Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Microsoft Internet Explorer 9 CDoc::ExecuteScriptUri Use-After-Free

Related Vulnerabilities: CVE-2013-0019  
Publish Date: 04 Dec 2016
Author: SkyLined
Source 
                							

                Since November I have been releasing details on all vulnerabilities I
found in web-browsers that I had not released before. I will try to
continue to publish all my old vulnerabilities, including those not in
web-browser, as long as I can find some time to do so. If you find this
information useful, you can help me make some time available by donating
bitcoin to 183yyxa9s1s1f7JBpAPHPmzAQ346y91Rx5DX.

This is the twenty-fourth entry in the series. This information is
available in more detail on my blog at
http://blog.skylined.nl/20161202001.html. There you can find a repro
that triggered this issue in addition to the information below.

Today's release is interesting to me personally, as this was the first
bug I sold as a bug bounty hunter after I quit my job at Google to live
off security bug bounties. Unfortunately, this was quite some time ago,
before I had proper tools or incentive to analyze the issues I was
finding, so there aren't many details in this release.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 9 CDoc::ExecuteScriptUri use-after-free
==========================================
(MS13-009, CVE-2013-0019)

Synopsis
--------
A specially crafted web-page can trigger a use-after-free vulnerability
in Microsoft Internet Explorer 9. I did not investigate this
vulnerability thoroughly, so I cannot speculate on the potential impact
or exploitability.

Known affected software and attack vectors
------------------------------------------
* Microsoft Internet Explorer 9

  An attacker would need to get a target user to open a specially
  crafted web-page. Disabling JavaScript does not prevent an attacker
  from triggering the vulnerable code path.

Description
-----------
It appears I either did not analyze this issue (probably), or misplaced
my analysis (probably not), as I cannot find any details in my archives,
other than a repro and a HTML bug report created by a predecessor to
BugId (https://github.com/SkyLined/BugId).
From the information provided by ZDI in their advisory, and Microsoft in
their bulletin, as well as the bug report, it seems to have been a
use-after-free vulnerability. Unfortunately, that is all the analysis I
can provide.

Time-line
---------
* June 2012: This vulnerability was found through fuzzing.
* June 2012: This vulnerability was submitted to ZDI.
* July 2012: This vulnerability was acquired by ZDI.
* September 2012: This vulnerability was disclosed to Microsoft by ZDI.
* February 2013: Microsoft addresses this vulnerability in MS13-009.
* December 2016: Details of this vulnerability are released.

Cheers,

SkyLined


Repro.html

<iframe style="border:1px solid red;width:100%;height:100%;" name="iframe"></iframe>
<script>
    window.open("Repro.xml", "iframe");
    setATimeout(function () {
      window.open('javascript:void(location.href = "about:blank");', "iframe");
    }, 1000);
</script>

Repro.xml

<!DOCTYPE x PUBLIC "" "http://www.w3.org/TRt.dtd">
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started