImgElement::`vftable'
033413e4 00000001
033413e8 00000008
033413ec 001a7ad0

0:008> bd 0
0:008> g
(2178.2120): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0
edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
8bffff53 ?? ???
0:008> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53
016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350
mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af5ac 00000003 03341301
mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 033414a0 009af5ac 00000003
mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af5ac 016aa480
mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac
mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 0019adf0 009af5ac 10000003
mshtml!CElementCollectionBase::VersionedGetDispID+0x46
016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc
016aa440 3e374d99 009af5ac 016aa480 0019aeb0
jscript!IDispatchExGetDispID+0xb7

mshtml!CElement::Doc:
3db56ce0 8b01 mov eax,dword ptr [ecx]
3db56ce2 8b5070 mov edx,dword ptr [eax+70h]
3db56ce5 ffd2 call edx
3db56ce7 8b400c mov eax,dword ptr [eax+0Ch]


4 Exploitable?
============
if overwrite freed memory with controlled content, combined with heap
spray, can cause remote code execution.

and we noticed that the exploitation attack in the wild.


5 Crash info:
===============
(2430.2450): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8
edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
8bffff53 ?? ???
0:008> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53
016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350
mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af528 00000003 00245501
mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 00245678 009af528 00000003
mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af528 016aa480
mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 00245678 0000000d 009af528
mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 033329c0 009af528 10000003
mshtml!CElementCollectionBase::VersionedGetDispID+0x46



6 TIMELINE:
==========
2012/2/15 Dark son request code audit labs to analyze a POC example
2012/2/15 we begin analyze
2012/2/20 we comfirmed this is an exploitable 0day. report to Microsoft
2012/2/21 Microsoft reply got the report.
2012/2/25 Microsoft begin to investigate
2012/3/1 Microsoft comfirmed this issue.
2012/6/14 Microsoft public this bulletin.


7 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    3 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    9 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close