
Add MS13-055 Internet Explorer Use-After-Free Vulnerability #2337

Merged (4 commits), Sep 9, 2013

Commits on Sep 9, 2013

  1. Add MS13-055 Internet Explorer Use-After-Free Vulnerability

    In IE8 standards mode, it's possible to cause a use-after-free condition by first
    creating an illogical table tree, where a CPhraseElement comes after CTableRow,
    with the final node being a sub table element. When the CPhraseElement's outer
    content is reset by using either outerText or outerHTML through an event handler,
    this triggers a free of its child element (in this case, a CAnchorElement, but
    some other objects apply too), but a reference is still kept in function
    SRunPointer::SpanQualifier. This function will then pass on the invalid reference
    to the next functions, eventually used in mshtml!CElement::Doc when it's trying to
    make a call to the object's SecurityContext virtual function at offset +0x70, which
    results in a crash. An attacker can take advantage of this by first creating a
    CAnchorElement object, letting it be freed, and then replacing the freed memory with
    another fake object. Successfully doing so may allow arbitrary code execution under
    the context of the user.
    
    This bug is specific to Internet Explorer 8 only. It was originally discovered by
    Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update, so
    no CVE as of now.
    wchen-r7 committed Sep 9, 2013 (c3db413)
  2. Not from the future

    wchen-r7 committed Sep 9, 2013 (992bdcf)
  3. Less alignment

    wchen-r7 committed Sep 9, 2013 (6ab905e)
  4. Retabbed

    One kills a man, one is an assassin; one kills millions, one is a
    conqueror; one kills a tab, one is a Metasploit dev.
    wchen-r7 committed Sep 9, 2013 (0ee0168)
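The bug class the first commit message describes, as an added example that is not part of this PR, the Metasploit module, or mshtml: a child element is freed while another object (the SRunPointer role here) still holds a raw pointer to it, the freed chunk is refilled with attacker-controlled bytes, and the stale pointer is then used for the virtual call that CElement::Doc makes at vtable offset +0x70. Everything beyond those names is an assumption made for the model: the `Element` layout, the LIFO slab allocator that hands back the most recently freed chunk, the slot index `0x70 / 4` (a 32-bit vtable, as on IE8), the `RunPointer`/`spray_fake_object`/`scenario_*` names, and the generic "clear the reference" fix in the last scenario. It does not reproduce the DOM tree that triggers the real free.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not IE/mshtml or Metasploit code. Models the use-after-free
 * dispatch pattern from the commit message with a deterministic slab so the
 * outcome does not depend on the system heap. Layouts and names are assumed. */

#define SECURITYCONTEXT_OFFSET 0x70                          /* from the commit message */
#define SECURITYCONTEXT_SLOT   (SECURITYCONTEXT_OFFSET / 4)  /* 28: a 32-bit vtable, as on IE8 */
#define VTABLE_SLOTS           (SECURITYCONTEXT_SLOT + 4)

typedef struct Element Element;
typedef uintptr_t (*vfn)(Element *);

struct Element {          /* assumed layout of the child (CAnchorElement role) */
    const vfn *vtable;    /* vptr first, like a C++ object with virtual methods */
    uint32_t   tag;
    uint32_t   ctx_id;    /* what the SecurityContext virtual returns */
};

/* Tiny LIFO slab: the most recently freed chunk is handed out next, which is
 * exactly what lets the attacker's replacement land where the child was. */
#define CHUNK_COUNT 8
typedef union { Element e; unsigned char raw[sizeof(Element)]; } Chunk;
static Chunk g_slab[CHUNK_COUNT];
static int   g_free_stack[CHUNK_COUNT];
static int   g_free_top;

static void slab_init(void) {
    g_free_top = 0;
    for (int i = CHUNK_COUNT - 1; i >= 0; i--) g_free_stack[g_free_top++] = i;
}
static void *slab_alloc(void) {
    return g_free_top == 0 ? NULL : &g_slab[g_free_stack[--g_free_top]];
}
static void slab_free(void *p) {
    g_free_stack[g_free_top++] = (int)((Chunk *)p - g_slab);
}

/* The legitimate element type and its vtable. */
static uintptr_t anchor_security_context(Element *e) { return e->ctx_id; }
static uintptr_t anchor_unused(Element *e) { (void)e; return 0; }
static vfn g_anchor_vtable[VTABLE_SLOTS];

static void vtable_init(void) {
    for (int i = 0; i < VTABLE_SLOTS; i++) g_anchor_vtable[i] = anchor_unused;
    g_anchor_vtable[SECURITYCONTEXT_SLOT] = anchor_security_context;
}

static Element *anchor_create(uint32_t ctx_id) {
    Element *e = slab_alloc();
    e->vtable = g_anchor_vtable;
    e->tag    = 'A';
    e->ctx_id = ctx_id;
    return e;
}

/* Stand-in for mshtml!CElement::Doc: a virtual call at +0x70 on whatever pointer it is handed. */
static uintptr_t element_doc(Element *e) {
    return e->vtable[SECURITYCONTEXT_SLOT](e);
}

/* Stand-in for SRunPointer: keeps a raw pointer to the child and is never told when it dies. */
typedef struct { Element *child; } RunPointer;

/* Attacker side: the function they want reached, and a fake vtable that points every slot at it. */
static uintptr_t attacker_gadget(Element *e) { (void)e; return 0x41414141u; }
static vfn g_fake_vtable[VTABLE_SLOTS];

static void spray_fake_object(void) {
    for (int i = 0; i < VTABLE_SLOTS; i++) g_fake_vtable[i] = attacker_gadget;
    unsigned char *chunk = slab_alloc();      /* LIFO: this is the chunk freed last */
    const vfn *vt = g_fake_vtable;
    memset(chunk, 0x41, sizeof(Element));     /* filler bytes ... */
    memcpy(chunk, &vt, sizeof vt);            /* ... with the vptr aimed at the fake vtable */
}

/* Normal path: the child is alive, Doc reaches the real SecurityContext. */
uintptr_t scenario_live(void) {
    slab_init(); vtable_init();
    RunPointer run = { anchor_create(7) };
    return element_doc(run.child);                 /* 7 */
}

/* The bug: outerHTML/outerText reset frees the child, the holder keeps the pointer,
 * the attacker refills the chunk, and Doc dispatches through the fake vtable. */
uintptr_t scenario_use_after_free(void) {
    slab_init(); vtable_init();
    RunPointer run = { anchor_create(7) };
    slab_free(run.child);
    spray_fake_object();
    return element_doc(run.child);                 /* 0x41414141: attacker_gadget ran */
}

/* Generic fix in this model: the holder drops its reference when the child is freed. */
uintptr_t scenario_reference_cleared(void) {
    slab_init(); vtable_init();
    RunPointer run = { anchor_create(7) };
    slab_free(run.child);
    run.child = NULL;
    spray_fake_object();
    return run.child ? element_doc(run.child) : 0; /* 0: no dispatch through stale memory */
}

int main(void) {
    printf("live element:      0x%lx\n", (unsigned long)scenario_live());
    printf("use-after-free:    0x%lx\n", (unsigned long)scenario_use_after_free());
    printf("reference cleared: 0x%lx\n", (unsigned long)scenario_reference_cleared());
    return 0;
}
```

The point of the three scenarios is the middle one: nothing in `element_doc` can tell a live child from a refilled chunk, because both present a plausible vptr at offset 0. On a real heap the attacker must additionally win the allocator race (hence the heap spray the commit message alludes to); the LIFO slab removes that variable so the dispatch through attacker memory is reproducible.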