Wednesday, October 12, 2011

Internet Explorer Select Element Remote Code Execution

Overview

There is a vulnerability in Internet Explorer which enables execution of arbitrary code if the user visits a web page controlled by the attacker. The vulnerability is caused by incorrectly validating integer parameter passed to the 'add' method of the Select HTML element. This vulnerability has been observed in Internet Explorer 8. The vulnerability has been patched by Microsoft on October 11, 2011.

The bug

The bug is caused by incorrectly validating integer parameter passed to the 'add' method of the Select HTML element under certain conditions. The 'add' method of the Select HTML element is used to add an Option to the Select element. It accepts two parameters:
1. An Option object to be added
2. An integer, specifying the index of the new Option element
Under certain conditions, the second parameter is not properly validated, which can lead to corrupting memory at arbitrary address and, in turn, code execution.

Impact

The vulnerability can be used to execute arbitrary code in the context of the currently logged in user if the user visits a specially crafted web page. JavaScript needs to be enabled in order for the attacker to be able to exploit the vulnerability (it is enabled by default in all versions of Internet Explorer).

PoC

A PoC exploit that demonstrates reliable code execution on Internet Explorer 8 on Windows 7 SP1 has been developed. The release of the exploit code is planned on a later date, once everyone has had plenty of time to patch.
However, the description of the method that was used to bypass ASLR and otherwise enable reliable code execution can be found here.

References


Internet Explorer Option Element Remote Code Execution

Overview

There is a vulnerability in Internet Explorer which enables execution of arbitrary code if the user visits a web page controlled by the attacker. The vulnerability is caused by an use-after-free bug triggered by accessing a previously deleted Option element. This vulnerability has been observed in Internet Explorer versions 6, 7 and 8. The vulnerability has been patched by Microsoft on October 11, 2011.

The bug

In Internet Explorer, the implementation of Select HTML element contains an array of pointers to the Option elements the Select element contains. This array is called the Option cache. Normally, whenever an Option element inside a Select element is accessed via JavaScript, Option cache is rebuilt, thus ensuring its consistency. However, there are some JavaScript methods that can be used to delete and modify the Option elements contained inside the Select element without rebuilding the Option cache. In combination, these methods enable modifying a previously deleted Option element.

Impact

The vulnerability can be used to execute arbitrary code in the context of the currently logged in user if the user visits a specially crafted web page. JavaScript needs to be enabled in order for the attacker to be able to exploit the vulnerability (it's enabled by default in all versions of Internet Explorer).

PoC

An PoC exploit that demonstrates code execution has been developed. However, due to the severity of the vulnerability, release of the exploit code is not planned at this time.

References