Lucene search

HistoryJun 17, 2012 - 12:00 a.m.

[CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution Vulnerability


[CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution

CVE ID: CVE-2012-1874

1 Affected Products

tested :Internet Explorer 9.0.8112.16421
also affected IE8

2 Vulnerability Details

Code Audit Labs has discovered a use after free
vulnerability in IE developer toolbar.

IE developer toolbar register a global console object, and add bulitin
members as
CFunctionPointer with reference to console object, but not add reference
count correctly.
if access console object's property, it return a CFunctionPointer, so it
cause a use after
free vulnerability, which can cause Remote Code Execution.

3 Analysis

asm in jsdbgui.dll

.text:1000B172 ; private: void __thiscall
.text:1000B172 ?AddAllBuiltinMembers@CConsole@@AAEXXZ proc near
.text:1000B172 ; CODE XREF:
ATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> *
.text:1000B172 var_10 = dword ptr -10h
.text:1000B172 var_4 = dword ptr -4
.text:1000B172 push 4
.text:1000B174 mov eax, offset loc_10039274
.text:1000B179 call __EH_prolog3
.text:1000B17E mov edi, ecx
.text:1000B180 push 4
.text:1000B182 pop esi
.text:1000B183 push esi ; dwBytes
.text:1000B184 call ??2@YAPAXI@Z ; operator new(uint)
.text:1000B189 pop ecx
.text:1000B18A mov [ebp+var_10], eax
.text:1000B18D and [ebp+var_4], 0
.text:1000B191 test eax, eax
.text:1000B193 jz short loc_1000B1A3
.text:1000B195 push offset aLog ; "log"
.text:1000B19A mov ecx, eax
.text:1000B19C call
const *)
.text:1000B1A1 jmp short loc_1000B1A5
.text:1000B1A3 ;

.text:1000B1A3 loc_1000B1A3: ; CODE XREF:
.text:1000B1A3 xor eax, eax
.text:1000B1A5 loc_1000B1A5: ; CODE XREF:
.text:1000B1A5 push eax
.text:1000B1A6 or ebx, 0FFFFFFFFh
.text:1000B1A9 push 1
.text:1000B1AB mov ecx, edi
.text:1000B1AD mov [ebp+var_4], ebx
.text:1000B1B0 call
.text:1000B1B5 push esi ; dwBytes

.text:10021E5B push [ebp+arg_0]
.text:10021E5E mov ecx, edi
.text:10021E60 push esi
.text:10021E61 call
?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z ;
CFunctionPointer::SetMethod(CParentExpando *,long)
.text:10021E66 push [ebp+var_10]
.text:10021E69 mov ecx, esi
.text:10021E6B push [ebp+arg_0]
.text:10021E6E call
?SetValue@CParentExpando@@IAEJJPAUIDispatch@@@Z ;
CParentExpando::SetValue(long,IDispatch *)
.text:10021E73 mov eax, [ebp+var_10]

.text:1001B29B ; public: void __thiscall
CFunctionPointer::SetMethod(class CParentExpando *, long)
.text:1001B29B ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z
proc near
.text:1001B29B ; CODE XREF:
.text:1001B29B arg_0 = dword ptr 8
.text:1001B29B arg_4 = dword ptr 0Ch
.text:1001B29B mov edi, edi
.text:1001B29D push ebp
.text:1001B29E mov ebp, esp
.text:1001B2A0 mov eax, [ebp+arg_0]
.text:1001B2A3 mov [ecx+8], eax
.text:1001B2A6 mov eax, [ebp+arg_4]
.text:1001B2A9 mov [ecx+0Ch], eax
.text:1001B2AC pop ebp
.text:1001B2AD retn 8
.text:1001B2AD ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z endp

4 Exploitable?

if overwrite freed memory with controlled content, combined with heap
spray, can cause remote code execution.

5 Crash info:

ModLoad: 00110000 001c8000 C:\Program Files (x86)\Internet
(1564.18e8): Access violation - code c0000005 (!!! second chance !!!)
eax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000
eip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0 nv up ei pl zr na
pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
088b0000 ?? ???
0:005> kb 3
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000
0365cbf0 5f69e657 0a1202d0 00000000 00000001
0365cc64 5f658fa8 0365cc90 0365cd48 00000008


2012/1/15 code audit labs of discover this issue
2012/1/20 we begin analyze
2012/2/20 we comfirmed this is an exploitable vulnerability. report to
2012/2/21 Microsoft reply got the report.
2012/6/14 Microsoft public this bulletin.

7 About Code Audit Labs:

Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"