Exploitalert - Database of Exploits

Microsoft Internet Explorer 9 MSHTML CAttrArray Use-After-Free

CVE	Category	Price	Severity
CVE-2014-4141	CWE-416	Unknown	High

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2016-11-01

CPE
cpe:cpe:/a:microsoft:internet_explorer:9.0.0

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope		S	An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2016110016

Microsoft Internet Explorer 9 MSHTML CAttrArray Use-After-FreeThroughout November, I plan to release details on vulnerabilities I found in web-browsers which I've not released before. This is the first entry in that series. The below information is also available on my blog at http://blog.skylined.nl/20161101001.html. There you can find a repro that triggered this issue in addition to the information below. Follow me on twitter.com/berendjanwever for daily browser bugs. MSIE 9 MSHTML CAttrArray use-after-free ======================================= (MS14-056, CVE-2014-4141) Synopsis -------- A specially crafted webpage can cause Microsoft Internet Explorer to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer. Known affected versions, attack vectors and mitigations ------------------------------------------------------- + Microsoft Internet Explorer 9 An attacker would need to get a target user to open a specially crafted webpage. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path. Analysis -------- The CAttrArray object initially allocates a CImplAry buffer of 0x40 bytes, which can store 4 attributes. When the buffer is full, it is grown to 0x60 bytes. A new buffer is allocated at a different location in memory and the contents of the original buffer is copied there. The repro causes the code to do this, but the code continues to access the original buffer after it has been freed. Exploit ------- If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself. Timeline -------- * April 2014: This vulnerability was found through fuzzing. * July 2014: This vulnerability was submitted to [ZDI][]. * July 2014: ZDI reports a collision with a report by another researcher. (From the credits given by Microsoft and ZDI, I surmise that it was Peter 'corelanc0d3r' Van Eeckhoutte of Corelan who reported this issue. * October 2014: Microsoft release MS14-056, which addresses this issue. * November 2016: Details of this issue are released. Cheers, SkyLined

Impressum