Vulnerabilities > CVE-2008-4844 - Resource Management Errors vulnerability in Microsoft Internet Explorer 5.01/6/7

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
CWE-399
nessus
exploit available
metasploit

Summary

Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.

Vulnerable Configurations

Part Description Count
Application
Microsoft
4

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionMS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day. CVE-2008-4844. Remote exploit for windows platform
    fileexploits/windows/remote/7410.html
    idEDB-ID:7410
    last seen2016-02-01
    modified2008-12-10
    platformwindows
    port
    published2008-12-10
    reportermuts
    sourcehttps://www.exploit-db.com/download/7410/
    titleMicrosoft Internet Explorer - XML Parsing Buffer Overflow Exploit Vista 0day
    typeremote
  • descriptionInternet Explorer Data Binding Memory Corruption. CVE-2008-4844. Remote exploit for windows platform
    idEDB-ID:16583
    last seen2016-02-02
    modified2010-09-20
    published2010-09-20
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16583/
    titleMicrosoft Internet Explorer - Data Binding Memory Corruption
  • descriptionMS Internet Explorer XML Parsing Remote Buffer Overflow Exploit 0day. CVE-2008-4844. Remote exploit for windows platform
    fileexploits/windows/remote/7403.txt
    idEDB-ID:7403
    last seen2016-02-01
    modified2008-12-10
    platformwindows
    port
    published2008-12-10
    reporterGuido Landi
    sourcehttps://www.exploit-db.com/download/7403/
    titleMicrosoft Internet Explorer - XML Parsing Remote Buffer Overflow Exploit 0day
    typeremote
  • idEDB-ID:7477
  • idEDB-ID:7583

Metasploit

descriptionThis module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there.
idMSF:EXPLOIT/WINDOWS/BROWSER/MS08_078_XML_CORRUPTION
last seen2020-05-26
modified2019-05-23
published2010-02-10
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms08_078_xml_corruption.rb
titleMS08-078 Microsoft Internet Explorer Data Binding Memory Corruption

Msbulletin

bulletin_idMS08-078
bulletin_url
date2008-12-09T00:00:00
impactRemote Code Execution
knowledgebase_id960714
knowledgebase_url
severityCritical
titleSecurity Update for Internet Explorer

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS08-078.NASL
descriptionThe remote host is missing the IE security update 960714. The remote version of IE is vulnerable to a memory corruption which may allow an attacker to execute arbitrary code on the remote host.
last seen2020-06-01
modified2020-06-02
plugin id35221
published2008-12-17
reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/35221
titleMS08-078: Microsoft Internet Explorer Security Update (960714)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(35221);
 script_version("1.31");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2008-4844");
 script_bugtraq_id(32721);
 script_xref(name:"CERT", value:"493881");
 script_xref(name:"MSFT", value:"MS08-078");
 script_xref(name:"MSKB", value:"960714");

 script_name(english:"MS08-078: Microsoft Internet Explorer Security Update (960714)");
 script_summary(english:"Determines the presence of update 960714");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the web
client.");
 script_set_attribute(attribute:"description", value:
"The remote host is missing the IE security update 960714.

The remote version of IE is vulnerable to a memory corruption which may
allow an attacker to execute arbitrary code on the remote host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-078");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista and 2008.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');
 script_cwe_id(399);

 script_set_attribute(attribute:"vuln_publication_date", value:"2008/12/09");
 script_set_attribute(attribute:"patch_publication_date", value:"2008/12/17");
 script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/17");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS08-078';
kb = '960714';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'1,2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"6.0", file:"Mshtml.dll", version:"8.0.6001.22342", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", file:"Mshtml.dll", version:"8.0.6001.18247", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Mshtml.dll", version:"7.0.6001.22328", min_version:"7.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Mshtml.dll", version:"7.0.6001.18183", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.20973", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.16788", dir:"\system32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Mshtml.dll", version:"6.0.3790.3261", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.4426", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"8.0.6001.22342", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"8.0.6001.18247", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"7.0.6000.20973", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"7.0.6000.16788", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.1", file:"Mshtml.dll", version:"8.0.6001.22342", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", file:"Mshtml.dll", version:"8.0.6001.18247", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", file:"Mshtml.dll", version:"7.0.6000.20973", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", file:"Mshtml.dll", version:"7.0.6000.16788", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.5726", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mshtml.dll", version:"6.0.2900.3492", dir:"\system32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"6.0.2800.1619", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"5.0.3872.1000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2014-08-18T04:06:06.621-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • namePooja Shetty
    organizationSecPod Technologies
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft Windows 2000 is installed
    ovaloval:org.mitre.oval:def:85
  • commentMicrosoft Internet Explorer 6 is installed
    ovaloval:org.mitre.oval:def:563
  • commentMicrosoft Windows 2000 is installed
    ovaloval:org.mitre.oval:def:85
  • commentMicrosoft Internet Explorer 5.01 SP4 is installed
    ovaloval:org.mitre.oval:def:325
  • commentMicrosoft Windows XP is installed
    ovaloval:org.mitre.oval:def:105
  • commentMicrosoft Internet Explorer 6 is installed
    ovaloval:org.mitre.oval:def:563
  • commentMicrosoft Windows XP (32-bit) is installed
    ovaloval:org.mitre.oval:def:1353
  • commentMicrosoft Internet Explorer 6 is installed
    ovaloval:org.mitre.oval:def:563
  • commentMicrosoft Internet Explorer 6 is installed
    ovaloval:org.mitre.oval:def:563
  • commentMicrosoft Windows XP x64 is installed
    ovaloval:org.mitre.oval:def:15247
  • commentMicrosoft Windows Server 2003 (32-bit) is installed
    ovaloval:org.mitre.oval:def:1870
  • commentMicrosoft Windows Server 2003 (x64) is installed
    ovaloval:org.mitre.oval:def:730
  • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
    ovaloval:org.mitre.oval:def:396
  • commentMicrosoft Internet Explorer 6 is installed
    ovaloval:org.mitre.oval:def:563
  • commentMicrosoft Windows Server 2003 (32-bit) is installed
    ovaloval:org.mitre.oval:def:1870
  • commentMicrosoft Windows Server 2003 (x64) is installed
    ovaloval:org.mitre.oval:def:730
  • commentMicrosoft Windows XP x64 is installed
    ovaloval:org.mitre.oval:def:15247
  • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
    ovaloval:org.mitre.oval:def:396
  • commentMicrosoft Internet Explorer 7 is installed
    ovaloval:org.mitre.oval:def:627
  • commentMicrosoft Windows XP is installed
    ovaloval:org.mitre.oval:def:105
  • commentMicrosoft Windows Server 2003 (32-bit) is installed
    ovaloval:org.mitre.oval:def:1870
  • commentMicrosoft Windows Server 2003 (x64) is installed
    ovaloval:org.mitre.oval:def:730
  • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
    ovaloval:org.mitre.oval:def:396
  • commentMicrosoft Windows Vista is installed
    ovaloval:org.mitre.oval:def:228
  • commentMicrosoft Windows XP x64 is installed
    ovaloval:org.mitre.oval:def:15247
  • commentMicrosoft Windows Server 2008 is installed
    ovaloval:org.mitre.oval:def:12824
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Internet Explorer 7 is installed
    ovaloval:org.mitre.oval:def:627
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Internet Explorer 7 is installed
    ovaloval:org.mitre.oval:def:627
descriptionUse-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.
familywindows
idoval:org.mitre.oval:def:6007
statusaccepted
submitted2009-02-10T16:00:00
titlePointer Reference Memory Corruption Vulnerability
version75

Packetstorm

Saint

bid32721
descriptionInternet Explorer XML data binding memory corruption
idwin_patch_ie_v5,win_patch_ie_v6,win_patch_ie_v7,win_patch_ie_v8
osvdb50622
titleie_xml_span
typeclient

References