Exploit the possiblities

Microsoft Internet Explorer 10-9 Object Confusion Sandbox Bypass

Microsoft Internet Explorer 10-9 Object Confusion Sandbox Bypass
Posted May 23, 2013
Authored by Nicolas Joly, VUPEN | Site vupen.com

VUPEN Vulnerability Research Team discovered a critical vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an object confusion error in the IE broker process when processing unexpected variant objects, which could allow an attacker to execute arbitrary code within the context of the broker process to bypass Internet Explorer Protected Mode sandbox.

tags | advisory, arbitrary, code execution
systems | windows
MD5 | e2932b7fcafb7bc1a83b847ee7f48ff5

Microsoft Internet Explorer 10-9 Object Confusion Sandbox Bypass

Change Mirror Download
VUPEN Security Research - Microsoft Internet Explorer 10-9 Object
Confusion Sandbox Bypass (MS13-037 / Pwn2Own)

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen


I. BACKGROUND
---------------------

"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)


II. DESCRIPTION
---------------------

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Microsoft Internet Explorer.

The vulnerability is caused by an object confusion error in the IE broker
process when processing unexpected variant objects, which could allow an
attacker to execute arbitrary code within the context of the broker process
to bypass Internet Explorer Protected Mode sandbox.


III. AFFECTED PRODUCTS
---------------------------

Microsoft Internet Explorer 10
Microsoft Internet Explorer 9

Microsoft Windows RT
Microsoft Windows 8 for 32-bit Systems
Microsoft Windows 8 for x64-based Systems
Microsoft Windows Server 2012
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems Service Pack 1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft Windows Server 2008 R2 for x64-based Systems
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for Itanium-based Systems
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2


IV. Binary Analysis & Exploits/PoCs
---------------------------------------

In-depth technical analysis of the vulnerability and a fully functional
remote code execution exploit will be available through the VUPEN BAE
(Binary Analysis & Exploits) portal:

http://www.vupen.com/english/services/ba-index.php

VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.

The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.


V. VUPEN Threat Protection Program
-----------------------------------

Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the
vulnerability
when it was discovered by VUPEN in advance of its public disclosure, and
have received a detailed attack detection guidance to protect national and
critical infrastructures against potential 0-day attacks exploiting this
vulnerability:

http://www.vupen.com/english/services/tpp-index.php


VI. SOLUTION
----------------

Apply MS13-037 security updates.


VII. CREDIT
--------------

This vulnerability was discovered by Nicolas Joly of VUPEN Security


VIII. ABOUT VUPEN Security
---------------------------

VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical networks
and infrastructures against known and unknown vulnerabilities.

VUPEN solutions include:

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php


IX. REFERENCES
----------------------

http://technet.microsoft.com/en-us/security/bulletin/ms13-037
http://www.vupen.com/english/research.php


X. DISCLOSURE TIMELINE
-----------------------------

2011-11-23 - Vulnerability Discovered by VUPEN
2013-03-06 - Vulnerability Reported to Microsoft During Pwn2Own 2013
2013-05-20 - Public disclosure

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close