Published: 12/11/2013 Updated: 14/05/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 975
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The InformationCardSigninHelper Class ActiveX control in icardie.dll in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote malicious users to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted web page that is accessed by Internet Explorer, as exploited in the wild in November 2013, aka "InformationCardSigninHelper Vulnerability."


Metasploit Modules

MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow

This module exploits a vulnerability in the CardSpaceClaimCollection class of the icardie.dll ActiveX control. The vulnerability exists in the handling of the CardSpaceClaimCollection object. CardSpaceClaimCollection stores a collection of elements in a SafeArray and keeps a size field that counts the number of elements in the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. Later, a call to the add() method will use the corrupted length field to compute the address at which to write into the SafeArray data, allowing memory to be corrupted with a pointer to controlled contents. This module achieves code execution by using VBScript, as discovered in the wild in November 2013, to (1) create an array of HTML OBJECT elements, (2) create holes, (3) create a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt one of the legitimate OBJECT elements with the described integer overflow and (5) achieve code execution by forcing the use of the corrupted OBJECT.

msf > use exploit/windows/browser/ms13_090_cardspacesigninhelper
msf exploit(ms13_090_cardspacesigninhelper) > show targets
msf exploit(ms13_090_cardspacesigninhelper) > set TARGET <target-id>
msf exploit(ms13_090_cardspacesigninhelper) > show options
    ...show and set options...
msf exploit(ms13_090_cardspacesigninhelper) > exploit

Github Repositories

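XKungFoo-2013: XKungFoo 2013 "IE 0day Analysis And Exploit". Through the analysis and summary of several IE-related vulnerabilities, this talk introduces how to analyze a vulnerability quickly, deeply and accurately when it occurs in an application as complex, large and closed-source as IE. It mainly uses two IE 0day vulnerabilities, CVE-2013-3893 and CVE-2013-3918, as examples, and through the actual analysis approach and steps...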

Recent Articles

Microsoft Updates November 2013 – Burning the 0day
Securelist • Kurt Baumgartner • 12 Nov 2013

Microsoft’s November 2013 Patch Tuesday delivers a set of three critical Bulletins and five Bulletins rated “important”. This month’s MS13-088 patches eight critical vulnerabilities and two important vulnerabilities in Internet Explorer. Overall, Microsoft is addressing 19 issues in Internet Explorer, Office and Windows itself.
The star of the show is MS13-090 which addresses CVE-2013-3918, an ActiveX vulnerability being attacked through Internet Explorer, revealed on the 8th by th...

Feeling twitchy about nasty IE 0-day? Microsoft promises relief today
The Register • John Leyden • 12 Nov 2013

Patch Tuesday offers balm for latest cyber-blight

An unpatched flaw in Internet Explorer that became the topic of a high-profile warning over the weekend will be patched later on Tuesday, Microsoft promises.
The CVE-2013-3918 vulnerability, affecting an Internet Explorer ActiveX Control, shipped up in active attacks detected by net security firm FireEye, sparking a high-profile warning.
The flaw has already been abused in a variety of attacks by a group linked to the Operation DeputyDog assaults against targets in Japan and China.