[CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution Vulnerability CVE ID: CVE-2012-1874 http://technet.microsoft.com/en-us/security/bulletin/ms12-037 http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/ 1 Affected Products ================= tested :Internet Explorer 9.0.8112.16421 also affected IE8 2 Vulnerability Details ===================== Code Audit Labs http://www.vulnhunt.com has discovered a use after free vulnerability in IE developer toolbar. IE developer toolbar register a global console object, and add bulitin members as CFunctionPointer with reference to console object, but not add reference count correctly. if access console object's property, it return a CFunctionPointer, so it cause a use after free vulnerability, which can cause Remote Code Execution. 3 Analysis ========= asm in jsdbgui.dll .text:1000B172 ; private: void __thiscall CConsole::AddAllBuiltinMembers(void) .text:1000B172 ?AddAllBuiltinMembers@CConsole@@AAEXXZ proc near .text:1000B172 ; CODE XREF: ATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> * *)+62p .text:1000B172 .text:1000B172 var_10 = dword ptr -10h .text:1000B172 var_4 = dword ptr -4 .text:1000B172 .text:1000B172 push 4 .text:1000B174 mov eax, offset loc_10039274 .text:1000B179 call __EH_prolog3 .text:1000B17E mov edi, ecx .text:1000B180 push 4 .text:1000B182 pop esi .text:1000B183 push esi ; dwBytes .text:1000B184 call ??2@YAPAXI@Z ; operator new(uint) .text:1000B189 pop ecx .text:1000B18A mov [ebp+var_10], eax .text:1000B18D and [ebp+var_4], 0 .text:1000B191 test eax, eax .text:1000B193 jz short loc_1000B1A3 .text:1000B195 push offset aLog ; "log" .text:1000B19A mov ecx, eax .text:1000B19C call ??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QAE@PBG@Z ; ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>(ushort const *) .text:1000B1A1 jmp short loc_1000B1A5 .text:1000B1A3 ; --------------------------------------------------------------------------- .text:1000B1A3 .text:1000B1A3 loc_1000B1A3: ; CODE XREF: CConsole::AddAllBuiltinMembers(void)+21j .text:1000B1A3 xor eax, eax .text:1000B1A5 .text:1000B1A5 loc_1000B1A5: ; CODE XREF: CConsole::AddAllBuiltinMembers(void)+2Fj .text:1000B1A5 push eax .text:1000B1A6 or ebx, 0FFFFFFFFh .text:1000B1A9 push 1 .text:1000B1AB mov ecx, edi .text:1000B1AD mov [ebp+var_4], ebx .text:1000B1B0 call ?AddBuiltinMethod@CParentExpando@@IAEXJPAV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@Z ; CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>> *) .text:1000B1B5 push esi ; dwBytes .text:10021E5B push [ebp+arg_0] .text:10021E5E mov ecx, edi .text:10021E60 push esi .text:10021E61 call ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z ; CFunctionPointer::SetMethod(CParentExpando *,long) .text:10021E66 push [ebp+var_10] .text:10021E69 mov ecx, esi .text:10021E6B push [ebp+arg_0] .text:10021E6E call ?SetValue@CParentExpando@@IAEJJPAUIDispatch@@@Z ; CParentExpando::SetValue(long,IDispatch *) .text:10021E73 mov eax, [ebp+var_10] .text:1001B29B ; public: void __thiscall CFunctionPointer::SetMethod(class CParentExpando *, long) .text:1001B29B ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z proc near .text:1001B29B ; CODE XREF: CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>> *)+4Ap .text:1001B29B .text:1001B29B arg_0 = dword ptr 8 .text:1001B29B arg_4 = dword ptr 0Ch .text:1001B29B .text:1001B29B mov edi, edi .text:1001B29D push ebp .text:1001B29E mov ebp, esp .text:1001B2A0 mov eax, [ebp+arg_0] .text:1001B2A3 mov [ecx+8], eax .text:1001B2A6 mov eax, [ebp+arg_4] .text:1001B2A9 mov [ecx+0Ch], eax .text:1001B2AC pop ebp .text:1001B2AD retn 8 .text:1001B2AD ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z endp 4 Exploitable? ============ if overwrite freed memory with controlled content, combined with heap spray, can cause remote code execution. 5 Crash info: =============== ModLoad: 00110000 001c8000 C:\Program Files (x86)\Internet Explorer\iexplore.exe (1564.18e8): Access violation - code c0000005 (!!! second chance !!!) eax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000 edi=0365cc48 eip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 088b0000 ?? ??? 0:005> kb 3 ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. 0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000 0365cbf0 5f69e657 0a1202d0 00000000 00000001 jsdbgui!CFunctionPointer::InvokeEx+0xbc 0365cc64 5f658fa8 0365cc90 0365cd48 00000008 jscript9!DispatchHelper::GetDispatchValue+0x9d 6 TIMELINE: ========== 2012/1/15 code audit labs of vulnhunt.com discover this issue 2012/1/20 we begin analyze 2012/2/20 we comfirmed this is an exploitable vulnerability. report to Microsoft 2012/2/21 Microsoft reply got the report. 2012/6/14 Microsoft public this bulletin. 7 About Code Audit Labs: ===================== Code Audit Labs secure your software,provide Professional include source code audit and binary code audit service. Code Audit Labs:" You create value for customer,We protect your value" http://www.VulnHunt.com http://blog.Vulnhunt.com http://t.qq.com/vulnhunt http://weibo.com/vulnhunt https://twitter.com/vulnhunt