[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution Vulnerability

2012-06-17T00:00:00
ID SECURITYVULNS:DOC:28156
Type securityvulns
Reporter Securityvulns
Modified 2012-06-17T00:00:00

Description

[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution Vulnerability

CVE ID: CVE-2012-1875 http://technet.microsoft.com/en-us/security/bulletin/ms12-037 http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/

1 Affected Products

IE8 we tested:Internet Explorer 8.0.6001.18702

2 Vulnerability Details

The vulnerability occurs when a img element and a div element have same id property, when remove them, img element is freed from memory, but CCollectionCache keep a reference to it, so it cause a use after free vulnerability, which can cause Remote Code Execution.

3 Analysis

asm in mshtml.dll

bp mshtml!CCollectionCache::GetAtomFromName when break if ecx points to a CImgElement, remember ecx Breakpoint 0 hit eax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c edi=016aa348 eip=3db74101 esp=016aa300 ebp=016aa350 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 mshtml!CCollectionCache::GetAtomFromName: 3db74101 8bff mov edi,edi 0:008> dds ecx l4 033413e0 3dabe880 mshtml!CImgElement::`vftable' 033413e4 00000001 033413e8 00000008 033413ec 001a7ad0

0:008> bd 0 0:008> g (2178.2120): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0 edi=016aa348 eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 8bffff53 ?? ??? 0:008> kb ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. 016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53 016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7 016aa2ec 3db74116 00000000 0000030c 016aa350 mshtml!CElement::GetAtomTable+0x10 016aa2fc 3dac2bc9 009af5ac 00000003 03341301 mshtml!CCollectionCache::GetAtomFromName+0x15 016aa350 3dae11bd 033414a0 009af5ac 00000003 mshtml!CCollectionCache::GetIntoAry+0x74 016aa394 3dae1cb5 0000000d 009af5ac 016aa480 mshtml!CCollectionCache::GetDispID+0x13e 016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac mshtml!DispatchGetDispIDCollection+0x3f 016aa3d0 3db61de3 0019adf0 009af5ac 10000003 mshtml!CElementCollectionBase::VersionedGetDispID+0x46 016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc 016aa440 3e374d99 009af5ac 016aa480 0019aeb0 jscript!IDispatchExGetDispID+0xb7

mshtml!CElement::Doc: 3db56ce0 8b01 mov eax,dword ptr [ecx] 3db56ce2 8b5070 mov edx,dword ptr [eax+70h] 3db56ce5 ffd2 call edx 3db56ce7 8b400c mov eax,dword ptr [eax+0Ch]

4 Exploitable?

if overwrite freed memory with controlled content, combined with heap spray, can cause remote code execution.

and we noticed that the exploitation attack in the wild.

5 Crash info:

(2430.2450): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8 edi=016aa348 eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 8bffff53 ?? ??? 0:008> kb ChildEBP RetAddr Args to Child WARNING: Frame IP not in any known module. Following frames may be wrong. 016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53 016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7 016aa2ec 3db74116 00000000 0000030c 016aa350 mshtml!CElement::GetAtomTable+0x10 016aa2fc 3dac2bc9 009af528 00000003 00245501 mshtml!CCollectionCache::GetAtomFromName+0x15 016aa350 3dae11bd 00245678 009af528 00000003 mshtml!CCollectionCache::GetIntoAry+0x74 016aa394 3dae1cb5 0000000d 009af528 016aa480 mshtml!CCollectionCache::GetDispID+0x13e 016aa3a8 3dacfa5c 00245678 0000000d 009af528 mshtml!DispatchGetDispIDCollection+0x3f 016aa3d0 3db61de3 033329c0 009af528 10000003 mshtml!CElementCollectionBase::VersionedGetDispID+0x46

6 TIMELINE:

2012/2/15 Dark son request code audit labs to analyze a POC example 2012/2/15 we begin analyze 2012/2/20 we comfirmed this is an exploitable 0day. report to Microsoft 2012/2/21 Microsoft reply got the report. 2012/2/25 Microsoft begin to investigate 2012/3/1 Microsoft comfirmed this issue. 2012/6/14 Microsoft public this bulletin.

7 About Code Audit Labs:

Code Audit Labs secure your software,provide Professional include source code audit and binary code audit service. Code Audit Labs:" You create value for customer,We protect your value" http://www.VulnHunt.com http://blog.Vulnhunt.com http://t.qq.com/vulnhunt http://weibo.com/vulnhunt https://twitter.com/vulnhunt