[CAL-2012-0026] Microsoft IE Same ID Property Remote Code Execution Vulnerability
CVE ID: CVE-2012-1875
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/
1 Affected Products
=================
IE8
We tested: Internet Explorer 8.0.6001.18702
2 Vulnerability Details
======================
The vulnerability occurs when an img element and a div element share the same
id property. When both are removed, the img element is freed from memory, but
CCollectionCache still holds a reference to it. A later name lookup through the
collection dereferences the freed object, a use-after-free that can lead to
Remote Code Execution.
3 Analysis
===========
Debugging in mshtml.dll (WinDbg). Set a breakpoint on
mshtml!CCollectionCache::GetAtomFromName; when it hits with ecx pointing to a
CImgElement, note the value of ecx:
Breakpoint 0 hit
eax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c edi=016aa348
eip=3db74101 esp=016aa300 ebp=016aa350 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CCollectionCache::GetAtomFromName:
3db74101 8bff            mov     edi,edi
0:008> dds ecx l4
033413e0  3dabe880 mshtml!CImgElement::`vftable'
033413e4  00000001
033413e8  00000008
033413ec  001a7ad0
0:008> bd 0
0:008> g
(2178.2120): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0 edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
8bffff53 ??              ???
0:008> kb
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53
016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350 mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af5ac 00000003 03341301 mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 033414a0 009af5ac 00000003 mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af5ac 016aa480 mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 0019adf0 009af5ac 10000003 mshtml!CElementCollectionBase::VersionedGetDispID+0x46
016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc
016aa440 3e374d99 009af5ac 016aa480 0019aeb0 jscript!IDispatchExGetDispID+0xb7
The crash is in CElement::Doc, reached from a script property lookup on an
element collection (jscript!IDispatchExGetDispID down to
CCollectionCache::GetAtomFromName). ecx is still the CImgElement pointer
recorded at the breakpoint (033413e0), but the object has been freed: the first
dword, which should be the vftable pointer, now reads 3db401b2, the dword at
[eax+70h] is 8bffff53, and `call edx` transfers control there.
mshtml!CElement::Doc:
3db56ce0 8b01            mov     eax,dword ptr [ecx]
3db56ce2 8b5070          mov     edx,dword ptr [eax+70h]
3db56ce5 ffd2            call    edx
3db56ce7 8b400c          mov     eax,dword ptr [eax+0Ch]
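The sequence in sections 2 and 3, reduced to a minimal C model. This is an added example, not code from this advisory or from mshtml: Element, the Document cache, doc(), the pool allocator and heap_spray() are stand-ins chosen for illustration, and the model does not reproduce why the duplicate id is required to reach this path. It only shows how a name lookup through a cache that was never invalidated ends in a virtual call on freed memory that a spray has refilled (the [ecx] -> [eax+slot] -> call sequence from the trace), and how invalidating the cache when elements are removed avoids it.

```c
/* Added example, not mshtml code: a minimal C model of the bug class in this advisory.
 * Element, the Document cache and doc() stand in for CImgElement, CCollectionCache and
 * CElement::Doc; the heap is a small pool so the stale call is observable, not undefined. */
#include <stdio.h>
#include <string.h>
#define POOL_SIZE 4

typedef struct Element Element;
typedef struct { int (*doc)(const Element *self); } ElementVtbl;
/* vtbl is the first dword of the object, like the vftable in the trace */
struct Element { const ElementVtbl *vtbl; char id[16]; int in_use; };

static int real_doc(const Element *self) { (void)self; return 1; }
static int sprayed_doc(const Element *self) { (void)self; return 0xDEAD; }
static const ElementVtbl real_vtbl = { real_doc };
static const ElementVtbl sprayed_vtbl = { sprayed_doc };   /* attacker-controlled */

/* Simulated heap: element_free() only marks the slot reusable; heap_spray()
 * refills every free slot with attacker data, as a spray reclaims freed chunks. */
static Element pool[POOL_SIZE];
static Element *element_alloc(const char *id) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].in_use) continue;
        pool[i].vtbl = &real_vtbl;
        strncpy(pool[i].id, id, sizeof pool[i].id - 1);
        pool[i].id[sizeof pool[i].id - 1] = '\0';
        pool[i].in_use = 1;
        return &pool[i];
    }
    return NULL;
}
static void element_free(Element *e) { e->in_use = 0; }
static void heap_spray(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) pool[i].vtbl = &sprayed_vtbl;
}

/* Document: the live element list plus a name -> element cache that is built
 * lazily on the first lookup and reused afterwards. */
typedef struct { char name[16]; Element *elem; } CacheEntry;
typedef struct {
    Element *elems[POOL_SIZE]; int count;
    CacheEntry cache[POOL_SIZE]; int cache_count; int cache_valid;
} Document;

static void build_cache(Document *d) {
    d->cache_count = 0;
    for (int i = 0; i < d->count; i++, d->cache_count++) {
        strcpy(d->cache[d->cache_count].name, d->elems[i]->id);
        d->cache[d->cache_count].elem = d->elems[i];
    }
    d->cache_valid = 1;
}

/* GetAtomFromName equivalent: find the cached element for a name and call
 * through its vtable: [ecx] -> [eax+slot] -> call, as in CElement::Doc. */
static int lookup_doc(Document *d, const char *name) {
    if (!d->cache_valid) build_cache(d);
    for (int i = 0; i < d->cache_count; i++)
        if (strcmp(d->cache[i].name, name) == 0)
            return d->cache[i].elem->vtbl->doc(d->cache[i].elem);
    return -1;   /* no element with that id */
}

/* Vulnerable removal: frees every element with this id, cache left untouched. */
static void remove_by_id_vuln(Document *d, const char *id) {
    int kept = 0;
    for (int i = 0; i < d->count; i++) {
        if (strcmp(d->elems[i]->id, id) == 0) element_free(d->elems[i]);
        else d->elems[kept++] = d->elems[i];
    }
    d->count = kept;
}

/* Hardened removal: same, but the cache is invalidated so the next lookup
 * rebuilds it from the live list instead of using freed memory. */
static void remove_by_id_fixed(Document *d, const char *id) {
    remove_by_id_vuln(d, id);
    d->cache_valid = 0;
}

/* Replays the advisory's sequence: two elements with the same id, a lookup that
 * fills the cache, removal of both, a spray, then a second lookup by name. */
static int scenario(int hardened) {
    Document d;
    memset(pool, 0, sizeof pool); memset(&d, 0, sizeof d);
    d.elems[d.count++] = element_alloc("x");   /* stands in for <img id="x"> */
    d.elems[d.count++] = element_alloc("x");   /* stands in for <div id="x"> */
    lookup_doc(&d, "x");                       /* cache now holds both pointers */
    if (hardened) remove_by_id_fixed(&d, "x"); else remove_by_id_vuln(&d, "x");
    heap_spray();
    return lookup_doc(&d, "x");   /* vulnerable: 0xDEAD via sprayed vtable; fixed: -1 */
}

int main(void) {
    printf("vulnerable lookup: 0x%x\nhardened lookup: %d\n", scenario(0), scenario(1));
    return 0;
}
```

In the vulnerable path the second lookup reaches the sprayed vtable exactly as the trace reaches 8bffff53: the cache entry is followed to an object whose first dword is no longer the real vftable. The hardened path returns -1 only because the cache is rebuilt from the live list; a real fix also needs the cache to be invalidated on every DOM mutation that can free an element, not just on this one removal path.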
4 Exploitable?
============
If the freed memory is overwritten with attacker-controlled content, combined
with a heap spray, this can lead to remote code execution.
We have also observed this vulnerability being exploited in the wild.
5 Crash info:
===============
(2430.2450): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8 edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
8bffff53 ??              ???
0:008> kb
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53
016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350 mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af528 00000003 00245501 mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 00245678 009af528 00000003 mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af528 016aa480 mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 00245678 0000000d 009af528 mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 033329c0 009af528 10000003 mshtml!CElementCollectionBase::VersionedGetDispID+0x46
6 TIMELINE:
==========
2012/2/15 Dark son asked Code Audit Labs to analyze a POC sample
2012/2/15 We began the analysis
2012/2/20 We confirmed this is an exploitable 0day and reported it to Microsoft
2012/2/21 Microsoft acknowledged receipt of the report
2012/2/25 Microsoft began to investigate
2012/3/1 Microsoft confirmed the issue
2012/6/14 Microsoft published the bulletin
7 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional services
including source code audit and binary code audit.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt