Microsoft Internet Explorer 8 Code Execution

2012.06.14
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution Vulnerability CVE ID: CVE-2012-1875 http://technet.microsoft.com/en-us/security/bulletin/ms12-037 http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/ 1 Affected Products ================= IE8 we tested£ºInternet Explorer 8.0.6001.18702 2 Vulnerability Details ====================== The vulnerability occurs when a img element and a div element have same id property, when remove them, img element is freed from memory, but CCollectionCache keep a reference to it, so it cause a use after free vulnerability, which can cause Remote Code Execution. 3 Analysis =========== asm in mshtml.dll bp mshtml!CCollectionCache::GetAtomFromName when break if ecx points to a CImgElement, remember ecx Breakpoint 0 hit eax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c edi=016aa348 eip=3db74101 esp=016aa300 ebp=016aa350 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 mshtml!CCollectionCache::GetAtomFromName: 3db74101 8bff mov edi,edi 0:008> dds ecx l4 033413e0 3dabe880 mshtml!CImgElement::`vftable' 033413e4 00000001 033413e8 00000008 033413ec 001a7ad0 0:008> bd 0 0:008> g (2178.2120): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0 edi=016aa348 eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 8bffff53 ?? ??? 0:008> kb ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. 016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53 016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7 016aa2ec 3db74116 00000000 0000030c 016aa350 mshtml!CElement::GetAtomTable+0x10 016aa2fc 3dac2bc9 009af5ac 00000003 03341301 mshtml!CCollectionCache::GetAtomFromName+0x15 016aa350 3dae11bd 033414a0 009af5ac 00000003 mshtml!CCollectionCache::GetIntoAry+0x74 016aa394 3dae1cb5 0000000d 009af5ac 016aa480 mshtml!CCollectionCache::GetDispID+0x13e 016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac mshtml!DispatchGetDispIDCollection+0x3f 016aa3d0 3db61de3 0019adf0 009af5ac 10000003 mshtml!CElementCollectionBase::VersionedGetDispID+0x46 016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc 016aa440 3e374d99 009af5ac 016aa480 0019aeb0 jscript!IDispatchExGetDispID+0xb7 mshtml!CElement::Doc: 3db56ce0 8b01 mov eax,dword ptr [ecx] 3db56ce2 8b5070 mov edx,dword ptr [eax+70h] 3db56ce5 ffd2 call edx 3db56ce7 8b400c mov eax,dword ptr [eax+0Ch] 4 Exploitable? ============ if overwrite freed memory with controlled content, combined with heap spray, can cause remote code execution. and we noticed that the exploitation attack in the wild. 5 Crash info: =============== (2430.2450): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8 edi=016aa348 eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 8bffff53 ?? ??? 0:008> kb ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. 016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53 016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7 016aa2ec 3db74116 00000000 0000030c 016aa350 mshtml!CElement::GetAtomTable+0x10 016aa2fc 3dac2bc9 009af528 00000003 00245501 mshtml!CCollectionCache::GetAtomFromName+0x15 016aa350 3dae11bd 00245678 009af528 00000003 mshtml!CCollectionCache::GetIntoAry+0x74 016aa394 3dae1cb5 0000000d 009af528 016aa480 mshtml!CCollectionCache::GetDispID+0x13e 016aa3a8 3dacfa5c 00245678 0000000d 009af528 mshtml!DispatchGetDispIDCollection+0x3f 016aa3d0 3db61de3 033329c0 009af528 10000003 mshtml!CElementCollectionBase::VersionedGetDispID+0x46 6 TIMELINE: ========== 2012/2/15 Dark son request code audit labs to analyze a POC example 2012/2/15 we begin analyze 2012/2/20 we comfirmed this is an exploitable 0day. report to Microsoft 2012/2/21 Microsoft reply got the report. 2012/2/25 Microsoft begin to investigate 2012/3/1 Microsoft comfirmed this issue. 2012/6/14 Microsoft public this bulletin. 7 About Code Audit Labs: ===================== Code Audit Labs secure your software,provide Professional include source code audit and binary code audit service. Code Audit Labs:" You create value for customer,We protect your value" http://www.VulnHunt.com http://blog.Vulnhunt.com http://t.qq.com/vulnhunt http://weibo.com/vulnhunt https://twitter.com/vulnhunt

References:

http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top