Microsoft Internet Explorer 8 / 9 Toolbar Code Execution(CVE-2012-1874)

14 Jun 2012 00:00:00, reported by RootType (source: seebug, www.seebug.org)

Microsoft Internet Explorer 8/9 Toolbar Code Execution (CVE-2012-1874) vulnerability found. A use-after-free vulnerability in the IE developer toolbar allows remote code execution.


[CAL-2012-0023] Microsoft IE Developer Toolbar Remote Code Execution Vulnerability

CVE ID: CVE-2012-1874
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/


1 Affected Products
=================
Tested: Internet Explorer 9.0.8112.16421
IE8 is also affected.


2 Vulnerability Details
=====================
Code Audit Labs (http://www.vulnhunt.com) has discovered a use-after-free
vulnerability in the IE developer toolbar.

The IE developer toolbar registers a global console object and adds its
built-in members as CFunctionPointer objects that hold a reference to the
console object, but it does not increment the reference count correctly.
Accessing a property of the console object returns such a CFunctionPointer,
which can then be invoked after the console object has been freed; this
use-after-free can lead to remote code execution.



3 Analysis
=========
asm in jsdbgui.dll:

.text:1000B172 ; private: void __thiscall CConsole::AddAllBuiltinMembers(void)
.text:1000B172 ?AddAllBuiltinMembers@CConsole@@AAEXXZ proc near
.text:1000B172                                         ; CODE XREF: ATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> * *)+62 p
.text:1000B172
.text:1000B172 var_10          = dword ptr -10h
.text:1000B172 var_4           = dword ptr -4
.text:1000B172
.text:1000B172                 push    4
.text:1000B174                 mov     eax, offset loc_10039274
.text:1000B179                 call    __EH_prolog3
.text:1000B17E                 mov     edi, ecx
.text:1000B180                 push    4
.text:1000B182                 pop     esi
.text:1000B183                 push    esi             ; dwBytes
.text:1000B184                 call    ??2@YAPAXI@Z    ; operator new(uint)
.text:1000B189                 pop     ecx
.text:1000B18A                 mov     [ebp+var_10], eax
.text:1000B18D                 and     [ebp+var_4], 0
.text:1000B191                 test    eax, eax
.text:1000B193                 jz      short loc_1000B1A3
.text:1000B195                 push    offset aLog     ; "log"
.text:1000B19A                 mov     ecx, eax
.text:1000B19C                 call    ??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QAE@PBG@Z ; ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>(ushort const *)
.text:1000B1A1                 jmp     short loc_1000B1A5
.text:1000B1A3 ; ---------------------------------------------------------------------------
.text:1000B1A3
.text:1000B1A3 loc_1000B1A3:                           ; CODE XREF: CConsole::AddAllBuiltinMembers(void)+21 j
.text:1000B1A3                 xor     eax, eax
.text:1000B1A5
.text:1000B1A5 loc_1000B1A5:                           ; CODE XREF: CConsole::AddAllBuiltinMembers(void)+2F j
.text:1000B1A5                 push    eax
.text:1000B1A6                 or      ebx, 0FFFFFFFFh
.text:1000B1A9                 push    1
.text:1000B1AB                 mov     ecx, edi
.text:1000B1AD                 mov     [ebp+var_4], ebx
.text:1000B1B0                 call    ?AddBuiltinMethod@CParentExpando@@IAEXJPAV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@Z ; CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>> *)
.text:1000B1B5                 push    esi             ; dwBytes

.text:10021E5B                 push    [ebp+arg_0]
.text:10021E5E                 mov     ecx, edi
.text:10021E60                 push    esi
.text:10021E61                 call    ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z ; CFunctionPointer::SetMethod(CParentExpando *,long)
.text:10021E66                 push    [ebp+var_10]
.text:10021E69                 mov     ecx, esi
.text:10021E6B                 push    [ebp+arg_0]
.text:10021E6E                 call    ?SetValue@CParentExpando@@IAEJJPAUIDispatch@@@Z ; CParentExpando::SetValue(long,IDispatch *)
.text:10021E73                 mov     eax, [ebp+var_10]

.text:1001B29B ; public: void __thiscall CFunctionPointer::SetMethod(class CParentExpando *, long)
.text:1001B29B ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z proc near
.text:1001B29B                                         ; CODE XREF: CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>> *)+4A p
.text:1001B29B
.text:1001B29B arg_0           = dword ptr  8
.text:1001B29B arg_4           = dword ptr  0Ch
.text:1001B29B
.text:1001B29B                 mov     edi, edi
.text:1001B29D                 push    ebp
.text:1001B29E                 mov     ebp, esp
.text:1001B2A0                 mov     eax, [ebp+arg_0]
.text:1001B2A3                 mov     [ecx+8], eax
.text:1001B2A6                 mov     eax, [ebp+arg_4]
.text:1001B2A9                 mov     [ecx+0Ch], eax
.text:1001B2AC                 pop     ebp
.text:1001B2AD                 retn    8
.text:1001B2AD ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z endp
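To make the missing reference count concrete, the following is an added C++ model of the pattern, written for this page and not taken from jsdbgui.dll: the struct names, the liveness registry and the two scenario functions are assumptions standing in for CParentExpando, CFunctionPointer and the script engine's own reference. The vulnerable SetMethod stores the pointer and method id exactly as the disassembly shows; the corrected form takes its own reference.

```cpp
#include <cstdint>
#include <set>

// Hypothetical liveness registry: the example detects a dangling pointer by
// comparing addresses only, never by dereferencing freed memory.
static std::set<std::uintptr_t> g_live;
static std::uintptr_t Key(const void* p) { return reinterpret_cast<std::uintptr_t>(p); }

// Stand-in for the COM-style CParentExpando that backs the console object.
struct ParentExpando {
    long refs = 1;                                            // creator holds one reference
    ParentExpando()  { g_live.insert(Key(this)); }
    ~ParentExpando() { g_live.erase(Key(this)); }
    void AddRef()  { ++refs; }
    void Release() { if (--refs == 0) delete this; }
};
// Models CFunctionPointer::SetMethod as disassembled: the parent pointer and the
// method id are stored ([ecx+8], [ecx+0Ch]) and nothing else, so no AddRef.
struct FunctionPointerVuln {
    std::uintptr_t parent = 0; long id = 0;
    void SetMethod(ParentExpando* p, long i) { parent = Key(p); id = i; }
    bool InvokeEx() const { return g_live.count(parent) != 0; }  // false once p is freed
};
// Corrected form: SetMethod takes its own reference and the destructor drops it
// (a back-reference into its owner, so the owner must still clear members on teardown).
struct FunctionPointerFixed {
    ParentExpando* parent = nullptr; long id = 0;
    ~FunctionPointerFixed() { if (parent) parent->Release(); }
    void SetMethod(ParentExpando* p, long i) {
        if (p) p->AddRef();                                   // take our own reference first
        if (parent) parent->Release();
        parent = p; id = i;
    }
    bool InvokeEx() const { return parent && g_live.count(Key(parent)) != 0; }
};
// Advisory scenario: console created (refcount 1), "log" registered as a function
// pointer to it, the script engine drops its only reference, then "log" is invoked.
bool VulnerableScenario() {
    ParentExpando* console = new ParentExpando();
    FunctionPointerVuln log; log.SetMethod(console, 1);
    console->Release();     // refcount 0: console freed while log still points at it
    return log.InvokeEx();  // false: this is where the use-after-free happens
}
bool FixedScenario() {
    ParentExpando* console = new ParentExpando();
    FunctionPointerFixed log; log.SetMethod(console, 1);
    console->Release();     // log still holds a reference, so console survives
    return log.InvokeEx();  // true; log's destructor releases the last reference
}
```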


4 Exploitable?
============
If the freed memory is overwritten with attacker-controlled content, combined
with a heap spray, this can lead to remote code execution.


5 Crash info:
===============
ModLoad: 00110000 001c8000   C:\Program Files (x86)\Internet Explorer\iexplore.exe
(1564.18e8): Access violation - code c0000005 (!!! second chance !!!)
eax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000 edi=0365cc48
eip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
088b0000 ??              ???
0:005> kb 3
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000
0365cbf0 5f69e657 0a1202d0 00000000 00000001 jsdbgui!CFunctionPointer::InvokeEx+0xbc
0365cc64 5f658fa8 0365cc90 0365cd48 00000008 jscript9!DispatchHelper::GetDispatchValue+0x9d


6 TIMELINE:
==========
2012/1/15 Code Audit Labs of vulnhunt.com discovered this issue
2012/1/20 we began analysis
2012/2/20 we confirmed this is an exploitable vulnerability and reported it to Microsoft
2012/2/21 Microsoft replied that it had received the report
2012/6/14 Microsoft published this bulletin


7 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional services
including source code audit and binary code audit.
Code Audit Labs: "You create value for customer, we protect your value"
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt
Vulners AI Score: 6.5 (Medium risk); EPSS: 0.24103