Vulnerability & Exploit Database

Back to search

MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called "onselect". The "onselect" event will allow us to set up for the actual event handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer object can be forced by using an "Unselect" (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/windows/browser/ms13_080_cdisplaypointer

Authors

  • Unknown
  • sinn3r <sinn3r [at] metasploit.com>

References

Targets

  • Automatic
  • IE 7 on Windows XP SP3
  • IE 8 on Windows XP SP3
  • IE 8 on Windows 7

Platforms

  • windows

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/ms13_080_cdisplaypointer msf exploit(ms13_080_cdisplaypointer) > show targets ...targets... msf exploit(ms13_080_cdisplaypointer) > set TARGET <target-id> msf exploit(ms13_080_cdisplaypointer) > show options ...show and set options... msf exploit(ms13_080_cdisplaypointer) > exploit

Related Vulnerabilities