Microsoft Internet Explorer 8 / 9 Toolbar Code Execution(CVE-2012-1874)

2012-06-1400:00:00
Root
www.seebug.org
0.916 High
EPSS
Percentile
98.6%
JSON
No description provided by source.

                                                [CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution Vulnerability

CVE ID: CVE-2012-1874
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/


1 Affected Products
=================
tested :Internet Explorer 9.0.8112.16421
also affected IE8


2 Vulnerability Details
=====================
Code Audit Labs http://www.vulnhunt.com has discovered a use after free
vulnerability in IE developer toolbar.

IE developer toolbar register a global console object, and add bulitin
members as
CFunctionPointer with reference to console object, but not add reference
count correctly.
if access console object's property, it return a CFunctionPointer, so it
cause a use after
free vulnerability, which can cause Remote Code Execution.



3 Analysis
=========
asm in jsdbgui.dll

.text:1000B172 ; private: void __thiscall
CConsole::AddAllBuiltinMembers(void)
.text:1000B172 ?AddAllBuiltinMembers@CConsole@@AAEXXZ proc near
.text:1000B172                                         ; CODE XREF:
ATL::CComObject&lt;CConsole&gt;::CreateInstance(ATL::CComObject&lt;CConsole&gt; *
*)+62 p
.text:1000B172
.text:1000B172 var_10          = dword ptr -10h
.text:1000B172 var_4           = dword ptr -4
.text:1000B172
.text:1000B172                 push    4
.text:1000B174                 mov     eax, offset loc_10039274
.text:1000B179                 call    __EH_prolog3
.text:1000B17E                 mov     edi, ecx
.text:1000B180                 push    4
.text:1000B182                 pop     esi
.text:1000B183                 push    esi             ; dwBytes
.text:1000B184                 call    ??2@YAPAXI@Z    ; operator new(uint)
.text:1000B189                 pop     ecx
.text:1000B18A                 mov     [ebp+var_10], eax
.text:1000B18D                 and     [ebp+var_4], 0
.text:1000B191                 test    eax, eax
.text:1000B193                 jz      short loc_1000B1A3
.text:1000B195                 push    offset aLog     ; &quot;log&quot;
.text:1000B19A                 mov     ecx, eax
.text:1000B19C                 call
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QAE@PBG@Z
;
ATL::CStringT&lt;ushort,ATL::StrTraitATL&lt;ushort,ATL::ChTraitsCRT&lt;ushort&gt;&gt;&gt;::CStringT&lt;ushort,ATL::StrTraitATL&lt;ushort,ATL::ChTraitsCRT&lt;ushort&gt;&gt;&gt;(ushort
const *)
.text:1000B1A1                 jmp     short loc_1000B1A5
.text:1000B1A3 ;
---------------------------------------------------------------------------
.text:1000B1A3
.text:1000B1A3 loc_1000B1A3:                           ; CODE XREF:
CConsole::AddAllBuiltinMembers(void)+21 j
.text:1000B1A3                 xor     eax, eax
.text:1000B1A5
.text:1000B1A5 loc_1000B1A5:                           ; CODE XREF:
CConsole::AddAllBuiltinMembers(void)+2F j
.text:1000B1A5                 push    eax
.text:1000B1A6                 or      ebx, 0FFFFFFFFh
.text:1000B1A9                 push    1
.text:1000B1AB                 mov     ecx, edi
.text:1000B1AD                 mov     [ebp+var_4], ebx
.text:1000B1B0                 call
?AddBuiltinMethod@CParentExpando@@IAEXJPAV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@Z
;
CParentExpando::AddBuiltinMethod(long,ATL::CStringT&lt;ushort,ATL::StrTraitATL&lt;ushort,ATL::ChTraitsCRT&lt;ushort&gt;&gt;&gt;
*)
.text:1000B1B5                 push    esi             ; dwBytes

.text:10021E5B                 push    [ebp+arg_0]
.text:10021E5E                 mov     ecx, edi
.text:10021E60                 push    esi
.text:10021E61                 call
?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z ;
CFunctionPointer::SetMethod(CParentExpando *,long)
.text:10021E66                 push    [ebp+var_10]
.text:10021E69                 mov     ecx, esi
.text:10021E6B                 push    [ebp+arg_0]
.text:10021E6E                 call
?SetValue@CParentExpando@@IAEJJPAUIDispatch@@@Z ;
CParentExpando::SetValue(long,IDispatch *)
.text:10021E73                 mov     eax, [ebp+var_10]

.text:1001B29B ; public: void __thiscall
CFunctionPointer::SetMethod(class CParentExpando *, long)
.text:1001B29B ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z
proc near
.text:1001B29B                                         ; CODE XREF:
CParentExpando::AddBuiltinMethod(long,ATL::CStringT&lt;ushort,ATL::StrTraitATL&lt;ushort,ATL::ChTraitsCRT&lt;ushort&gt;&gt;&gt;
*)+4A p
.text:1001B29B
.text:1001B29B arg_0           = dword ptr  8
.text:1001B29B arg_4           = dword ptr  0Ch
.text:1001B29B
.text:1001B29B                 mov     edi, edi
.text:1001B29D                 push    ebp
.text:1001B29E                 mov     ebp, esp
.text:1001B2A0                 mov     eax, [ebp+arg_0]
.text:1001B2A3                 mov     [ecx+8], eax
.text:1001B2A6                 mov     eax, [ebp+arg_4]
.text:1001B2A9                 mov     [ecx+0Ch], eax
.text:1001B2AC                 pop     ebp
.text:1001B2AD                 retn    8
.text:1001B2AD ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z endp


4 Exploitable?
============
if overwrite freed memory with controlled content, combined with heap
spray, can cause remote code execution.


5 Crash info:
===============
ModLoad: 00110000 001c8000   C:\Program Files (x86)\Internet
Explorer\iexplore.exe
(1564.18e8): Access violation - code c0000005 (!!! second chance !!!)
eax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000
edi=0365cc48
eip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0         nv up ei pl zr na
pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010246
088b0000 ??              ???
0:005&gt; kb 3
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000
0365cbf0 5f69e657 0a1202d0 00000000 00000001
jsdbgui!CFunctionPointer::InvokeEx+0xbc
0365cc64 5f658fa8 0365cc90 0365cd48 00000008
jscript9!DispatchHelper::GetDispatchValue+0x9d


6 TIMELINE:
==========
2012/1/15 code audit labs of vulnhunt.com discover this issue
2012/1/20 we begin analyze
2012/2/20 we comfirmed this is an exploitable vulnerability. report to
Microsoft
2012/2/21 Microsoft reply got the report.
2012/6/14 Microsoft public this bulletin.


7 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:&quot; You create value for customer,We protect your value&quot;
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt
0.916 High
EPSS
Percentile
98.6%
JSON
Related for SSV:60215