Add MS13-055 Internet Explorer Use-After-Free Vulnerability #2337
Conversation
In IE8 standards mode, it's possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement's outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it's trying to make a call to the object's SecurityContext virtual function at offset +0x70, which results in a crash. An attacker can take advantage of this by first creating a CAnchorElement object, letting it be freed, and then replacing the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user. This bug is specific to Internet Explorer 8 only. It was originally discovered by Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update, so no CVE as of now.
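The description above is the whole exploitation chain in one paragraph: a child element is freed while a stale reference survives, the stale reference reaches a virtual call at vtable offset +0x70, and an attacker who re-occupies the freed chunk with a fake object controls that call. The following C program is an added illustration of that chain, not code from this pull request, from the Metasploit module, or from mshtml. It models the objects and the allocator in miniature: `element_t` stands in for a CAnchorElement, `span_qualifier_ref` for the reference SRunPointer::SpanQualifier keeps, `element_doc()` for the call CElement::Doc makes through slot +0x70, and a toy LIFO pool allocator stands in for the heap so that the "next same-size allocation gets the freed chunk" step is deterministic. All of those names, the 40-byte payload size and the 32-slot vtable are assumptions for the demo; the `run_patched_scenario()` at the end shows the generic fix pattern (invalidate the reference together with the object), not Microsoft's actual patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vtable slot at byte offset +0x70: the slot the PR description says
 * CElement::Doc calls (SecurityContext). Slot 28 on 32-bit, 14 on 64-bit. */
#define VTABLE_SLOTS 32
#define SECCTX_SLOT (0x70 / sizeof(void *))

typedef struct element element_t;
typedef const char *(*secctx_fn)(element_t *);
typedef struct { secctx_fn slots[VTABLE_SLOTS]; } vtable_t;
/* Assumed object layout: vtable pointer first, then some payload. */
struct element { const vtable_t *vt; char payload[40]; };

static const char *anchor_security_context(element_t *e) { (void)e; return "CAnchorElement::SecurityContext"; }
static const char *attacker_controlled(element_t *e)     { (void)e; return "attacker code"; }

static vtable_t anchor_vtable;   /* the legitimate vtable: only +0x70 matters here */
static vtable_t fake_vtable;     /* attacker's vtable: every slot -> attacker code */

static void init_vtables(void) {
    memset(&anchor_vtable, 0, sizeof anchor_vtable);
    anchor_vtable.slots[SECCTX_SLOT] = anchor_security_context;
    for (size_t i = 0; i < VTABLE_SLOTS; i++) fake_vtable.slots[i] = attacker_controlled;
}

/* Toy LIFO allocator for same-size chunks: the most recently freed chunk is
 * the first one handed out again. That reuse is what the replacement step
 * relies on; a fixed pool makes it deterministic for the demo. */
#define POOL_CHUNKS 8
static element_t  pool[POOL_CHUNKS];
static element_t *free_list[POOL_CHUNKS];
static int        free_top;

static void pool_init(void) {
    free_top = 0;
    for (int i = POOL_CHUNKS - 1; i >= 0; i--) free_list[free_top++] = &pool[i];
}
static element_t *pool_alloc(void) { return free_top ? free_list[--free_top] : NULL; }
static void pool_free(element_t *e) {
    memset(e, 0xdd, sizeof *e);          /* freed memory: vt is now garbage */
    free_list[free_top++] = e;
}

/* The reference SRunPointer::SpanQualifier keeps after the child is freed. */
static element_t *span_qualifier_ref;

/* Stands in for mshtml!CElement::Doc: an indirect call through slot +0x70. */
static const char *element_doc(element_t *e) { return e->vt->slots[SECCTX_SLOT](e); }

typedef struct { const char *before; const char *after; int same_chunk; } uaf_result_t;

/* The vulnerable sequence: create, keep a reference, free, re-occupy, call. */
static uaf_result_t run_uaf_scenario(void) {
    uaf_result_t r;
    init_vtables();
    pool_init();

    element_t *anchor = pool_alloc();            /* 1. child element created */
    anchor->vt = &anchor_vtable;
    strcpy(anchor->payload, "<a>");
    span_qualifier_ref = anchor;                 /*    SpanQualifier takes a reference */
    r.before = element_doc(span_qualifier_ref);  /*    legitimate virtual call */

    pool_free(anchor);                           /* 2. outerHTML/outerText reset frees it;
                                                        the reference is not cleared */

    element_t *fake = pool_alloc();              /* 3. attacker allocates a same-size object */
    r.same_chunk = (fake == anchor);             /*    and gets the freed chunk back */
    fake->vt = &fake_vtable;                     /*    fake vtable pointer at offset 0 */
    memset(fake->payload, 0x41, sizeof fake->payload);

    r.after = element_doc(span_qualifier_ref);   /* 4. Doc() uses the stale pointer:
                                                        slot +0x70 is attacker controlled */
    return r;
}

/* Generic fix pattern (an assumption, not the vendor patch): the owner of the
 * reference drops it when the object dies, and the caller checks for NULL. */
static const char *element_doc_checked(element_t *e) {
    return e ? e->vt->slots[SECCTX_SLOT](e) : "no element";
}

static const char *run_patched_scenario(void) {
    init_vtables();
    pool_init();
    element_t *anchor = pool_alloc();
    anchor->vt = &anchor_vtable;
    span_qualifier_ref = anchor;
    pool_free(anchor);
    span_qualifier_ref = NULL;                   /* reference dies with the object */
    element_t *fake = pool_alloc();
    fake->vt = &fake_vtable;
    return element_doc_checked(span_qualifier_ref);
}

int main(void) {
    uaf_result_t r = run_uaf_scenario();
    printf("before free:       %s\n", r.before);
    printf("same chunk reused: %d\n", r.same_chunk);
    printf("after replacement: %s\n", r.after);
    printf("patched path:      %s\n", run_patched_scenario());
    return 0;
}
```

Without the replacement step the stale `vt` is the 0xdd fill pattern and the indirect call faults, which is the crash the description mentions; with the replacement it lands in the attacker's function, which is the code-execution case. The real heap is not a fixed pool, so a working exploit additionally has to win the reuse of that chunk, but the pointer flow is the same.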
Processing...
Is it still using hard tabs? Looks like yes in my editor :? If yes, please switch to soft tabs, and please update this PR using the instructions at https://github.com/rapid7/metasploit-framework/wiki/Indentation-Standards. If it isn't using hard tabs, then there is something weird in my editor configuration and I need to check :S Sorry in that case.
Working on W7 / IE8:
'Payload' => | ||
{ | ||
'BadChars' => "\x00", | ||
'StackAdjustment' => -3500 |
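Review bot: 'StackAdjustment' => -3500 in this Payload block is redundant if get_payload() already prepends the stack adjustment stub, as the review comment on this hunk says; drop the key so the adjustment is not applied on top of the one get_payload() generates, leaving only 'BadChars' => "\x00" in the hash.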
Looks like it shouldn't be needed because get_payload() is adding the stack adjustment code by itself
Thanks! Processing again!
Tested on XP SP3 and Win 7 SP1:
Some reliability issues with XP SP3 on first shots, did several tests, and looks good enough for me to go:
landing
Well, I have been taking a look at https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf and this stack trace sounds familiar to me: CVE-2013-3163, a bug discovered and reported in Oct 2012. So it was not silently patched and has its CVE :) Nice exploit btw ;)
Thanks yenteasy! I'm glad you told me this, because it was really painful to verify the actual CVE. Nobody else knows for sure which one. I will do another pull request to update the module, thanks! |
Update info about original discovery. See rapid7#2337 too.
You're welcome. Yeah, that's right, since MS is using the same title (memory corruption) for all the bugs. Regards,
That'd be great. Please feel free to e-mail to either wei_chen[at].rapid7.com, or sinn3r[at]metasploit.com. Thanks! |
Special thanks to Peter Vreugdenhil for the involvement.
Demo against XP & Win 7: