Microsoft Internet Explorer 8 / 9 Toolbar Code Execution

Posted Jun 14, 2012
Authored by Code Audit Labs | Site vulnhunt.com

Code Audit Labs has discovered that Microsoft Internet Explorer versions 8 and 9 suffer from a use-after-free vulnerability in the developer toolbar.

tags | advisory
advisories | CVE-2012-1874
MD5 | aecdddb2a5a1025b08e025ff7798ffaf

[CAL-2012-0023] Microsoft IE Developer Toolbar Remote Code Execution Vulnerability


CVE ID: CVE-2012-1874
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/


1 Affected Products
===================
Tested: Internet Explorer 9.0.8112.16421
Also affected: Internet Explorer 8


2 Vulnerability Details
=======================
Code Audit Labs (http://www.vulnhunt.com) has discovered a use-after-free
vulnerability in the IE Developer Toolbar.

The IE Developer Toolbar registers a global console object and adds its
built-in members as CFunctionPointer objects that hold a reference to the
console object, but it does not increment the console object's reference
count for that pointer. Accessing a property of the console object returns
a CFunctionPointer whose stored console pointer may already be freed, which
results in a use-after-free and can lead to remote code execution.



3 Analysis
==========
Disassembly from jsdbgui.dll. CConsole::AddAllBuiltinMembers creates the
CFunctionPointer for each built-in method (for example "log") and passes the
console (CParentExpando) pointer to CFunctionPointer::SetMethod, which stores
the pointer at [ecx+8] and the method id at [ecx+0Ch] without taking a
reference on the parent.

.text:1000B172 ; private: void __thiscall CConsole::AddAllBuiltinMembers(void)
.text:1000B172 ?AddAllBuiltinMembers@CConsole@@AAEXXZ proc near
.text:1000B172 ; CODE XREF: ATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> * *)+62p
.text:1000B172
.text:1000B172 var_10 = dword ptr -10h
.text:1000B172 var_4 = dword ptr -4
.text:1000B172
.text:1000B172 push 4
.text:1000B174 mov eax, offset loc_10039274
.text:1000B179 call __EH_prolog3
.text:1000B17E mov edi, ecx
.text:1000B180 push 4
.text:1000B182 pop esi
.text:1000B183 push esi ; dwBytes
.text:1000B184 call ??2@YAPAXI@Z ; operator new(uint)
.text:1000B189 pop ecx
.text:1000B18A mov [ebp+var_10], eax
.text:1000B18D and [ebp+var_4], 0
.text:1000B191 test eax, eax
.text:1000B193 jz short loc_1000B1A3
.text:1000B195 push offset aLog ; "log"
.text:1000B19A mov ecx, eax
.text:1000B19C call ??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QAE@PBG@Z ; ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>(ushort const *)
.text:1000B1A1 jmp short loc_1000B1A5
.text:1000B1A3 ; ---------------------------------------------------------------------------
.text:1000B1A3
.text:1000B1A3 loc_1000B1A3: ; CODE XREF: CConsole::AddAllBuiltinMembers(void)+21j
.text:1000B1A3 xor eax, eax
.text:1000B1A5
.text:1000B1A5 loc_1000B1A5: ; CODE XREF: CConsole::AddAllBuiltinMembers(void)+2Fj
.text:1000B1A5 push eax
.text:1000B1A6 or ebx, 0FFFFFFFFh
.text:1000B1A9 push 1
.text:1000B1AB mov ecx, edi
.text:1000B1AD mov [ebp+var_4], ebx
.text:1000B1B0 call ?AddBuiltinMethod@CParentExpando@@IAEXJPAV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@Z ; CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>> *)
.text:1000B1B5 push esi ; dwBytes

.text:10021E5B push [ebp+arg_0]
.text:10021E5E mov ecx, edi
.text:10021E60 push esi
.text:10021E61 call ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z ; CFunctionPointer::SetMethod(CParentExpando *,long)
.text:10021E66 push [ebp+var_10]
.text:10021E69 mov ecx, esi
.text:10021E6B push [ebp+arg_0]
.text:10021E6E call ?SetValue@CParentExpando@@IAEJJPAUIDispatch@@@Z ; CParentExpando::SetValue(long,IDispatch *)
.text:10021E73 mov eax, [ebp+var_10]

.text:1001B29B ; public: void __thiscall CFunctionPointer::SetMethod(class CParentExpando *, long)
.text:1001B29B ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z proc near
.text:1001B29B ; CODE XREF: CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>> *)+4Ap
.text:1001B29B
.text:1001B29B arg_0 = dword ptr 8
.text:1001B29B arg_4 = dword ptr 0Ch
.text:1001B29B
.text:1001B29B mov edi, edi
.text:1001B29D push ebp
.text:1001B29E mov ebp, esp
.text:1001B2A0 mov eax, [ebp+arg_0]
.text:1001B2A3 mov [ecx+8], eax
.text:1001B2A6 mov eax, [ebp+arg_4]
.text:1001B2A9 mov [ecx+0Ch], eax
.text:1001B2AC pop ebp
.text:1001B2AD retn 8
.text:1001B2AD ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z endp
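To make the reference-counting defect concrete, here is an added C++ model (not code from the advisory or from jsdbgui.dll): a CFunctionPointer analog that stores its parent pointer the way the SetMethod listing does, with no AddRef, beside the corrected version that takes a reference. Class names mirror the disassembly; the live-object registry is a constructed stand-in for a debugger heap check so the dangling pointer is detected without being dereferenced.

```cpp
#include <set>

// Constructed registry of live objects: lets us test whether a pointer is
// still valid without dereferencing it (a stand-in for a heap checker).
static std::set<const void*> g_live;

// Minimal COM-style refcounted object standing in for the console
// (CParentExpando in the listing). The creator holds the initial reference.
struct CParentExpando {
    long refs = 1;
    CParentExpando() { g_live.insert(this); }
    ~CParentExpando() { g_live.erase(this); }
    long AddRef() { return ++refs; }
    long Release() { long r = --refs; if (r == 0) delete this; return r; }
};

// Analog of CFunctionPointer: parent pointer and method id, the two fields
// SetMethod writes at [ecx+8] and [ecx+0Ch].
struct CFunctionPointer {
    CParentExpando* parent = nullptr;
    long methodId = 0;
    // Vulnerable pattern (what the listing shows): raw store, no AddRef.
    void SetMethodUnsafe(CParentExpando* p, long id) { parent = p; methodId = id; }
    // Corrected pattern: take a reference for as long as we hold the pointer.
    void SetMethodSafe(CParentExpando* p, long id) { p->AddRef(); parent = p; methodId = id; }
    void ReleaseParent() { if (parent) { parent->Release(); parent = nullptr; } }
};

// Builds a console and a function pointer to it, then has the owner drop
// its reference (as happens on page teardown). Returns whether the parent
// the CFunctionPointer still points at is alive afterwards.
bool ParentAliveAfterOwnerRelease(bool useAddRef) {
    CParentExpando* console = new CParentExpando();
    CFunctionPointer fp;
    if (useAddRef) fp.SetMethodSafe(console, 1);
    else           fp.SetMethodUnsafe(console, 1);
    console->Release();                            // owner's reference gone
    bool alive = g_live.count(fp.parent) != 0;     // pointer value only
    if (alive) fp.ReleaseParent();                 // clean up the safe case
    return alive;
}
```

With the unsafe store the function returns false: the console is destroyed while CFunctionPointer still carries its address, which is the state InvokeEx reaches in the crash below.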


4 Exploitable?
==============
If the freed memory is overwritten with controlled content, in combination
with a heap spray, this can lead to remote code execution.


5 Crash info:
=============
ModLoad: 00110000 001c8000 C:\Program Files (x86)\Internet Explorer\iexplore.exe
(1564.18e8): Access violation - code c0000005 (!!! second chance !!!)
eax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000 edi=0365cc48
eip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
088b0000 ?? ???
0:005> kb 3
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000
0365cbf0 5f69e657 0a1202d0 00000000 00000001 jsdbgui!CFunctionPointer::InvokeEx+0xbc
0365cc64 5f658fa8 0365cc90 0365cd48 00000008 jscript9!DispatchHelper::GetDispatchValue+0x9d


6 TIMELINE:
===========
2012/1/15 Code Audit Labs of vulnhunt.com discovered this issue.
2012/1/20 We began analysis.
2012/2/20 We confirmed this is an exploitable vulnerability and reported it to Microsoft.
2012/2/21 Microsoft replied that they had received the report.
2012/6/14 Microsoft published this bulletin.


7 About Code Audit Labs:
========================
Code Audit Labs secures your software, providing professional services
including source code audit and binary code audit.
Code Audit Labs: "You create value for customer, we protect your value"
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt
