
Microsoft Internet Explorer CCaret Use-After-Free

Disclosure Date: September 11, 2013

Description

Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability.”

Technical Analysis

This is from crash2, with gflags enabled.

Originally discovered by Corelanc0d3r, see:
https://www.corelan.be/index.php/2014/05/22/on-cve-2014-1770-zdi-14-140-internet-explorer-8-0day/

Note

This was kept private until an official patch was out from Microsoft.

0:008> r
eax=00000000 ebx=00000000 ecx=7c91003d edx=00155000 esi=0cc2ef38 edi=0cc2ef38
eip=63621339 esp=037cfb88 ebp=037cfba4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CSelectionManager::EnsureEditContext+0x30:
63621339 837f1800        cmp     dword ptr [edi+18h],0 ds:0023:0cc2ef50=????????
0:008> !heap -p -a edi
    address 0cc2ef38 found in
    _DPH_HEAP_ROOT @ 151000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    c6bc350:          cc2e000             2000
    7c927553 ntdll!RtlFreeHeap+0x000000f9
    6375bc86 mshtml!CSelectionManager::`vector deleting destructor'+0x00000022
    6375b528 mshtml!CSelectionManager::Release+0x0000001e
    6358c7b0 mshtml!CSelectionManager::DoPendingElementExit+0x00000211
    6358c61b mshtml!CSelectionManager::DoPendingTasks+0x00000019
    63621335 mshtml!CSelectionManager::EnsureEditContext+0x0000002c
    6361c2bd mshtml!CHTMLEditor::Notify+0x0000005a
    6361c270 mshtml!CHTMLEditorProxy::Notify+0x00000021
    6360feb4 mshtml!CDoc::NotifySelection+0x00000059
    63620f7f mshtml!CCaret::UpdateScreenCaret+0x000000dd
    63784934 mshtml!CCaret::DeferredUpdateCaretScroll+0x00000032
    6364de62 mshtml!GlobalWndOnMethodCall+0x000000fb
    6363c3c5 mshtml!GlobalWndProc+0x00000183
    7e418734 USER32!InternalCallWinProc+0x00000028
    7e418816 USER32!UserCallWinProcCheckWow+0x00000150
    7e4189cd USER32!DispatchMessageWorker+0x00000306
0:008> u
mshtml!CSelectionManager::EnsureEditContext+0x30:
63621339 837f1800        cmp     dword ptr [edi+18h],0
6362133d 0f8423a52300    je      mshtml!CSelectionManager::EnsureEditContext+0x36 (6385b866)
63621343 5f              pop     edi
63621344 c3              ret
63621345 85c0            test    eax,eax
63621347 7ddb            jge     mshtml!CSelectionManager::EnsureEditContext+0x16 (63621324)
63621349 ebf8            jmp     mshtml!CSelectionManager::EnsureEditContext+0x3b (63621343)
6362134b 85c0            test    eax,eax
0:008> k
ChildEBP RetAddr
037cfb88 6361d930 mshtml!CSelectionManager::EnsureEditContext+0x30
037cfba4 6361c2bd mshtml!CSelectionManager::Notify+0x3a
037cfbb8 6361c270 mshtml!CHTMLEditor::Notify+0x5a
037cfbd4 6360feb4 mshtml!CHTMLEditorProxy::Notify+0x21
037cfbf0 63620f7f mshtml!CDoc::NotifySelection+0x59
037cfd14 63784934 mshtml!CCaret::UpdateScreenCaret+0xdd
037cfd24 6364de62 mshtml!CCaret::DeferredUpdateCaretScroll+0x32
037cfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb
037cfd78 7e418734 mshtml!GlobalWndProc+0x183
037cfda4 7e418816 USER32!InternalCallWinProc+0x28
037cfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150
037cfe6c 7e418a10 USER32!DispatchMessageWorker+0x306
037cfe7c 02562ec9 USER32!DispatchMessageW+0xf
037cfeec 025048bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461
037cffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1
037cffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab
037cffec 00000000 kernel32!BaseThreadStart+0x37

Without gflags

0:008> r
eax=41424344 ebx=03323060 ecx=7c91003d edx=00000014 esi=00234ec8 edi=0000000c
eip=63620f82 esp=0201fc00 ebp=0201fd14 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
mshtml!CCaret::UpdateScreenCaret+0xe0:
63620f82 8b08            mov     ecx,dword ptr [eax]  ds:0023:41424344=????????
0:008> u
mshtml!CCaret::UpdateScreenCaret+0xe0:
63620f82 8b08            mov     ecx,dword ptr [eax]
63620f84 8d54246c        lea     edx,[esp+6Ch]
63620f88 52              push    edx
63620f89 50              push    eax
63620f8a ff512c          call    dword ptr [ecx+2Ch]
63620f8d 33ff            xor     edi,edi
63620f8f 397c246c        cmp     dword ptr [esp+6Ch],edi
63620f93 0f84669e2100    je      mshtml!CCaret::UpdateScreenCaret+0xf3 (6383adff)
0:008> k
ChildEBP RetAddr
0201fd14 63784934 mshtml!CCaret::UpdateScreenCaret+0xe0
0201fd24 6364de62 mshtml!CCaret::DeferredUpdateCaretScroll+0x32
0201fd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb
0201fd78 7e418734 mshtml!GlobalWndProc+0x183
0201fda4 7e418816 USER32!InternalCallWinProc+0x28
0201fe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150
0201fe6c 7e418a10 USER32!DispatchMessageWorker+0x306
0201fe7c 00cb2ec9 USER32!DispatchMessageW+0xf
0201feec 00c548bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461
0201ffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1
0201ffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab
0201ffec 00000000 kernel32!BaseThreadStart+0x37
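
As an added triage example (not code from the assessment above, from Corelan or from Rapid7), the script below parses the `!heap -p -a` block and the `k` stack quoted in the gflags-enabled session and checks whether the object was freed by a callee of the very function that later faulted on it, which is the shape the page-heap output shows here. The embedded strings are trimmed copies of the page's WinDbg output; the frame-filtering heuristic used to name the freeing function is an assumption of this example.

```python
import re

# Trimmed copies of the page's WinDbg output (page heap enabled): the
# `!heap -p -a edi` block for the faulting pointer and the `k` stack at the crash.
HEAP_OUTPUT = """\
    address 0cc2ef38 found in
    _DPH_HEAP_ROOT @ 151000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    c6bc350:          cc2e000             2000
    7c927553 ntdll!RtlFreeHeap+0x000000f9
    6375bc86 mshtml!CSelectionManager::`vector deleting destructor'+0x00000022
    6375b528 mshtml!CSelectionManager::Release+0x0000001e
    6358c7b0 mshtml!CSelectionManager::DoPendingElementExit+0x00000211
    6358c61b mshtml!CSelectionManager::DoPendingTasks+0x00000019
    63621335 mshtml!CSelectionManager::EnsureEditContext+0x0000002c
    6361c2bd mshtml!CHTMLEditor::Notify+0x0000005a
"""
CRASH_STACK = """\
ChildEBP RetAddr
037cfb88 6361d930 mshtml!CSelectionManager::EnsureEditContext+0x30
037cfba4 6361c2bd mshtml!CSelectionManager::Notify+0x3a
037cfbb8 6361c270 mshtml!CHTMLEditor::Notify+0x5a
"""

# One frame line: one (!heap) or two (k) 8-digit hex words, then module!symbol+0xoff.
FRAME_RE = re.compile(r"^\s*(?:[0-9a-f]{8}\s+){1,2}(\S+?![^+]+)\+0x([0-9a-f]+)\s*$")


def parse_frames(text):
    """Return the module!symbol name of every frame line, innermost first."""
    return [m.group(1) for m in (FRAME_RE.match(l) for l in text.splitlines()) if m]


def triage(heap_text, k_text):
    """Decide whether a page-heap crash is a use-after-free and which function freed the object."""
    if "free-ed allocation" not in heap_text:
        return {"verdict": "not-freed"}  # busy block: suspect an overflow, not a UAF
    free_frames = parse_frames(heap_text)
    crash_frames = parse_frames(k_text)
    # Heuristic (assumption): the freeing function is the first frame above the
    # allocator, the destructor and the refcount Release that triggered it.
    freed_by = next(f for f in free_frames
                    if "!Rtl" not in f and "destructor" not in f and "::Release" not in f)
    # If the faulting function also sits on the free stack, one of its own callees
    # released the object and it kept using its stale pointer on return.
    top = crash_frames[0]
    return {"verdict": "use-after-free", "freed_by": freed_by,
            "faulting": top, "released_during_callee": top in free_frames}
```

Without page heap the same bug surfaces later, in CCaret::UpdateScreenCaret, because the freed block has been reused; running crashes under gflags is what makes this check land on the first stale access.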

General Information

Vendors

  • microsoft

Products

  • internet explorer 6,
  • internet explorer 7,
  • internet explorer 8
