I. Summary
All versions of GreenBrowser are prone to a vulnerability that leads to arbitrary code execution. A double free of an iframe object is triggered by the F6 shortcut key (used to search the content of the current page). A simple PoC HTML page that causes the corruption contains:

<iframe src="Any_File_Will_Do.swf"></iframe>

Other file extensions, such as .xml, may trigger this corruption as well. Open this page and press F6 (the shortcut key that opens the search bar), then press F5 to refresh the page; an error window reporting memory corruption will pop up. Closing the page, closing GreenBrowser entirely, or navigating to another page also triggers the problem, since the double free occurs when the iframe object is released.
A detailed analysis and a PoC for this vulnerability can be downloaded from: http://www.hhjack.com.cn/report/GreenBrowserDF.rar (18.5 MB). Both old and the latest versions of GreenBrowser have been tested under Windows 7 and Windows XP.
III. Impact Code execution
IV. Affected All versions of GreenBrowser up to and including the latest, 6.0.1002, on Windows XP and Windows 7. Other versions of Windows may also be affected.
V. Solution There is no known workaround at this time.
VI. Credit The penetration test team of NCNIPC (China) is credited with this vulnerability.