[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution
Vulnerability



CVE ID: CVE-2012-1875
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/


1 Affected Products
=================
IE8
we tested£ºInternet Explorer 8.0.6001.18702


2 Vulnerability Details
======================

The vulnerability occurs when a img element and a div element have same
id property, when remove them, img
element is freed from memory, but CCollectionCache keep a reference to
it, so it cause a use after free
vulnerability, which can cause Remote Code Execution.



3 Analysis
===========
asm in mshtml.dll

bp mshtml!CCollectionCache::GetAtomFromName
when break if ecx points to a CImgElement, remember ecx
Breakpoint 0 hit
eax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c
edi=016aa348
eip=3db74101 esp=016aa300 ebp=016aa350 iopl=0         nv up ei pl nz na
po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00000202
mshtml!CCollectionCache::GetAtomFromName:
3db74101 8bff            mov     edi,edi
0:008> dds ecx l4
033413e0  3dabe880 mshtml!CImgElement::`vftable'
033413e4  00000001
033413e8  00000008
033413ec  001a7ad0

0:008> bd 0
0:008> g
(2178.2120): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0
edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0         nv up ei pl zr na
pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010246
8bffff53 ??              ???
0:008> kb
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53
016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350
mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af5ac 00000003 03341301
mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 033414a0 009af5ac 00000003
mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af5ac 016aa480
mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac
mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 0019adf0 009af5ac 10000003
mshtml!CElementCollectionBase::VersionedGetDispID+0x46
016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc
016aa440 3e374d99 009af5ac 016aa480 0019aeb0
jscript!IDispatchExGetDispID+0xb7

mshtml!CElement::Doc:
3db56ce0 8b01            mov     eax,dword ptr [ecx]
3db56ce2 8b5070          mov     edx,dword ptr [eax+70h]
3db56ce5 ffd2            call    edx
3db56ce7 8b400c          mov     eax,dword ptr [eax+0Ch]


4 Exploitable?
============
if overwrite freed memory with controlled content, combined with heap
spray, can cause remote code execution.

and we noticed that the exploitation attack in the wild.


5 Crash info:
===============
(2430.2450): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8
edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0         nv up ei pl zr na
pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010246
8bffff53 ??              ???
0:008> kb
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53
016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350
mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af528 00000003 00245501
mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 00245678 009af528 00000003
mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af528 016aa480
mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 00245678 0000000d 009af528
mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 033329c0 009af528 10000003
mshtml!CElementCollectionBase::VersionedGetDispID+0x46



6 TIMELINE:
==========
2012/2/15 Dark son request code audit labs to analyze a POC example
2012/2/15 we begin analyze
2012/2/20 we comfirmed this is an exploitable 0day. report to Microsoft
2012/2/21 Microsoft reply got the report.
2012/2/25 Microsoft begin to investigate
2012/3/1  Microsoft comfirmed this issue.
2012/6/14 Microsoft public this bulletin.


7 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt