Vulnerabilities > CVE-2008-4844 - Resource Management Errors vulnerability in Microsoft Internet Explorer 5.01/6/7

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-399

critical

nessus

exploit available

metasploit

NVD

Published: 2008-12-11

Updated: 2018-10-12

Summary

Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 6 Microsoft Internet Explorer 7	4

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Exploit-Db

description	MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day. CVE-2008-4844. Remote exploit for windows platform
file	exploits/windows/remote/7410.html
id	EDB-ID:7410
last seen	2016-02-01
modified	2008-12-10
platform	windows
port
published	2008-12-10
reporter	muts
source	https://www.exploit-db.com/download/7410/
title	Microsoft Internet Explorer - XML Parsing Buffer Overflow Exploit Vista 0day
type	remote

description	Internet Explorer Data Binding Memory Corruption. CVE-2008-4844. Remote exploit for windows platform
id	EDB-ID:16583
last seen	2016-02-02
modified	2010-09-20
published	2010-09-20
reporter	metasploit
source	https://www.exploit-db.com/download/16583/
title	Microsoft Internet Explorer - Data Binding Memory Corruption

description	MS Internet Explorer XML Parsing Remote Buffer Overflow Exploit 0day. CVE-2008-4844. Remote exploit for windows platform
file	exploits/windows/remote/7403.txt
id	EDB-ID:7403
last seen	2016-02-01
modified	2008-12-10
platform	windows
port
published	2008-12-10
reporter	Guido Landi
source	https://www.exploit-db.com/download/7403/
title	Microsoft Internet Explorer - XML Parsing Remote Buffer Overflow Exploit 0day
type	remote

id EDB-ID:7477
id EDB-ID:7583

Metasploit

description	This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there.
id	MSF:EXPLOIT/WINDOWS/BROWSER/MS08_078_XML_CORRUPTION
last seen	2020-05-26
modified	2019-05-23
published	2010-02-10
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4844 https://web.archive.org/web/20080913064223/http://taossa.com/archive/bh08sotirovdowd.pdf
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms08_078_xml_corruption.rb
title	MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption

Msbulletin

bulletin_id	MS08-078
bulletin_url
date	2008-12-09T00:00:00
impact	Remote Code Execution
knowledgebase_id	960714
knowledgebase_url
severity	Critical
title	Security Update for Internet Explorer

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS08-078.NASL
description	The remote host is missing the IE security update 960714. The remote version of IE is vulnerable to a memory corruption which may allow an attacker to execute arbitrary code on the remote host.
last seen	2020-06-01
modified	2020-06-02
plugin id	35221
published	2008-12-17
reporter	This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/35221
title	MS08-078: Microsoft Internet Explorer Security Update (960714)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(35221); script_version("1.31"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2008-4844"); script_bugtraq_id(32721); script_xref(name:"CERT", value:"493881"); script_xref(name:"MSFT", value:"MS08-078"); script_xref(name:"MSKB", value:"960714"); script_name(english:"MS08-078: Microsoft Internet Explorer Security Update (960714)"); script_summary(english:"Determines the presence of update 960714"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the web client."); script_set_attribute(attribute:"description", value: "The remote host is missing the IE security update 960714. The remote version of IE is vulnerable to a memory corruption which may allow an attacker to execute arbitrary code on the remote host."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-078"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(399); script_set_attribute(attribute:"vuln_publication_date", value:"2008/12/09"); script_set_attribute(attribute:"patch_publication_date", value:"2008/12/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS08-078'; kb = '960714'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'1,2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"6.0", file:"Mshtml.dll", version:"8.0.6001.22342", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", file:"Mshtml.dll", version:"8.0.6001.18247", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:1, file:"Mshtml.dll", version:"7.0.6001.22328", min_version:"7.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:1, file:"Mshtml.dll", version:"7.0.6001.18183", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.20973", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.16788", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:1, file:"Mshtml.dll", version:"6.0.3790.3261", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.4426", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"8.0.6001.22342", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"8.0.6001.18247", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"7.0.6000.20973", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"7.0.6000.16788", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", file:"Mshtml.dll", version:"8.0.6001.22342", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", file:"Mshtml.dll", version:"8.0.6001.18247", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", file:"Mshtml.dll", version:"7.0.6000.20973", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", file:"Mshtml.dll", version:"7.0.6000.16788", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.5726", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mshtml.dll", version:"6.0.2900.3492", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"6.0.2800.1619", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"5.0.3872.1000", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2014-08-18T04:06:06.621-04:00

class

vulnerability

contributors

name Dragos Prisaca
organization Gideon Technologies, Inc.
name Pooja Shetty
organization SecPod Technologies
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Windows 2000 is installed
oval oval:org.mitre.oval:def:85
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows 2000 is installed
oval oval:org.mitre.oval:def:85
comment Microsoft Internet Explorer 5.01 SP4 is installed
oval oval:org.mitre.oval:def:325
comment Microsoft Windows XP is installed
oval oval:org.mitre.oval:def:105
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows XP (32-bit) is installed
oval oval:org.mitre.oval:def:1353
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows XP x64 is installed
oval oval:org.mitre.oval:def:15247
comment Microsoft Windows Server 2003 (32-bit) is installed
oval oval:org.mitre.oval:def:1870
comment Microsoft Windows Server 2003 (x64) is installed
oval oval:org.mitre.oval:def:730
comment Microsoft Windows Server 2003 (ia64) Gold is installed
oval oval:org.mitre.oval:def:396
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows Server 2003 (32-bit) is installed
oval oval:org.mitre.oval:def:1870
comment Microsoft Windows Server 2003 (x64) is installed
oval oval:org.mitre.oval:def:730
comment Microsoft Windows XP x64 is installed
oval oval:org.mitre.oval:def:15247
comment Microsoft Windows Server 2003 (ia64) Gold is installed
oval oval:org.mitre.oval:def:396
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627
comment Microsoft Windows XP is installed
oval oval:org.mitre.oval:def:105
comment Microsoft Windows Server 2003 (32-bit) is installed
oval oval:org.mitre.oval:def:1870
comment Microsoft Windows Server 2003 (x64) is installed
oval oval:org.mitre.oval:def:730
comment Microsoft Windows Server 2003 (ia64) Gold is installed
oval oval:org.mitre.oval:def:396
comment Microsoft Windows Vista is installed
oval oval:org.mitre.oval:def:228
comment Microsoft Windows XP x64 is installed
oval oval:org.mitre.oval:def:15247
comment Microsoft Windows Server 2008 is installed
oval oval:org.mitre.oval:def:12824
comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627
comment Microsoft Windows Server 2008 (32-bit) is installed
oval oval:org.mitre.oval:def:4870
comment Microsoft Windows Server 2008 (ia-64) is installed
oval oval:org.mitre.oval:def:5667
comment Microsoft Windows Server 2008 (64-bit) is installed
oval oval:org.mitre.oval:def:5356
comment Microsoft Windows Vista (32-bit) is installed
oval oval:org.mitre.oval:def:1282
comment Microsoft Windows Vista x64 Edition is installed
oval oval:org.mitre.oval:def:2041
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627

description

family

windows

oval:org.mitre.oval:def:6007

status

accepted

submitted

2009-02-10T16:00:00

title

Pointer Reference Memory Corruption Vulnerability

version

Packetstorm

data source	https://packetstormsecurity.com/files/download/86162/ms08_078_xml_corruption.rb.txt
id	PACKETSTORM:86162
last seen	2016-12-05
published	2010-02-12
reporter	H D Moore
source	https://packetstormsecurity.com/files/86162/Microsoft-Internet-Explorer-Data-Binding-Memory-Corruption.html
title	Microsoft Internet Explorer Data Binding Memory Corruption

data source	https://packetstormsecurity.com/files/download/82971/ie_xml_corruption.rb.txt
id	PACKETSTORM:82971
last seen	2016-12-05
published	2009-11-26
reporter	H D Moore
source	https://packetstormsecurity.com/files/82971/Microsoft-Internet-Explorer-Data-Binding-Memory-Corruption.html
title	Microsoft Internet Explorer Data Binding Memory Corruption

Saint

bid	32721
description	Internet Explorer XML data binding memory corruption
id	win_patch_ie_v5,win_patch_ie_v6,win_patch_ie_v7,win_patch_ie_v8
osvdb	50622
title	ie_xml_span
type	client

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Metasploit

Msbulletin

Nessus

Oval

Packetstorm

Saint

References