Attacker Value

Unknown

Microsoft Internet Explorer CGenericElement Use-After-Free

Attacker Value

Unknown

(1 user assessed)

Exploitability

Unknown

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

Microsoft Internet Explorer CGenericElement Use-After-Free

Disclosure Date: May 05, 2013 •

CVE-2013-1347

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

Description

Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.

Add Assessment

wchen-r7 (173)

September 12, 2019 6:07pm UTC (4 years ago)•Edited 3 years ago

Technical Analysis

— Allocating 0x4C bytes from InsertElementInternal: 0x0563cfb0


In 0x0563cfb0, offset+0 holds a reference to a mshtml!CGenericElement::`vftable':

eax=037cc598 ebx=037cc548 ecx=04a48d10 edx=633b5f09 esi=070eefa0 edi=037cc538
eip=633b5f09 esp=037cc4f8 ebp=037cc55c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
jscript!JsAtan2:
633b5f09 8bff mov edi,edi
0:008> dc 0x0563cfb0; .echo; dc poi(0x0563cfb0)
0563cfb0 06a99fc8 00000000 ffff0075 ffffffff ……..u…….
0563cfc0 00000071 00000000 00000000 00000000 q……………
0563cfd0 00000000 0563cfd8 00000152 00000001 ……c.R…….
0563cfe0 00000000 00000000 0563cfc0 00000000 ……….c…..
0563cff0 00000010 00000000 00000000 d0d0d0d0 …………….
0563d000 ???????? ???????? ???????? ???????? ????????????????
0563d010 ???????? ???????? ???????? ???????? ????????????????
0563d020 ???????? ???????? ???????? ???????? ????????????????

06a99fc8 635db4c8 00000001 00000008 07018fe8 ..]c…………
06a99fd8 049e8d80 00000000 80000075 80010000 ……..u…….
06a99fe8 00000006 0580afe8 06d9efec 00000000 …………….
06a99ff8 00000000 00000000 ???????? ???????? ……..????????
06a9a008 ???????? ???????? ???????? ???????? ????????????????
06a9a018 ???????? ???????? ???????? ???????? ????????????????
06a9a028 ???????? ???????? ???????? ???????? ????????????????
06a9a038 ???????? ???????? ???????? ???????? ????????????????
0:008> !heap -p -a poi(0x0563cfb0)

address 06a99fc8 found in
_DPH_HEAP_ROOT @ 151000
in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                             5087390:          6a99fc8               38 -          6a99000             2000
      mshtml!CGenericElement::`vftable'
7c918f01 ntdll!RtlAllocateHeap+0x00000e64
635db42e mshtml!CGenericElement::CreateElement+0x00000018
635a67f5 mshtml!CreateElement+0x00000043
637917c0 mshtml!CMarkup::CreateElement+0x000002de
63791929 mshtml!CDocument::CreateElementHelper+0x00000052
637918a2 mshtml!CDocument::createElement+0x00000021
635d3820 mshtml!Method_IDispatchpp_BSTR+0x000000d1
636430c9 mshtml!CBase::ContextInvokeEx+0x000005d1
63643595 mshtml!CBase::InvokeEx+0x00000025
63643832 mshtml!DispatchInvokeCollection+0x0000014b
635e1cdc mshtml!CDocument::InvokeEx+0x000000f1
63642f30 mshtml!CBase::VersionedInvokeEx+0x00000020
63642eec mshtml!PlainInvokeEx+0x000000ea
633a6d37 jscript!IDispatchExInvokeEx2+0x000000f8
633a6c75 jscript!IDispatchExInvokeEx+0x0000006a
633a9cfe jscript!InvokeDispatchEx+0x00000098



However, after garbage collecting, mshtml!CGenericElement::`vftable' is freed:

address 06a99fc8 found in
_DPH_HEAP_ROOT @ 151000
in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                5087390:          6a99000             2000
7c927553 ntdll!RtlFreeHeap+0x000000f9
636b52c6 mshtml!CGenericElement::`vector deleting destructor'+0x0000003d
63628a50 mshtml!CBase::SubRelease+0x00000022
63640d1b mshtml!CElement::PrivateRelease+0x00000029
6363d0ae mshtml!PlainRelease+0x00000025
63663c03 mshtml!PlainTrackerRelease+0x00000014
633a10b4 jscript!VAR::Clear+0x0000005c
6339fb4a jscript!GcContext::Reclaim+0x000000ab
6339fd33 jscript!GcContext::CollectCore+0x00000113
63405594 jscript!JsCollectGarbage+0x0000001d
633a92f7 jscript!NameTbl::InvokeInternal+0x00000137
633a6650 jscript!VAR::InvokeByDispID+0x0000017c
633a9c0b jscript!CScriptRuntime::Run+0x00002989
633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff
633a59f7 jscript!ScrFncObj::Call+0x0000008f
633a5743 jscript!CSession::Execute+0x00000175

0:008> dc 0x0563cfb0; .echo; dc poi(0x0563cfb0)
0563cfb0 06a99fc8 00000000 ffff0075 ffffffff ……..u…….
0563cfc0 00000071 00000000 00000000 00000000 q……………
0563cfd0 00000000 0563cfd8 00000152 00000001 ……c.R…….
0563cfe0 00000000 00000000 0563cfc0 00000000 ……….c…..
0563cff0 00000010 00000000 00000000 d0d0d0d0 …………….
0563d000 ???????? ???????? ???????? ???????? ????????????????
0563d010 ???????? ???????? ???????? ???????? ????????????????
0563d020 ???????? ???????? ???????? ???????? ????????????????

06a99fc8 ???????? ???????? ???????? ???????? ????????????????
06a99fd8 ???????? ???????? ???????? ???????? ????????????????
06a99fe8 ???????? ???????? ???????? ???????? ????????????????
06a99ff8 ???????? ???????? ???????? ???????? ????????????????
06a9a008 ???????? ???????? ???????? ???????? ????????????????
06a9a018 ???????? ???????? ???????? ???????? ????????????????
06a9a028 ???????? ???????? ???????? ???????? ????????????????
06a9a038 ???????? ???????? ???????? ???????? ????????????????


You can see that the reference is still there.  When the page reloads, this ends up with a crash:

0:008> g
(5f4.2c0): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=63aae200 ebx=0563cfb0 ecx=06a99fc8 edx=00000000 esi=037cf0b8 edi=00000000
eip=6363fcc4 esp=037cf08c ebp=037cf0a4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mshtml!CElement::Doc:
6363fcc4 8b01 mov eax,dword ptr [ecx] ds:0023:06a99fc8=????????


Callstack at the time of the crash:

0:008> k
ChildEBP RetAddr
037cf1f8 63602718 mshtml!CElement::Doc
037cf214 636026a3 mshtml!CTreeNode::ComputeFormats+0xb9
037cf4c0 63612a85 mshtml!CTreeNode::ComputeFormatsHelper+0x44
037cf4d0 63612a45 mshtml!CTreeNode::GetFancyFormatIndexHelper+0x11
037cf4e0 63612a2c mshtml!CTreeNode::GetFancyFormatHelper+0xf
037cf4f0 63717f30 mshtml!CTreeNode::GetFancyFormat+0x35
037cf4fc 63717f4e mshtml!ISpanQualifier::GetFancyFormat+0x5a
037cf50c 63717afe mshtml!SLayoutRun::HasInlineMbp+0x10
037cf51c 63724f88 mshtml!SRunPointer::HasInlineMbp+0x53
037cf554 6373a5a1 mshtml!CLayoutBlock::GetIsEmptyContent+0xf1
037cf58c 6382ed01 mshtml!CLayoutBlock::GetIsEmptyContent+0x3f
037cf5d8 63702e23 mshtml!CBlockContainerBlock::BuildBlockContainer+0x250
037cf610 63708acf mshtml!CLayoutBlock::BuildBlock+0x1c1
037cf6d4 6370bd31 mshtml!CCssDocumentLayout::GetPage+0x22a
037cf844 63668184 mshtml!CCssPageLayout::CalcSizeVirtual+0x242
037cf97c 6368a1cb mshtml!CLayout::CalcSize+0x2b8
037cfa78 6374799d mshtml!CLayout::DoLayout+0x11d
037cfa8c 636514de mshtml!CCssPageLayout::Notify+0x140
037cfa98 636678c6 mshtml!NotifyElement+0x41
”`

Patch information:

Patch:
Do a mshtml!CLayoutBlock::RemoveChild in mshtml!CBlockContainerBlock::BuildBlockContainer before
the layout structure access. More information about this patch can be found here:

https://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx?Redirected=true

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

microsoft

Products

internet explorer 8

Metasploit Modules

exploit/windows/browser/ie_cgenericelement_uaf (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: March 07, 2022 5:45pm UTC (2 years ago)

References

Canonical

CVE-2013-1347 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347)

MS13-038 (https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-038)

Advisory

TA13-134A (http://www.us-cert.gov/ncas/alerts/TA13-134A)

Oval (https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16727)

Microsoft TechNet (http://technet.microsoft.com/security/advisory/2847140)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

EXPLOIT-DB-25294 (http://www.exploit-db.com/exploits/25294)

Rapid7

Unknown