CVSSv2: 9.3

CVE-2013-3893

Published: 18/09/2013 Updated: 12/10/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 831
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote malicious users to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

Affected Products

Vendor      Product             Versions
Microsoft   Internet Explorer   6, 7, 8, 9, 10, 11

Exploits

      ##
      # This file is part of the Metasploit Framework and may be subject to
      # redistribution and commercial restrictions. Please see the Metasploit
      # Framework web site for more information on licensing and terms of use.
      # metasploit.com/framework/
      ##

      require 'msf/core'

      class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking
        i ...

Mailing Lists

This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch ...
This Metasploit module exploits a use-after-free vulnerability that targets Internet Explorer 9 on Windows 7. The flaw most likely exists in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc., were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCap ...

Metasploit Modules

MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free

This module exploits a use-after-free vulnerability that currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc., were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can set up two elements, where the second is the child of the first, and then set up an onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is made, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees a 0x54-byte memory block. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and passed on to more functions; eventually this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

      msf > use exploit/windows/browser/ie_setmousecapture_uaf
      msf exploit(ie_setmousecapture_uaf) > show targets
            ...targets...
      msf exploit(ie_setmousecapture_uaf) > set TARGET <target-id>
      msf exploit(ie_setmousecapture_uaf) > show options
            ...show and set options...
      msf exploit(ie_setmousecapture_uaf) > exploit

Github Repositories

BrowserSecurity: Downloading and building the Chromium source; IE8 heap overflow vulnerability CVE-2012-1876; CVE-2013-3893 IE UAF vulnerability analysis; building Chromium on Win10

XKungFoo-2013: XKungFoo 2013 "IE 0day Analysis And Exploit". Through the analysis and summary of several IE-related vulnerabilities, this talk introduces how to perform fast, in-depth and accurate analysis when a vulnerability appears in a complex, large application without source code such as IE. It uses two IE 0day vulnerabilities, CVE-2013-3893 and CVE-2013-3918, as examples, walking through the actual analysis approach and steps for ...

From noob to 0day developer. Introduction: the reason why I'm writing this kind of how-to on becoming an exploit writer is because I was in the same boat as you, so I had to research link by link to find the right ones. I call this kind of how-to course "from noob to hero", covering the basics of penetration testing up to the hottest topics such as sandbox escape. The inspirat...

APT Notes: This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports. ARCHIVED! THIS REPO IS NOW MAINTAINED AT github.com/aptnotes/data. Please update your bookmarks. This repo is backported only once in a while. The new repo makes it easier for automation. To add ...

Awesome Advanced Windows Exploitation References: List of Awesome Advanced Windows Exploitation References. This list is for anyone wishing to upgrade their Windows exploitation knowledge. Anyway, this is a living resource and will be updated regularly with the latest research articles/talks of awesome researchers. Kudos to all original authors of each research ref. You can help by s...

APT & CyberCriminal Campaign Collection: This is a collection of APT and CyberCriminal campaigns. Please file an issue to me if any APT/Malware events/campaigns are missing. 🤷 The password of malware samples could be 'virus' or 'infected'. URL to PDF Tool: Print Friendly & PDF. Reference Resources: kbandla APTnotes, Florian Roth - APT Groups, Attack Wiki

APT & CyberCriminal Campaign Collection: This is a collection of APT and CyberCriminal campaigns. Please file an issue to me if any APT/Malware events/campaigns are missing. 🤷 The password of malware samples could be 'virus' or 'infected'. Reference Resources: kbandla APTnotes, Florian Roth - APT Groups, Attack Wiki, threat-INTel, targetedthreats, Raw Threat Intel

Exploit Development: Case Studies This repository is intended as a personal list of exploit development case studies I stumble upon during my work My categorization is not very granular — I'm skipping differentiation between user-mode and kernel-mode, as well as type of the software being exploited Exploit primitives are what's really important, therefore the

Recent Articles

Windows Crash Reports Used to Find Zero-Day Attacks
Threatpost • Michael Mimoso • 19 Feb 2014

Windows Error Reporting, also known as Dr. Watson reports, are Windows crash reports sent by default unencrypted to Microsoft, which uses them to fix bugs. The reports are rich with system data that Microsoft also uses to enhance user interaction with its products. Since, however, they are sent in clear text back to Redmond, they are also at risk for interception by hackers who can use the system data to blueprint potential vulnerabilities in order to ultimately exploit them.
While it may ...

New York Times hackers linked to Japan Ichitaro attacks
The Register • Phil Muncaster • 18 Nov 2013

Backdoors targeting government victims

Security experts have uncovered attacks exploiting a zero day vulnerability in Japan’s most popular word processing software, bearing all the hallmarks of a Chinese group blamed for last year's New York Times hack.
Ichitaro developer, JustSystems, announced a remote code execution vulnerability in multiple versions of the software last week.
Symantec has claimed, in a blog post, that it had already detected attacks in the wild attempting to exploit this vulnerability, which could l...

Happy 10th b-day, Patch Tuesday: TWO critical IE 0-day bugs, did you say?
The Register • John Leyden • 09 Oct 2013

A decade on, Microsoft pushes out 8 bulletins – half of 'em critical bug squishes

Microsoft delivered no fewer than eight bulletins to mark the tenth anniversary of Patch Tuesday, including a fix covering two zero-day vulnerabilities in Internet Explorer.
A critical patch for all supported versions of IE covers a well-anticipated fix for the CVE-2013-3893 vulnerability, which has been associated with cyber espionage-style attacks against targets in Japan, Taiwan and elsewhere in Asia since late August.
Microsoft also released a bonus extra fix for another in-the-w...

Microsoft Updates October 2013
Securelist • Kurt Baumgartner • 08 Oct 2013

Microsoft’s 2013 Treehouse of Horror Bulletins include a long list of fixes for memory corruption vulnerabilities affecting mostly previous versions of the software, and not the latest versions. Of immediate interest to most Windows users are the critical vulnerabilities being patched in Internet Explorer, multiple Windows drivers, and the .Net Framework which even affects the latest versions of Windows 8 and Windows Server 2012. Systems administrators at organizations also may pay immediate a...

October Patch Tuesday Fixes Critical IE Bugs, 28 Vulnerabilities
Threatpost • Chris Brook • 08 Oct 2013

As expected, Microsoft began shipping its latest batch of Patch Tuesday patches earlier this afternoon. However, while it was heavily presumed the update would fix at least one Internet Explorer zero day, the update actually fixes two critical vulnerabilities in the browser.
Eight bulletins — four critical — and 28 vulnerabilities in total are addressed by the update, the 10th anniversary release of the company’s popular flaw remediation program.
Naturally, at the top of the ...

Hang in there, Internet Explorer peeps: Gaping zero-day fix coming Tues
The Register • John Leyden • 04 Oct 2013

What a way to celebrate a DECADE of Patch Tuesday rollouts

Microsoft is preparing to close a wide-open security hole in Internet Explorer - a vulnerability state-backed spies are exploiting to mine organisations across Asia.
An update to fix the flaw is among four critical patches Redmond has lined up for the October edition of Patch Tuesday, due next week. Versions 6 through to 11 of the web browser are known to be vulnerable.
The use-after-free bug in Internet Explorer [CVE-2013-3893] allows attackers to execute arbitrary code on a victim's...

Internet Explorer vulnerability will finally be patched on Tuesday after “months” of attacks
welivesecurity • Rob Waugh • 04 Oct 2013

Internet Explorer users will be a great deal safer from Tuesday onwards, after Microsoft announced a patch for a vulnerability that has been exploited by attackers “for months” according to reports.
The vulnerability has been used in targeted attacks against users in Japan and Taiwan, according to ComputerWorld, and experts feared that less-capable hackers would use the exploit after it was released as a module for the popular penetration-testing tool Metasploit.
The vulnerabil...

Targeted Exploit
Securelist • Anton Ivanov • 03 Oct 2013

In September Microsoft published information about a new Internet Explorer vulnerability – CVE-2013-3893. The vulnerability affects IE versions 6 through 11 for platforms from Windows XP through Windows 8.1. Later in September, the company released a patch closing the vulnerability.
Cybercriminals are happy to exploit such vulnerabilities because they are easy to monetize – Internet Explorer remains popular.
This type of vulnerability is very dangerous because it allows t...

Here be dragons: Explorer “in dangerous territory” after public IE exploit release?
welivesecurity • Rob Waugh • 02 Oct 2013

An exploit for a vulnerability which affects all versions of Microsoft’s Internet Explorer has been released as a module for the popular penetration testing tool Metasploit – sparking fears of a new wave of attacks.
The open-source tool is used to test vulnerabilities, but Lucian Constantin of the IDG News Service said, “An exploit for a vulnerability that affects all versions of Internet Explorer and has yet to be patched by Microsoft has been integrated into the open-source Metaspl...

Hackers just POURING through unpatched Internet Explorer zero-day hole
The Register • John Leyden • 01 Oct 2013

Oh, sysadmins. It's so much worse than we feared – report

An as-yet-unpatched zero-day vulnerability affecting Internet Explorer is being abused much more widely than analysts had previously suspected.
The vulnerability first came to public attention last week with the Operation DeputyDog attacks against targets in Japan, as first reported by net security firm FireEye.
Websense, FireEye and AlienVault have since reported more malware-flinging campaigns exploiting this vulnerability. Several groups are using an exploit that takes advantage o...

Three New Attacks Using IE Zero-Day Exploit
Threatpost • Chris Brook • 01 Oct 2013

Attackers are continuing to pile on a critical Internet Explorer zero day that remains unpatched two weeks after it was reported.
During the last two weeks, it appears that at least three separate targeted attack campaigns have been using the same bug previously used by Operation Deputy Dog, a campaign that wound up compromising Japanese media outlets and tech systems in the middle of September.
Researchers at FireEye initially discovered the DeputyDog campaign – which leveraged th...

Metasploit Module Released for IE Zero Day
Threatpost • Michael Mimoso • 01 Oct 2013

It’s been 14 days since Microsoft issued an advisory and temporary mitigation for a zero-day vulnerability in Internet Explorer, one being actively exploited in the wild and called by some experts as severe a browser bug as you can have.
Yet users have since had little more to shield them from these active attacks than a Fix It tool released by Microsoft on Sept. 17. In the meantime, exploits have already taken down a number of Japanese media sites in a watering hole attack targeting gov...

DeputyDog attack targets latest IE zero day
The Register • Phil Muncaster • 23 Sep 2013

Bit9 attackers aim malware at Japanese 'entities'

Security researchers have spotted two new targeted attack campaigns aimed at organisations in Japan, China and elsewhere in Asia, one of which exploits a zero day exploit in Internet Explorer revealed only last week.
Operation DeputyDog is targeted at “entities in Japan”, using the IE vulnerability CVE-2013-3893 which Microsoft released an emergency patch for last Tuesday, according to security firm FireEye.
The payload for the attack, first detected by FireEye at the end of Augu...

Redmond slips out temporary emergency fix for IE 0-day
The Register • Richard Chirgwin • 17 Sep 2013

Remote code execution vuln

Stepping outside its normal Patch Tuesday cycle, Microsoft has rolled out an emergency fix to an Internet Explorer bug that was under active malware attack.
This advisory provides access to “Fix it For Me”, with a more detailed outline of the CVE-2013-3893 vulnerability here. All versions of IE 6 to 10 are affected.
As Microsoft writes, the vulnerability “exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocat...