lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Jun 2012 11:01:10 +0800
From: Code Audit Labs <>
Subject: [CAL-2012-0023]Microsoft IE Developer Toolbar
 Remote Code Execution Vulnerability

[CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution

CVE ID: CVE-2012-1874

1 Affected Products
tested :Internet Explorer 9.0.8112.16421
also affected IE8

2 Vulnerability Details
Code Audit Labs has discovered a use after free
vulnerability in IE developer toolbar.

IE developer toolbar register a global console object, and add bulitin
members as
CFunctionPointer with reference to console object, but not add reference
count correctly.
if access console object's property, it return a CFunctionPointer, so it
cause a use after
free vulnerability, which can cause Remote Code Execution.

3 Analysis
asm in jsdbgui.dll

.text:1000B172 ; private: void __thiscall
.text:1000B172 ?AddAllBuiltinMembers@...nsole@@AAEXXZ proc near
.text:1000B172                                         ; CODE XREF:
ATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> *
.text:1000B172 var_10          = dword ptr -10h
.text:1000B172 var_4           = dword ptr -4
.text:1000B172                 push    4
.text:1000B174                 mov     eax, offset loc_10039274
.text:1000B179                 call    __EH_prolog3
.text:1000B17E                 mov     edi, ecx
.text:1000B180                 push    4
.text:1000B182                 pop     esi
.text:1000B183                 push    esi             ; dwBytes
.text:1000B184                 call    ??2@...AXI@Z    ; operator new(uint)
.text:1000B189                 pop     ecx
.text:1000B18A                 mov     [ebp+var_10], eax
.text:1000B18D                 and     [ebp+var_4], 0
.text:1000B191                 test    eax, eax
.text:1000B193                 jz      short loc_1000B1A3
.text:1000B195                 push    offset aLog     ; "log"
.text:1000B19A                 mov     ecx, eax
.text:1000B19C                 call
const *)
.text:1000B1A1                 jmp     short loc_1000B1A5
.text:1000B1A3 ;
.text:1000B1A3 loc_1000B1A3:                           ; CODE XREF:
.text:1000B1A3                 xor     eax, eax
.text:1000B1A5 loc_1000B1A5:                           ; CODE XREF:
.text:1000B1A5                 push    eax
.text:1000B1A6                 or      ebx, 0FFFFFFFFh
.text:1000B1A9                 push    1
.text:1000B1AB                 mov     ecx, edi
.text:1000B1AD                 mov     [ebp+var_4], ebx
.text:1000B1B0                 call
.text:1000B1B5                 push    esi             ; dwBytes

.text:10021E5B                 push    [ebp+arg_0]
.text:10021E5E                 mov     ecx, edi
.text:10021E60                 push    esi
.text:10021E61                 call
?SetMethod@...nctionPointer@@QAEXPAVCParentExpando@@J@Z ;
CFunctionPointer::SetMethod(CParentExpando *,long)
.text:10021E66                 push    [ebp+var_10]
.text:10021E69                 mov     ecx, esi
.text:10021E6B                 push    [ebp+arg_0]
.text:10021E6E                 call
?SetValue@...rentExpando@@IAEJJPAUIDispatch@@@Z ;
CParentExpando::SetValue(long,IDispatch *)
.text:10021E73                 mov     eax, [ebp+var_10]

.text:1001B29B ; public: void __thiscall
CFunctionPointer::SetMethod(class CParentExpando *, long)
.text:1001B29B ?SetMethod@...nctionPointer@@QAEXPAVCParentExpando@@J@Z
proc near
.text:1001B29B                                         ; CODE XREF:
.text:1001B29B arg_0           = dword ptr  8
.text:1001B29B arg_4           = dword ptr  0Ch
.text:1001B29B                 mov     edi, edi
.text:1001B29D                 push    ebp
.text:1001B29E                 mov     ebp, esp
.text:1001B2A0                 mov     eax, [ebp+arg_0]
.text:1001B2A3                 mov     [ecx+8], eax
.text:1001B2A6                 mov     eax, [ebp+arg_4]
.text:1001B2A9                 mov     [ecx+0Ch], eax
.text:1001B2AC                 pop     ebp
.text:1001B2AD                 retn    8
.text:1001B2AD ?SetMethod@...nctionPointer@@QAEXPAVCParentExpando@@J@Z endp

4 Exploitable?
if overwrite freed memory with controlled content, combined with heap
spray, can cause remote code execution.

5 Crash info:
ModLoad: 00110000 001c8000   C:\Program Files (x86)\Internet
(1564.18e8): Access violation - code c0000005 (!!! second chance !!!)
eax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000
eip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0         nv up ei pl zr na
pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
088b0000 ??              ???
0:005> kb 3
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000
0365cbf0 5f69e657 0a1202d0 00000000 00000001
0365cc64 5f658fa8 0365cc90 0365cd48 00000008

2012/1/15 code audit labs of discover this issue
2012/1/20 we begin analyze
2012/2/20 we comfirmed this is an exploitable vulnerability. report to
2012/2/21 Microsoft reply got the report.
2012/6/14 Microsoft public this bulletin.

7 About Code Audit Labs:
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists