CVE-2012-4792 - Use After Free vulnerability in Microsoft Internet Explorer 6/7/8
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
OS | | 16 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability. CVE-2012-4792. Remote exploit for windows platform |
id | EDB-ID:23754 |
last seen | 2016-02-02 |
modified | 2012-12-31 |
published | 2012-12-31 |
reporter | metasploit |
source | https://www.exploit-db.com/download/23754/ |
title | Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability |

description | Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability. CVE-2012-4792. Remote exploit for windows platform |
id | EDB-ID:23785 |
last seen | 2016-02-02 |
modified | 2013-01-02 |
published | 2013-01-02 |
reporter | metasploit |
source | https://www.exploit-db.com/download/23785/ |
title | Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability |
Metasploit
Msbulletin
bulletin_id | MS13-008 |
bulletin_url | |
date | 2013-01-14T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 2799329 |
knowledgebase_url | |
severity | Critical |
title | Security Update for Internet Explorer |
Nessus
NASL family | Windows |
NASL id | SMB_KB2794220.NASL |
description | The remote host is missing the workaround referenced in KB 2794220 (Microsoft |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63372 |
published | 2013-01-02 |
reporter | This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/63372 |
title | MS KB2794220: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated) |

code

```
#@DEPRECATED
#
# Disabled on 2013/01/14. Deprecated by smb_nt_ms13-008.nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(63372);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2012-4792");
  script_bugtraq_id(57070);
  script_xref(name:"CERT", value:"154201");
  script_xref(name:"EDB-ID", value:"23754");
  script_xref(name:"MSKB", value:"2794220");

  script_name(english:"MS KB2794220: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)");
  script_summary(english:"Checks if 'Fix it' 50971 is in use.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host has a web browser installed that is affected by a remote code execution vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is missing the workaround referenced in KB 2794220 (Microsoft 'Fix it' 50971). This workaround mitigates a use-after-free vulnerability in Internet Explorer. Without this workaround enabled, an attacker could exploit this vulnerability by tricking a user into viewing a maliciously crafted web page, resulting in arbitrary code execution. This vulnerability is being actively exploited in the wild. Note that the Microsoft 'Fix it' solution is effective only if the latest available version of 'mshtml.dll' is installed. This plugin has been deprecated due to the publication of MS13-008. Microsoft has released updates that make the workarounds unnecessary. To check for those, use Nessus plugin ID 63522.");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/2794220");
  script_set_attribute(attribute:"solution", value:"Apply Microsoft 'Fix it' 50971.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/12/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion", "SMB/ProductName");
  script_require_ports(139, 445);

  exit(0);
}

exit(0, "This plugin has been deprecated. Use smb_nt_ms13-008.nasl (plugin ID 63522) instead.");

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

get_kb_item_or_exit('SMB/WindowsVersion');
if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

ie_ver = hotfix_check_ie_version();
if (ie_ver !~ "^[678]\.") audit(AUDIT_INST_VER_NOT_VULN, 'IE', ie_ver);

port = kb_smb_transport();
vuln = 0;

registry_init();
handle = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

systemroot = hotfix_get_systemroot();
if(!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');

guid = '{a1447a51-d8b1-4e93-bb19-82bd20da6fd2}';
path = get_registry_value(handle:handle, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\" + guid);

if (isnull(path))
  path = systemroot + "\AppPatch\Custom\" + guid + '.sdb';

RegCloseKey(handle:handle);
close_registry(close:FALSE);

# Now make sure the file is in place
if (hotfix_file_exists(path:path))
  vuln = FALSE;
else
  vuln = TRUE;

hotfix_check_fversion_end();

if (!vuln) audit(AUDIT_HOST_NOT, 'affected');

if (report_verbosity > 0)
{
  report =
    '\nNessus determined the Microsoft \'Fix it\' solution is not in use because' +
    '\nthe following file was not found :\n\n' +
    path + '\n';
  security_hole(port:port, extra:report);
}
else security_hole(port);
```
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS13-008.NASL |
description | The remote host is missing Internet Explorer (IE) Security Update 2799329. The installed version of IE is affected by a vulnerability that could allow an attacker to execute arbitrary code on the remote host. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 63522 |
published | 2013-01-14 |
reporter | This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/63522 |
title | MS13-008: Security Update for Internet Explorer (2799329) |

code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(63522);
  script_version("1.16");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2012-4792");
  script_bugtraq_id(57070);
  script_xref(name:"CERT", value:"154201");
  script_xref(name:"EDB-ID", value:"23754");
  script_xref(name:"MSFT", value:"MS13-008");
  script_xref(name:"MSKB", value:"2799329");

  script_name(english:"MS13-008: Security Update for Internet Explorer (2799329)");
  script_summary(english:"Checks version of Mshtml.dll");

  script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a code execution vulnerability.");
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is missing Internet Explorer (IE) Security Update 2799329. The installed version of IE is affected by a vulnerability that could allow an attacker to execute arbitrary code on the remote host."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-008");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7, 2008 R2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/01/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS13-008';
kb = '2799329';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 7 / 2008 R2
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22185", min_version:"8.0.7601.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.18021", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.21393", min_version:"8.0.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Mshtml.dll", version:"8.0.7600.17185", min_version:"8.0.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / 2008
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23462", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19394", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.22995", min_version:"7.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.18747", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23462", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.19394", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21319", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.17117", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5098", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP x86
  #
  # - Internet Explorer 8
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.23462", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.19394", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 7
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.21319", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.17117", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  # - Internet Explorer 6
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6325", min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
Oval
accepted | 2014-08-18T04:01:35.494-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012. |
family | windows |
id | oval:org.mitre.oval:def:16361 |
status | accepted |
submitted | 2013-01-17T11:16:34 |
title | Internet Explorer Use After Free Vulnerability - MS13-008 |
version | 74 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/119186/ie_cbutton_uaf.rb.txt |
id | PACKETSTORM:119186 |
last seen | 2016-12-05 |
published | 2013-01-02 |
reporter | Eric Romang |
source | https://packetstormsecurity.com/files/119186/Microsoft-Internet-Explorer-CButton-Object-Use-After-Free.html |
title | Microsoft Internet Explorer CButton Object Use-After-Free |

data source | https://packetstormsecurity.com/files/download/119168/ie_cdwnbindinfo_uaf.rb.txt |
id | PACKETSTORM:119168 |
last seen | 2016-12-05 |
published | 2012-12-31 |
reporter | Eric Romang |
source | https://packetstormsecurity.com/files/119168/Microsoft-Internet-Explorer-CDwnBindInfo-Object-Use-After-Free.html |
title | Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free |
Saint
bid | 57070 |
description | Internet Explorer CButton Use After Free Vulnerability |
id | win_patch_ie_v8 |
osvdb | 88774 |
title | ie_cbutton_uaf |
type | client |
Seebug
bulletinFamily | exploit |
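description | BUGTRAQ ID: 57070 CVE(CAN) ID: CVE-2012-4792 Microsoft Internet Explorer is a web browser from Microsoft. Internet Explorer has a use-after-free vulnerability in its handling of the mshtml!CDwnBindInfo object; a remote attacker could exploit it by enticing a user to visit malicious web content, resulting in arbitrary code execution and control of the user's system. This is a 0-day vulnerability and has been found in use in targeted attacks. Unaffected systems: Microsoft Internet Explorer 9.x Microsoft Internet Explorer 10.x 0 Microsoft Internet Explorer 8.x Microsoft Internet Explorer 7.x Microsoft Internet Explorer 6.x Temporary workarounds: If you cannot install a patch or upgrade immediately, we recommend the following measures to reduce the threat: * Until the vendor releases a patch, we recommend that users temporarily switch to a browser that is not based on the IE engine, such as Firefox or Chrome. * Upgrade IE to version 9 or 10, because these two versions of IE are not affected by this vulnerability. * For IE 6, 7 and 8, the following protective measure can be used: use the Enhanced Mitigation Experience Toolkit (EMET) provided by the vendor. This method is effective and does not affect access to normal websites. The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. Download the Enhanced Mitigation Experience Toolkit from the following URL: http://go.microsoft.com/fwlink/?LinkID=200220&clcid=0x409 After installing, run it, click "Configure Apps" in the interface, click "Add" in the dialog, browse to the IE installation directory (usually c:\program files\Internet Explorer\), select iexplore.exe and click "Open"; IE is then added to the list of protected items. Click "OK"; if IE is running, the application needs to be restarted. Other applications can be added to the protection in a similar way. Vendor patch: Microsoft --------- The vendor has not yet provided a patch or upgrade, but has published an advisory for this vulnerability; users are advised to apply the temporary workaround recommended by the vendor: http://technet.microsoft.com/en-us/security/advisory/2794220 |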
id | SSV:60551 |
last seen | 2017-11-19 |
modified | 2012-12-31 |
published | 2012-12-31 |
reporter | Root |
title | Microsoft Internet Explorer 6/7/8 mshtml!CDwnBindInfo Object Use-After-Free Code Execution Vulnerability |
The Hacker News
id | THN:5ACF233F4E37E6A4975B246F2082107C |
last seen | 2017-01-08 |
modified | 2013-01-11 |
published | 2013-01-02 |
reporter | Mohit Kumar |
source | http://thehackernews.com/2013/01/cfr-watering-hole-attack-also-target.html |
title | CFR watering hole attack also target Capstone Turbine Corporation |

id | THN:7ACF921BA3C582C8760C348FD2475BC2 |
last seen | 2017-01-08 |
modified | 2013-10-16 |
published | 2013-10-16 |
reporter | Mohit Kumar |
source | http://thehackernews.com/2013/10/aslr-bypass-techniques-are-popular-with.html |
title | ASLR bypass techniques are popular with APT attacks |
References
- http://technet.microsoft.com/security/advisory/2794220
- http://labs.alienvault.com/labs/index.php/2012/just-another-water-hole-campaign-using-an-internet-explorer-0day/
- http://www.kb.cert.org/vuls/id/154201
- http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html
- http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/
- http://packetstormsecurity.com/files/119168/Microsoft-Internet-Explorer-CDwnBindInfo-Object-Use-After-Free.html
- http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx
- http://blogs.technet.com/b/srd/archive/2012/12/31/microsoft-quot-fix-it-quot-available-for-internet-explorer-6-7-and-8.aspx
- http://www.us-cert.gov/cas/techalerts/TA13-015A.html
- http://www.us-cert.gov/cas/techalerts/TA13-008A.html
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cbutton_uaf.rb
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16361
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-008