[CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution
Vulnerability

CVE ID: CVE-2012-1874
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0023microsoft-ie-developer-toolbar-remote-code-execution-vulnerability/

1 Affected Products

tested :Internet Explorer 9.0.8112.16421
also affected IE8

2 Vulnerability Details

Code Audit Labs http://www.vulnhunt.com has discovered a use after free
vulnerability in IE developer toolbar.

IE developer toolbar register a global console object, and add bulitin
members as
CFunctionPointer with reference to console object, but not add reference
count correctly.
if access console object's property, it return a CFunctionPointer, so it
cause a use after
free vulnerability, which can cause Remote Code Execution.

3 Analysis

asm in jsdbgui.dll

.text:1000B172 ; private: void __thiscall
CConsole::AddAllBuiltinMembers(void)
.text:1000B172 ?AddAllBuiltinMembers@CConsole@@AAEXXZ proc near
.text:1000B172 ; CODE XREF:
ATL::CComObject<CConsole>::CreateInstance(ATL::CComObject<CConsole> *
*)+62p
.text:1000B172
.text:1000B172 var_10 = dword ptr -10h
.text:1000B172 var_4 = dword ptr -4
.text:1000B172
.text:1000B172 push 4
.text:1000B174 mov eax, offset loc_10039274
.text:1000B179 call __EH_prolog3
.text:1000B17E mov edi, ecx
.text:1000B180 push 4
.text:1000B182 pop esi
.text:1000B183 push esi ; dwBytes
.text:1000B184 call ??2@YAPAXI@Z ; operator new(uint)
.text:1000B189 pop ecx
.text:1000B18A mov [ebp+var_10], eax
.text:1000B18D and [ebp+var_4], 0
.text:1000B191 test eax, eax
.text:1000B193 jz short loc_1000B1A3
.text:1000B195 push offset aLog ; "log"
.text:1000B19A mov ecx, eax
.text:1000B19C call
??0?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@QAE@PBG@Z
;
ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>(ushort
const *)
.text:1000B1A1 jmp short loc_1000B1A5
.text:1000B1A3 ;

.text:1000B1A3
.text:1000B1A3 loc_1000B1A3: ; CODE XREF:
CConsole::AddAllBuiltinMembers(void)+21j
.text:1000B1A3 xor eax, eax
.text:1000B1A5
.text:1000B1A5 loc_1000B1A5: ; CODE XREF:
CConsole::AddAllBuiltinMembers(void)+2Fj
.text:1000B1A5 push eax
.text:1000B1A6 or ebx, 0FFFFFFFFh
.text:1000B1A9 push 1
.text:1000B1AB mov ecx, edi
.text:1000B1AD mov [ebp+var_4], ebx
.text:1000B1B0 call
?AddBuiltinMethod@CParentExpando@@IAEXJPAV?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@Z
;
CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>
*)
.text:1000B1B5 push esi ; dwBytes

.text:10021E5B push [ebp+arg_0]
.text:10021E5E mov ecx, edi
.text:10021E60 push esi
.text:10021E61 call
?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z ;
CFunctionPointer::SetMethod(CParentExpando *,long)
.text:10021E66 push [ebp+var_10]
.text:10021E69 mov ecx, esi
.text:10021E6B push [ebp+arg_0]
.text:10021E6E call
?SetValue@CParentExpando@@IAEJJPAUIDispatch@@@Z ;
CParentExpando::SetValue(long,IDispatch *)
.text:10021E73 mov eax, [ebp+var_10]

.text:1001B29B ; public: void __thiscall
CFunctionPointer::SetMethod(class CParentExpando *, long)
.text:1001B29B ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z
proc near
.text:1001B29B ; CODE XREF:
CParentExpando::AddBuiltinMethod(long,ATL::CStringT<ushort,ATL::StrTraitATL<ushort,ATL::ChTraitsCRT<ushort>>>
*)+4Ap
.text:1001B29B
.text:1001B29B arg_0 = dword ptr 8
.text:1001B29B arg_4 = dword ptr 0Ch
.text:1001B29B
.text:1001B29B mov edi, edi
.text:1001B29D push ebp
.text:1001B29E mov ebp, esp
.text:1001B2A0 mov eax, [ebp+arg_0]
.text:1001B2A3 mov [ecx+8], eax
.text:1001B2A6 mov eax, [ebp+arg_4]
.text:1001B2A9 mov [ecx+0Ch], eax
.text:1001B2AC pop ebp
.text:1001B2AD retn 8
.text:1001B2AD ?SetMethod@CFunctionPointer@@QAEXPAVCParentExpando@@J@Z endp

4 Exploitable?

if overwrite freed memory with controlled content, combined with heap
spray, can cause remote code execution.

5 Crash info:

ModLoad: 00110000 001c8000 C:\Program Files (x86)\Internet
Explorer\iexplore.exe
(1564.18e8): Access violation - code c0000005 (!!! second chance !!!)
eax=0a1202d0 ebx=0365cc90 ecx=0a0afc70 edx=6e1effff esi=00000000
edi=0365cc48
eip=088b0000 esp=0365cbd8 ebp=0365cbf0 iopl=0 nv up ei pl zr na
pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010246
088b0000 ?? ???
0:005> kb 3
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0365cbd4 6e1fb3ac 00000004 0365cc90 003a3718 0x88b0000
0365cbf0 5f69e657 0a1202d0 00000000 00000001
jsdbgui!CFunctionPointer::InvokeEx+0xbc
0365cc64 5f658fa8 0365cc90 0365cd48 00000008
jscript9!DispatchHelper::GetDispatchValue+0x9d

6 TIMELINE:

2012/1/15 code audit labs of vulnhunt.com discover this issue
2012/1/20 we begin analyze
2012/2/20 we comfirmed this is an exploitable vulnerability. report to
Microsoft
2012/2/21 Microsoft reply got the report.
2012/6/14 Microsoft public this bulletin.

7 About Code Audit Labs:

Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt