Microsoft Internet Explorer CGenericElement Use-After-Free
Description
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.
Technical Analysis
The following WinDbg session (full page heap enabled, which is why `!heap` reports a `_DPH_HEAP_ROOT`) traces the object that is later used after free. First, InsertElementInternal allocates a 0x4C-byte block at 0x0563cfb0. Offset +0 of that block holds a pointer to a CGenericElement object, which `!heap` identifies by its first dword, mshtml!CGenericElement::`vftable'. The `d0d0d0d0` at 0x0563cffc, exactly 0x4C bytes past the start of the block, is the page-heap suffix fill pattern and confirms the allocation size:

```
eax=037cc598 ebx=037cc548 ecx=04a48d10 edx=633b5f09 esi=070eefa0 edi=037cc538
eip=633b5f09 esp=037cc4f8 ebp=037cc55c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
jscript!JsAtan2:
633b5f09 8bff            mov     edi,edi
0:008> dc 0x0563cfb0; .echo; dc poi(0x0563cfb0)
0563cfb0  06a99fc8 00000000 ffff0075 ffffffff  ........u.......
0563cfc0  00000071 00000000 00000000 00000000  q...............
0563cfd0  00000000 0563cfd8 00000152 00000001  ......c.R.......
0563cfe0  00000000 00000000 0563cfc0 00000000  ..........c.....
0563cff0  00000010 00000000 00000000 d0d0d0d0  ................
0563d000  ???????? ???????? ???????? ????????  ????????????????
0563d010  ???????? ???????? ???????? ????????  ????????????????
0563d020  ???????? ???????? ???????? ????????  ????????????????

06a99fc8  635db4c8 00000001 00000008 07018fe8  ..]c............
06a99fd8  049e8d80 00000000 80000075 80010000  ........u.......
06a99fe8  00000006 0580afe8 06d9efec 00000000  ................
06a99ff8  00000000 00000000 ???????? ????????  ........????????
06a9a008  ???????? ???????? ???????? ????????  ????????????????
06a9a018  ???????? ???????? ???????? ????????  ????????????????
06a9a028  ???????? ???????? ???????? ????????  ????????????????
06a9a038  ???????? ???????? ???????? ????????  ????????????????
0:008> !heap -p -a poi(0x0563cfb0)
    address 06a99fc8 found in
    _DPH_HEAP_ROOT @ 151000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 5087390:          6a99fc8               38 -          6a99000             2000
          mshtml!CGenericElement::`vftable'
    7c918f01 ntdll!RtlAllocateHeap+0x00000e64
    635db42e mshtml!CGenericElement::CreateElement+0x00000018
    635a67f5 mshtml!CreateElement+0x00000043
    637917c0 mshtml!CMarkup::CreateElement+0x000002de
    63791929 mshtml!CDocument::CreateElementHelper+0x00000052
    637918a2 mshtml!CDocument::createElement+0x00000021
    635d3820 mshtml!Method_IDispatchpp_BSTR+0x000000d1
    636430c9 mshtml!CBase::ContextInvokeEx+0x000005d1
    63643595 mshtml!CBase::InvokeEx+0x00000025
    63643832 mshtml!DispatchInvokeCollection+0x0000014b
    635e1cdc mshtml!CDocument::InvokeEx+0x000000f1
    63642f30 mshtml!CBase::VersionedInvokeEx+0x00000020
    63642eec mshtml!PlainInvokeEx+0x000000ea
    633a6d37 jscript!IDispatchExInvokeEx2+0x000000f8
    633a6c75 jscript!IDispatchExInvokeEx+0x0000006a
    633a9cfe jscript!InvokeDispatchEx+0x00000098
```
However, once the script engine's garbage collector runs, the CGenericElement object is released (jscript!VAR::Clear, then CElement::PrivateRelease and CBase::SubRelease into the destructor) and its memory is handed back to the heap. The 0x4C-byte block at 0x0563cfb0 is not updated:

```
eax=037cc598 ebx=037cc548 ecx=04a48d10 edx=633b5f09 esi=070eefa0 edi=037cc538
eip=633b5f09 esp=037cc4f8 ebp=037cc55c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
jscript!JsAtan2:
633b5f09 8bff            mov     edi,edi
0:008> !heap -p -a poi(0x0563cfb0)
    address 06a99fc8 found in
    _DPH_HEAP_ROOT @ 151000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    5087390:          6a99000             2000
    7c927553 ntdll!RtlFreeHeap+0x000000f9
    636b52c6 mshtml!CGenericElement::`vector deleting destructor'+0x0000003d
    63628a50 mshtml!CBase::SubRelease+0x00000022
    63640d1b mshtml!CElement::PrivateRelease+0x00000029
    6363d0ae mshtml!PlainRelease+0x00000025
    63663c03 mshtml!PlainTrackerRelease+0x00000014
    633a10b4 jscript!VAR::Clear+0x0000005c
    6339fb4a jscript!GcContext::Reclaim+0x000000ab
    6339fd33 jscript!GcContext::CollectCore+0x00000113
    63405594 jscript!JsCollectGarbage+0x0000001d
    633a92f7 jscript!NameTbl::InvokeInternal+0x00000137
    633a6650 jscript!VAR::InvokeByDispID+0x0000017c
    633a9c0b jscript!CScriptRuntime::Run+0x00002989
    633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff
    633a59f7 jscript!ScrFncObj::Call+0x0000008f
    633a5743 jscript!CSession::Execute+0x00000175
0:008> dc 0x0563cfb0; .echo; dc poi(0x0563cfb0)
0563cfb0  06a99fc8 00000000 ffff0075 ffffffff  ........u.......
0563cfc0  00000071 00000000 00000000 00000000  q...............
0563cfd0  00000000 0563cfd8 00000152 00000001  ......c.R.......
0563cfe0  00000000 00000000 0563cfc0 00000000  ..........c.....
0563cff0  00000010 00000000 00000000 d0d0d0d0  ................
0563d000  ???????? ???????? ???????? ????????  ????????????????
0563d010  ???????? ???????? ???????? ????????  ????????????????
0563d020  ???????? ???????? ???????? ????????  ????????????????

06a99fc8  ???????? ???????? ???????? ????????  ????????????????
06a99fd8  ???????? ???????? ???????? ????????  ????????????????
06a99fe8  ???????? ???????? ???????? ????????  ????????????????
06a99ff8  ???????? ???????? ???????? ????????  ????????????????
06a9a008  ???????? ???????? ???????? ????????  ????????????????
06a9a018  ???????? ???????? ???????? ????????  ????????????????
06a9a028  ???????? ???????? ???????? ????????  ????????????????
06a9a038  ???????? ???????? ???????? ????????  ????????????????
```
The stale pointer 06a99fc8 is still stored at 0x0563cfb0, but the object it points to is gone: the `????????` shows that full page heap decommitted the page backing the freed block, which is why the next read of that address faults immediately instead of silently reading whatever reused the slot. When the page reloads, the layout pass follows the dangling pointer and crashes in mshtml!CElement::Doc on the very first instruction, the vtable load through ecx:

```
0:008> g
(5f4.2c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=63aae200 ebx=0563cfb0 ecx=06a99fc8 edx=00000000 esi=037cf0b8 edi=00000000
eip=6363fcc4 esp=037cf08c ebp=037cf0a4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc:
6363fcc4 8b01            mov     eax,dword ptr [ecx]  ds:0023:06a99fc8=????????
```

Callstack at the time of the crash (note ebx=0563cfb0 and ecx=06a99fc8: the 0x4C-byte record and the freed element from the dumps above):

```
0:008> k
ChildEBP RetAddr
037cf1f8 63602718 mshtml!CElement::Doc
037cf214 636026a3 mshtml!CTreeNode::ComputeFormats+0xb9
037cf4c0 63612a85 mshtml!CTreeNode::ComputeFormatsHelper+0x44
037cf4d0 63612a45 mshtml!CTreeNode::GetFancyFormatIndexHelper+0x11
037cf4e0 63612a2c mshtml!CTreeNode::GetFancyFormatHelper+0xf
037cf4f0 63717f30 mshtml!CTreeNode::GetFancyFormat+0x35
037cf4fc 63717f4e mshtml!ISpanQualifier::GetFancyFormat+0x5a
037cf50c 63717afe mshtml!SLayoutRun::HasInlineMbp+0x10
037cf51c 63724f88 mshtml!SRunPointer::HasInlineMbp+0x53
037cf554 6373a5a1 mshtml!CLayoutBlock::GetIsEmptyContent+0xf1
037cf58c 6382ed01 mshtml!CLayoutBlock::GetIsEmptyContent+0x3f
037cf5d8 63702e23 mshtml!CBlockContainerBlock::BuildBlockContainer+0x250
037cf610 63708acf mshtml!CLayoutBlock::BuildBlock+0x1c1
037cf6d4 6370bd31 mshtml!CCssDocumentLayout::GetPage+0x22a
037cf844 63668184 mshtml!CCssPageLayout::CalcSizeVirtual+0x242
037cf97c 6368a1cb mshtml!CLayout::CalcSize+0x2b8
037cfa78 6374799d mshtml!CLayout::DoLayout+0x11d
037cfa8c 636514de mshtml!CCssPageLayout::Notify+0x140
037cfa98 636678c6 mshtml!NotifyElement+0x41
```
Patch information:

The fix performs a mshtml!CLayoutBlock::RemoveChild in mshtml!CBlockContainerBlock::BuildBlockContainer before the layout structure access. BuildBlockContainer is the frame in the crash stack that leads through CLayoutBlock::GetIsEmptyContent down to the stale CElement::Doc call, so detaching the child there means the layout pass no longer reaches the freed element. More information about this patch can be found here:
General Information
Vendors
- microsoft
Products
- internet explorer 8
Exploited in the Wild