
CVE-2013-1347 IE CGenericElement zero-day vulnerability


 

The analysis method is the same as the one introduced previously for CVE-2012-4792.

I’m poor at writing in English. :)

 

# Vulnerability Summary:

  • CVE # : CVE-2013-1347 (MS Security Advisory 2847140)
  • Vulnerability Classification : use-after-free
  • Related Object : mshtml!CGenericElement::CGenericElement (CGenericElement::CGenericElement::vftable)
  • Affected System : IE8

 

# Vulnerability Analysis:

“Use-after-free” is a vulnerability caused by a dangling pointer.

The software allocates dynamic memory, creates an object in it, and then refers to that object. For some reason, however, the memory is freed while a reference to it remains, so the software crashes when it uses the already freed memory.

I’ll find the following three points:

  • Create (allocation)
  • Free
  • Use

 

This analysis was done on Windows XP SP3 KR with IE8 (“online memory protection” option disabled).

 

[Figure: PoC code]

1)  Object Creation (Allocation)

The class object “mshtml!CGenericElement::CGenericElement” is created.

At this point, the ECX register contains “003381a8”, which points to ‘mshtml!CGenericElement::CGenericElement::vftable’.

 

 

2) Object Free

The memory for mshtml!CGenericElement::`vftable’, 003381a8, is freed after the _free function executes in “mshtml!CGenericElement::`scalar deleting destructor’”.

We find the “Jscript!JsCollectGarbage” function in the call stack.

 

3) Object Use

The crash (access violation) is caused by referring to the freed memory for “mshtml!CGenericElement::`vftable’”.
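The three points above (create, free, use), modelled as an added example that is not code from the original post or from mshtml: references are generation-stamped handles rather than raw pointers, so a use after the free is rejected instead of calling through a freed vftable. All names (`Element`, `Handle`, `element_*`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical model: these names are illustrative, not mshtml internals. */
typedef struct Element Element;
typedef struct { int (*tag_id)(const Element *); } VTable;  /* stands in for a vftable */
struct Element { const VTable *vft; int id; };
static int generic_tag_id(const Element *e) { return e->id; }
static const VTable generic_vft = { generic_tag_id };
/* A reference is a (slot, generation) handle instead of a raw pointer. */
#define SLOTS 8
typedef struct { unsigned slot, gen; } Handle;
static struct { Element *obj; unsigned gen; } table[SLOTS];
/* Returns the live object, or NULL when the handle is stale or invalid. */
static Element *resolve(Handle h) {
    if (h.slot >= SLOTS || table[h.slot].gen != h.gen) return NULL;
    return table[h.slot].obj;
}
/* 1) Create: allocate the object and stamp the handle with the slot generation. */
Handle element_create(int id) {
    unsigned i;
    for (i = 0; i < SLOTS && table[i].obj; i++) {}
    Element *e = (i < SLOTS) ? malloc(sizeof *e) : NULL;
    if (!e) abort();
    e->vft = &generic_vft; e->id = id;
    table[i].obj = e;
    return (Handle){ i, table[i].gen };
}
/* 2) Free: release the memory and bump the generation so old handles go stale. */
int element_free(Handle h) {
    Element *e = resolve(h);
    if (!e) return -1;
    free(e);
    table[h.slot].obj = NULL; table[h.slot].gen++;
    return 0;
}

/* 3) Use: make the virtual call only if the handle still names a live object. */
int element_tag_id(Handle h, int *out) {
    Element *e = resolve(h);
    if (!e) return -1;
    *out = e->vft->tag_id(e);
    return 0;
}

int main(void) {
    Handle h = element_create(1);
    int v = 0, freed = element_free(h);  /* the free happens while h is still held */
    printf("free rc=%d, use after free rc=%d\n", freed, element_tag_id(h, &v));
    return 0;
}
```

The stale handle keeps failing even after its slot is handed to a new object, because the generation no longer matches.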

 

##############

Kuhahaha ~

##############

