The analysis method is the same as the one introduced in the previous post on CVE-2012-4792.
I’m poor at writing in English. 🙂
# Vulnerability Summary:
- CVE #: CVE-2013-1347 (MS Security Advisory 2847140)
- Vulnerability Classification: use-after-free
- Related Object: mshtml!CGenericElement::CGenericElement (CGenericElement::CGenericElement::vftable)
- Affected System: IE8
# Vulnerability Analysis:
A "use-after-free" is a vulnerability caused by a dangling pointer.
The software allocates dynamic memory, creates an object in it, and then keeps referring to that object. For some reason the memory is freed while the reference is still held, so the software crashes (or behaves unpredictably) when it later uses the already freed memory.
I will locate the following three points:
- Create (allocation)
- Free
- Use
This analysis was done on Windows XP SP3 KR with IE8 (the "online memory protection" option disabled).
[Figure] PoC code
1) Object Creation (Allocation)
The class object "mshtml!CGenericElement::CGenericElement" is created.
At this point, the ECX register contains 003381a8, which points to 'mshtml!CGenericElement::CGenericElement::vftable'.
2) Object Free
The memory holding mshtml!CGenericElement::`vftable', 003381a8, is freed after the _free function executes inside "mshtml!CGenericElement::`scalar deleting destructor'".
We find the "Jscript!JsCollectGarbage" function in the call stack.
3) Object Use
The crash (access violation) is caused by referring to the freed memory of "mshtml!CGenericElement::`vftable'".
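The three-point method (create, free, use) applied in the analysis above, as an added example that is not part of the original post: a small C checker that walks a constructed, breakpoint-log style allocation trace and reports the alloc/free/use triple for one address, treating a free followed by a fresh alloc at the same address as a reused, live slot. The address 003381a8 and the two mshtml function names come from this write-up; the bracketed caller names are placeholders.

```c
#include <stdio.h>
#include <string.h>
/* One trace event: "alloc", "free" or "use" of an address, plus the function
 * that performed it (what a breakpoint log of the three points would record). */
typedef struct { const char *kind; unsigned addr; const char *func; } Event;
/* Constructed trace shaped after the write-up: the address and the two mshtml
 * names are from the text, the bracketed callers are placeholders. */
static const Event trace[] = {
    { "alloc", 0x003381a8, "mshtml!CGenericElement::CGenericElement" },
    { "use",   0x003381a8, "<caller while the object is live>" },
    { "free",  0x003381a8, "mshtml!CGenericElement::`scalar deleting destructor'" },
    { "alloc", 0x00340000, "<unrelated allocation>" },
    { "use",   0x003381a8, "<caller reached after JsCollectGarbage>" },
};
#define TRACE_LEN (sizeof trace / sizeof trace[0])

/* Latest event before `from` on `addr` of kind `kind` (any alloc/free if NULL), or -1. */
static long find_prev(const Event *ev, size_t from, unsigned addr, const char *kind)
{
    while (from-- > 0)
        if (ev[from].addr == addr && (kind ? strcmp(ev[from].kind, kind) == 0
                                           : strcmp(ev[from].kind, "use") != 0))
            return (long)from;
    return -1;
}

/* Three-point check: a "use" whose latest alloc/free on the same address is a
 * "free" touches dangling memory; idx[] receives the {alloc, free, use} indexes. */
int find_uaf(const Event *ev, size_t n, long idx[3])
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(ev[i].kind, "use") != 0) continue;
        long j = find_prev(ev, i, ev[i].addr, NULL);
        if (j < 0 || strcmp(ev[j].kind, "free") != 0) continue;   /* live or unknown */
        idx[0] = find_prev(ev, (size_t)j, ev[i].addr, "alloc"); idx[1] = j; idx[2] = (long)i;
        return 1;
    }
    return 0;
}

/* Print the create/free/use triple; returns the index of the dangling use or -1. */
int analyze_trace(void)
{
    long idx[3];
    const char *label[3] = { "create", "free", "use" };
    if (!find_uaf(trace, TRACE_LEN, idx)) return -1;
    for (int k = 0; k < 3; k++)
        if (idx[k] >= 0)
            printf("%-6s: %08x in %s\n", label[k], trace[idx[k]].addr, trace[idx[k]].func);
    return (int)idx[2];
}
```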
##############
Kuhahaha ~
##############