lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4FD80276.3000704@gmail.com>
Date: Wed, 13 Jun 2012 11:01:10 +0800
From: Code Audit Labs <vulnhunt@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution
 Vulnerability

[CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution
Vulnerability


CVE ID: CVE-2012-1874
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/


1 Affected Products
=================
tested :Internet Explorer 9.0.8112.16421
also affected IE8


2 Vulnerability Details
=====================
Code Audit Labs http://www.vulnhunt.com has discovered a use after free
vulnerability in IE developer toolbar.

IE developer toolbar register a global console object, and add bulitin
members as
CFunctionPointer with reference to console object, but not add reference
count correctly.
if access console object's property, it return a CFunctionPointer, so it
cause a use after
free vulnerability, which can cause Remote Code Execution.



3 Analysis
=========
asm in jsdbgui.dll

.text:1000B172 ; private: void __thiscall
CConsole::AddAllBuiltinMembers(void)
.text:1000B172 ?AddAllBuiltinMembers@...nsole@@AAEXXZ proc near
.text:1000B172                                         ; CODE XREF:
ATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> *
*)+62.p
.text:1000B172
.text:1000B172 var_10          = dword ptr -10h
.text:1000B172 var_4           = dword ptr -4
.text:1000B172
.text:1000B172                 push    4
.text:1000B174                 mov     eax, offset loc_10039274
.text:1000B179                 call    __EH_prolog3
.text:1000B17E                 mov     edi, ecx
.text:1000B180                 push    4
.text:1000B182                 pop     esi
.text:1000B183                 push    esi             ; dwBytes
.text:1000B184                 call    ??2@...AXI@Z    ; operator new(uint)
.text:1000B189                 pop     ecx
.text:1000B18A                 mov     [ebp+var_10], eax
.text:1000B18D                 and     [ebp+var_4], 0
.text:1000B191                 test    eax, eax
.text:1000B193                 jz      short loc_1000B1A3
.text:1000B195                 push    offset aLog     ; "log"
.text:1000B19A                 mov     ecx, eax
.text:1000B19C                 call
??0?$CStringT@...$StrTraitATL@...$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QAE@PBG@Z
;
ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>(ushort
const *)
.text:1000B1A1                 jmp     short loc_1000B1A5
.text:1000B1A3 ;
---------------------------------------------------------------------------
.text:1000B1A3
.text:1000B1A3 loc_1000B1A3:                           ; CODE XREF:
CConsole::AddAllBuiltinMembers(void)+21.j
.text:1000B1A3                 xor     eax, eax
.text:1000B1A5
.text:1000B1A5 loc_1000B1A5:                           ; CODE XREF:
CConsole::AddAllBuiltinMembers(void)+2F.j
.text:1000B1A5                 push    eax
.text:1000B1A6                 or      ebx, 0FFFFFFFFh
.text:1000B1A9                 push    1
.text:1000B1AB                 mov     ecx, edi
.text:1000B1AD                 mov     [ebp+var_4], ebx
.text:1000B1B0                 call
?AddBuiltinMethod@...rentExpando@@IAEXJPAV?$CStringT@...$StrTraitATL@...$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@Z
;
CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>
*)
.text:1000B1B5                 push    esi             ; dwBytes

.text:10021E5B                 push    [ebp+arg_0]
.text:10021E5E                 mov     ecx, edi
.text:10021E60                 push    esi
.text:10021E61                 call
?SetMethod@...nctionPointer@@QAEXPAVCParentExpando@@J@Z ;
CFunctionPointer::SetMethod(CParentExpando *,long)
.text:10021E66                 push    [ebp+var_10]
.text:10021E69                 mov     ecx, esi
.text:10021E6B                 push    [ebp+arg_0]
.text:10021E6E                 call
?SetValue@...rentExpando@@IAEJJPAUIDispatch@@@Z ;
CParentExpando::SetValue(long,IDispatch *)
.text:10021E73                 mov     eax, [ebp+var_10]

.text:1001B29B ; public: void __thiscall
CFunctionPointer::SetMethod(class CParentExpando *, long)
.text:1001B29B ?SetMethod@...nctionPointer@@QAEXPAVCParentExpando@@J@Z
proc near
.text:1001B29B                                         ; CODE XREF:
CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>
*)+4A.p
.text:1001B29B
.text:1001B29B arg_0           = dword ptr  8
.text:1001B29B arg_4           = dword ptr  0Ch
.text:1001B29B
.text:1001B29B                 mov     edi, edi
.text:1001B29D                 push    ebp
.text:1001B29E                 mov     ebp, esp
.text:1001B2A0                 mov     eax, [ebp+arg_0]
.text:1001B2A3                 mov     [ecx+8], eax
.text:1001B2A6                 mov     eax, [ebp+arg_4]
.text:1001B2A9                 mov     [ecx+0Ch], eax
.text:1001B2AC                 pop     ebp
.text:1001B2AD                 retn    8
.text:1001B2AD ?SetMethod@...nctionPointer@@QAEXPAVCParentExpando@@J@Z endp


4 Exploitable?
============
if overwrite freed memory with controlled content, combined with heap
spray, can cause remote code execution.


5 Crash info:
===============
ModLoad: 00110000 001c8000   C:\Program Files (x86)\Internet
Explorer\iexplore.exe
(1564.18e8): Access violation - code c0000005 (!!! second chance !!!)
eax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000
edi=0365cc48
eip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0         nv up ei pl zr na
pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010246
088b0000 ??              ???
0:005> kb 3
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000
0365cbf0 5f69e657 0a1202d0 00000000 00000001
jsdbgui!CFunctionPointer::InvokeEx+0xbc
0365cc64 5f658fa8 0365cc90 0365cd48 00000008
jscript9!DispatchHelper::GetDispatchValue+0x9d


6 TIMELINE:
==========
2012/1/15 code audit labs of vulnhunt.com discover this issue
2012/1/20 we begin analyze
2012/2/20 we comfirmed this is an exploitable vulnerability. report to
Microsoft
2012/2/21 Microsoft reply got the report.
2012/6/14 Microsoft public this bulletin.


7 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ