Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28156
HistoryJun 17, 2012 - 12:00 a.m.

[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution Vulnerability

2012-06-1700:00:00
vulners.com
30
JSON

[CAL-2012-0026] Microsfot IE Same ID Property Remote Code Execution
Vulnerability

CVE ID: CVE-2012-1875
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/

1 Affected Products

IE8
we tested:Internet Explorer 8.0.6001.18702

2 Vulnerability Details

The vulnerability occurs when a img element and a div element have same
id property, when remove them, img
element is freed from memory, but CCollectionCache keep a reference to
it, so it cause a use after free
vulnerability, which can cause Remote Code Execution.

3 Analysis

asm in mshtml.dll

bp mshtml!CCollectionCache::GetAtomFromName
when break if ecx points to a CImgElement, remember ecx
Breakpoint 0 hit
eax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c
edi=016aa348
eip=3db74101 esp=016aa300 ebp=016aa350 iopl=0 nv up ei pl nz na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000202
mshtml!CCollectionCache::GetAtomFromName:
3db74101 8bff mov edi,edi
0:008> dds ecx l4
033413e0 3dabe880 mshtml!CImgElement::`vftable'
033413e4 00000001
033413e8 00000008
033413ec 001a7ad0

0:008> bd 0
0:008> g
(2178.2120): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0
edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
8bffff53 ?? ???
0:008> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53
016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350
mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af5ac 00000003 03341301
mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 033414a0 009af5ac 00000003
mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af5ac 016aa480
mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac
mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 0019adf0 009af5ac 10000003
mshtml!CElementCollectionBase::VersionedGetDispID+0x46
016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc
016aa440 3e374d99 009af5ac 016aa480 0019aeb0
jscript!IDispatchExGetDispID+0xb7

mshtml!CElement::Doc:
3db56ce0 8b01 mov eax,dword ptr [ecx]
3db56ce2 8b5070 mov edx,dword ptr [eax+70h]
3db56ce5 ffd2 call edx
3db56ce7 8b400c mov eax,dword ptr [eax+0Ch]

4 Exploitable?

if overwrite freed memory with controlled content, combined with heap
spray, can cause remote code execution.

and we noticed that the exploitation attack in the wild.

5 Crash info:

(2430.2450): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8
edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
8bffff53 ?? ???
0:008> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53
016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350
mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af528 00000003 00245501
mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 00245678 009af528 00000003
mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af528 016aa480
mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 00245678 0000000d 009af528
mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 033329c0 009af528 10000003
mshtml!CElementCollectionBase::VersionedGetDispID+0x46

6 TIMELINE:

2012/2/15 Dark son request code audit labs to analyze a POC example
2012/2/15 we begin analyze
2012/2/20 we comfirmed this is an exploitable 0day. report to Microsoft
2012/2/21 Microsoft reply got the report.
2012/2/25 Microsoft begin to investigate
2012/3/1 Microsoft comfirmed this issue.
2012/6/14 Microsoft public this bulletin.

7 About Code Audit Labs:

Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt

Related

checkpoint_advisories 1
packetstorm 1
saint 4
prion 1
threatpost 6
securityvulns 2
attackerkb 1
metasploit 1
cve 1
symantec 1
thn 4
seebug 2
exploitdb 1
openvas 2
nessus 1
mskb 1
checkpoint_advisories
checkpoint_advisories
Internet Explorer Same ID Property Remote Code Execution (MS12-037; CVE-2012-1875)
2012-06-12 00:00:00
packetstorm
packetstorm
MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
2012-06-14 00:00:00
saint
saint
Internet Explorer Same ID Property vulnerability
2012-06-22 00:00:00
Internet Explorer Same ID Property vulnerability
2012-06-22 00:00:00
Internet Explorer Same ID Property vulnerability
2012-06-22 00:00:00
prion
prion
Remote code execution
2012-06-12 22:55:00
threatpost
threatpost
New Fake Android Security App is Zeus Malware
2012-06-18 15:28:08
What Have We Learned: Flame Malware
2012-06-15 19:46:56
Exploit Code Surfaces for CVE-2012-1875 Internet Explorer Bug
2012-06-18 13:43:09
securityvulns
securityvulns
VUPEN Security Research - Microsoft Internet Explorer "GetAtomTable" Remote Use-after-free (MS12-037 / CVE-2012-1875)
2012-06-25 00:00:00
Microsoft Internet Explorer multiple security vulnerabilities
2012-06-25 00:00:00
attackerkb
attackerkb
MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
2012-06-12 00:00:00
metasploit
metasploit
MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
2012-06-13 16:33:26
cve
cve
CVE-2012-1875
2012-06-12 22:55:00
symantec
symantec
Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability
2012-06-12 00:00:00
thn
thn
Hackers Exploit Unpatched Windows XML vulnerability
2012-06-22 21:14:00
Latest Internet Explorer zero-day linked to Elderwood Project
2013-01-06 15:49:00
Latest Internet Explorer zero-day linked to Elderwood Project
2013-01-06 04:49:00
seebug
seebug
MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
2014-07-01 00:00:00
Microsoft Internet Explorer 8 Code Execution(CVE-2012-1875)
2012-06-14 00:00:00
exploitdb
exploitdb
Microsoft Internet Explorer - Same ID Property Deleted Object Handling Memory Corruption (MS12-037) (Metasploit)
2012-06-14 00:00:00
openvas
openvas
Microsoft Internet Explorer Multiple Vulnerabilities (2699988)
2012-06-13 00:00:00
Microsoft Internet Explorer Multiple Vulnerabilities (2699988)
2012-06-13 00:00:00
nessus
nessus
MS12-037: Cumulative Security Update for Internet Explorer (2699988)
2012-06-13 00:00:00
mskb
mskb
MS12-037: Cumulative Security Update for Internet Explorer: June 12, 2012
2012-06-12 00:00:00
JSON
Related for SECURITYVULNS:DOC:28156
checkpoint_advisories1packetstorm1saint4prion1threatpost6securityvulns2attackerkb1metasploit1cve1symantec1thn4seebug2exploitdb1openvas2nessus1mskb1