CVE-2008-4844 - Resource Management Errors vulnerability in Microsoft Internet Explorer 5.01/6/7
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day. CVE-2008-4844. Remote exploit for windows platform |
file | exploits/windows/remote/7410.html |
id | EDB-ID:7410 |
last seen | 2016-02-01 |
modified | 2008-12-10 |
platform | windows |
port | |
published | 2008-12-10 |
reporter | muts |
source | https://www.exploit-db.com/download/7410/ |
title | Microsoft Internet Explorer - XML Parsing Buffer Overflow Exploit Vista 0day |
type | remote |

description | Internet Explorer Data Binding Memory Corruption. CVE-2008-4844. Remote exploit for windows platform |
id | EDB-ID:16583 |
last seen | 2016-02-02 |
modified | 2010-09-20 |
published | 2010-09-20 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16583/ |
title | Microsoft Internet Explorer - Data Binding Memory Corruption |

description | MS Internet Explorer XML Parsing Remote Buffer Overflow Exploit 0day. CVE-2008-4844. Remote exploit for windows platform |
file | exploits/windows/remote/7403.txt |
id | EDB-ID:7403 |
last seen | 2016-02-01 |
modified | 2008-12-10 |
platform | windows |
port | |
published | 2008-12-10 |
reporter | Guido Landi |
source | https://www.exploit-db.com/download/7403/ |
title | Microsoft Internet Explorer - XML Parsing Remote Buffer Overflow Exploit 0day |
type | remote |

id | EDB-ID:7477 |

id | EDB-ID:7583 |
Metasploit
description | This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there. |
id | MSF:EXPLOIT/WINDOWS/BROWSER/MS08_078_XML_CORRUPTION |
last seen | 2020-05-26 |
modified | 2019-05-23 |
published | 2010-02-10 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms08_078_xml_corruption.rb |
title | MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption |
Msbulletin
bulletin_id | MS08-078 |
bulletin_url | |
date | 2008-12-09T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 960714 |
knowledgebase_url | |
severity | Critical |
title | Security Update for Internet Explorer |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS08-078.NASL |
description | The remote host is missing the IE security update 960714. The remote version of IE is vulnerable to a memory corruption which may allow an attacker to execute arbitrary code on the remote host. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 35221 |
published | 2008-12-17 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/35221 |
title | MS08-078: Microsoft Internet Explorer Security Update (960714) |
code | |
Oval
accepted | 2014-08-18T04:06:06.621-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008. |
family | windows |
id | oval:org.mitre.oval:def:6007 |
status | accepted |
submitted | 2009-02-10T16:00:00 |
title | Pointer Reference Memory Corruption Vulnerability |
version | 75 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/86162/ms08_078_xml_corruption.rb.txt |
id | PACKETSTORM:86162 |
last seen | 2016-12-05 |
published | 2010-02-12 |
reporter | H D Moore |
source | https://packetstormsecurity.com/files/86162/Microsoft-Internet-Explorer-Data-Binding-Memory-Corruption.html |
title | Microsoft Internet Explorer Data Binding Memory Corruption |

data source | https://packetstormsecurity.com/files/download/82971/ie_xml_corruption.rb.txt |
id | PACKETSTORM:82971 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | H D Moore |
source | https://packetstormsecurity.com/files/82971/Microsoft-Internet-Explorer-Data-Binding-Memory-Corruption.html |
title | Microsoft Internet Explorer Data Binding Memory Corruption |
Saint
bid | 32721 |
description | Internet Explorer XML data binding memory corruption |
id | win_patch_ie_v5,win_patch_ie_v6,win_patch_ie_v7,win_patch_ie_v8 |
osvdb | 50622 |
title | ie_xml_span |
type | client |
References
- http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx
- http://code.google.com/p/inception-h2hc/
- http://isc.sans.org/diary.html?storyid=5458
- http://marc.info/?l=bugtraq&m=123015308222620&w=2
- http://secunia.com/advisories/33089
- http://www.avertlabs.com/research/blog/index.php/2008/12/09/yet-another-unpatched-drive-by-exploit-found-on-the-web/
- http://www.breakingpointsystems.com/community/blog/patch-tuesdays-and-drive-by-sundays
- http://www.kb.cert.org/vuls/id/493881
- http://www.microsoft.com/technet/security/advisory/961051.mspx
- http://www.scanw.com/blog/archives/303
- http://www.securityfocus.com/bid/32721
- http://www.securitytracker.com/id?1021381
- http://www.us-cert.gov/cas/techalerts/TA08-344A.html
- http://www.us-cert.gov/cas/techalerts/TA08-352A.html
- http://www.vupen.com/english/advisories/2008/3391
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-078
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6007
- https://www.exploit-db.com/exploits/7403
- https://www.exploit-db.com/exploits/7410
- https://www.exploit-db.com/exploits/7477
- https://www.exploit-db.com/exploits/7583