
Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free #2510

Merged
merged 4 commits into from Oct 13, 2013

Commits on Oct 12, 2013

  1. Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
    
    This module exploits a vulnerability found in Microsoft Internet Explorer.
    It was originally found being exploited in the wild targeting Japanese and
    Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
    except this was kept out of the public eye by multiple research companies and
    the vendor until the October patch release.
    
    This issue is a use-after-free vulnerability in CDisplayPointer via the use of
    an "onpropertychange" event handler. To set up the appropriate buggy conditions,
    we first craft the DOM tree in a specific order, where a CBlockElement comes after
    the CTextArea element. If we use a select() function for the CTextArea element,
    two important things will happen: a CDisplayPointer object will be created for
    CTextArea, and it will also trigger another event called "onselect". The "onselect"
    event will allow us to set up for the actual event handler we want to abuse -
    the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
    if we do a node swap of CBlockElement in "onselect", this will trigger
    "onpropertychange". During "onpropertychange" event handling, a free of the
    CDisplayPointer object can be forced by using an "Unselect" (other approaches
    also apply), but a reference to this freed memory will still be kept by
    CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
    because it is still trying to use that to update CDisplayPointer's position.
    When this invalid reference arrives in QIClassID, a crash finally occurs due to
    accessing the freed memory. By controlling this freed memory, it is possible to
    achieve arbitrary code execution under the context of the user.
    wchen-r7 committed Oct 12, 2013
    79c612c
  2. b139757
  3. bc31776
  4. Remove junk variables/params

    wchen-r7 committed Oct 12, 2013
    9725918