[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Two Remote Code Execution Vulnerabilities in Internet Explorer



#######################################################################
Vulnerability 1: Internet Explorer Select Element Remote Code Execution
#######################################################################

Original advisory:
http://ifsec.blogspot.com/2011/10/internet-explorer-select-element-remote.html

I. OVERVIEW

There is a vulnerability in Internet Explorer which enables execution
of arbitrary code if the user visits a web page controlled by the
attacker. The vulnerability is caused by incorrectly validating
integer parameter passed to the 'add' method of the Select HTML
element. This vulnerability has been observed in Internet Explorer 8.
The vulnerability has been patched by Microsoft on October 11, 2011.

II. THE BUG

The bug is caused by incorrectly validating integer parameter passed
to the 'add' method of the Select HTML element under certain
conditions. The 'add' method of the Select HTML element is used to add
an Option to the Select element. It accepts two parameters:
1. An Option object to be added
2. An integer, specifying the index of the new Option element
Under certain conditions, the second parameter is not properly
validated, which can lead to corrupting memory at arbitrary address
and, in turn, code execution.

III. IMPACT

The vulnerability can be used to execute arbitrary code in the context
of the currently logged in user if the user visits a specially crafted
web page. JavaScript needs to be enabled in order for the attacker to
be able to exploit the vulnerability (it is enabled by default in all
versions of Internet Explorer).

IV. PoC

A PoC exploit that demonstrates reliable code execution on Internet
Explorer 8 on Windows 7 SP1 has been developed. The release of the
exploit code is planned on a later date, once everyone has had plenty
of time to patch.
However, the description of the method that was used to bypass ASLR
and otherwise enable reliable code execution can be found here:
http://ifsec.blogspot.com/2011/06/memory-disclosure-technique-for.html

V. REFERENCES

http://ifsec.blogspot.com/2011/10/internet-explorer-select-element-remote.html
http://technet.microsoft.com/en-us/security/bulletin/ms11-081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1999
http://www.zerodayinitiative.com/advisories/published/


#######################################################################
Vulnerability 2: Internet Explorer Option Element Remote Code Execution
#######################################################################

Original advisory:
http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html

I. OVERVIEW

There is a vulnerability in Internet Explorer which enables execution
of arbitrary code if the user visits a web page controlled by the
attacker. The vulnerability is caused by an use-after-free bug
triggered by accessing a previously deleted Option element. This
vulnerability has been observed in Internet Explorer versions 6, 7 and
8. The vulnerability has been patched by Microsoft on October 11,
2011.

II. THE BUG

In Internet Explorer, the implementation of Select HTML element
contains an array of pointers to the Option elements the Select
element contains. This array is called the Option cache. Normally,
whenever an Option element inside a Select element is accessed via
JavaScript, Option cache is rebuilt, thus ensuring its consistency.
However, there are some JavaScript methods that can be used to delete
and modify the Option elements contained inside the Select element
without rebuilding the Option cache. In combination, these methods
enable modifying a previously deleted Option element.

III. IMPACT

The vulnerability can be used to execute arbitrary code in the context
of the currently logged in user if the user visits a specially crafted
web page. JavaScript needs to be enabled in order for the attacker to
be able to exploit the vulnerability (it is enabled by default in all
versions of Internet Explorer).

IV. PoC

A PoC exploit that demonstrates code execution has been developed.
However, due to the severity of the vulnerability, release of the
exploit code is not planned at this time.

V. REFERENCES

http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html
http://technet.microsoft.com/en-us/security/bulletin/ms11-081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1996
http://www.zerodayinitiative.com/advisories/published/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/