CVE-2013-3893 - Resource Management Errors vulnerability in Microsoft Internet Explorer

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, microsoft, CWE-399, critical, nessus, exploit available, metasploit

Summary

Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

Exploit-Db

description: Microsoft Internet Explorer SetMouseCapture Use-After-Free. CVE-2013-3893. Remote exploit for windows platform
id: EDB-ID:28682
last seen: 2016-02-03
modified: 2013-10-02
published: 2013-10-02
reporter: metasploit
source: https://www.exploit-db.com/download/28682/
title: Microsoft Internet Explorer SetMouseCapture Use-After-Free

Metasploit

  • description: This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of an "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called "onselect". The "onselect" event will allow us to set up for the actual event handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer object can be forced by using an "Unselect" (other approaches also apply), but a reference to this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.
    id: MSF:EXPLOIT/WINDOWS/BROWSER/MS13_080_CDISPLAYPOINTER
    last seen: 2020-06-02
    modified: 2017-09-09
    published: 2013-10-12
    reporter: Rapid7
    source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
    title: MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
  • description: This module exploits a use-after-free vulnerability that currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc., were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker can first set up two elements, where the second is the child of the first, and then set up an onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte block of memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and passed on to more functions; eventually this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
    id: MSF:EXPLOIT/WINDOWS/BROWSER/IE_SETMOUSECAPTURE_UAF
    last seen: 2020-06-07
    modified: 2020-02-18
    published: 2013-09-29
    reporter: Rapid7
    source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
    title: MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free

Msbulletin

bulletin_id: MS13-080
date: 2013-10-08T00:00:00
impact: Remote Code Execution
knowledgebase_id: 2879017
severity: Critical
title: Cumulative Security Update for Internet Explorer

Nessus

  • NASL family: Windows
    NASL id: SMB_KB2887505.NASL
    description: The remote host is missing one of the workarounds referenced in KB 2887505. The remote version of Internet Explorer (IE) reportedly has a memory corruption vulnerability related to how IE accesses an object in memory that has been deleted or has not been properly allocated. By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.
    last seen: 2017-10-29
    modified: 2017-08-30
    plugin id: 69931
    published: 2013-09-17
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=69931
    title: MS KB2887505: Vulnerability in Internet Explorer Could Allow Remote Code Execution
    code:
    #%NASL_MIN_LEVEL 999999
    
    #@DEPRECATED@
    #
    # Disabled on 2013/10/08.  Deprecated by smb_nt_ms13-080.nasl
    
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(69931);
      script_version("1.9");
      script_cvs_date("Date: 2018/07/27 18:38:15");
    
      script_cve_id("CVE-2013-3893");
      script_bugtraq_id(62453);
      script_xref(name:"MSKB", value:"2887505");
    
      script_name(english:"MS KB2887505: Vulnerability in Internet Explorer Could Allow Remote Code Execution");
      script_summary(english:"Checks if workarounds referenced in KB article have been applied.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote host is affected by a remote code execution vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is missing one of the workarounds referenced in KB
    2887505.
    
    The remote version of Internet Explorer (IE) reportedly has a memory
    corruption vulnerability related to how IE accesses an object in memory
    that has been deleted or has not been properly allocated.  By exploiting
    this flaw, a remote, unauthenticated attacker could execute arbitrary
    code on the remote host subject to the privileges of the user running
    the affected application.");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/advisory/2887505");
      script_set_attribute(
        attribute:"solution",
        value:
    "Apply the IE settings workarounds suggested by Microsoft in the
    advisory, or apply the MSHTML Shim workaround in the Microsoft
    'Fix it' solution."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft Internet Explorer SetMouseCapture Use-After-Free');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/09/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/17");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      script_dependencies("microsoft_emet_installed.nasl", "smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
      script_require_ports(139, 445);
      exit(0);
    }
    
    exit(0, 'This plugin has been deprecated.  Use plugin #70332 (smb_nt_ms13-080.nasl) instead.');
    
    include('audit.inc');
    include('global_settings.inc');
    include("smb_hotfixes.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    
    if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    registry_init();
    
    hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
    
    systemroot = hotfix_get_systemroot();
    if(!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');
    
    guid = '{55aab41f-5d5c-abdf-4568-baef76587bd7}';
    path = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\" + guid);
    RegCloseKey(handle:hklm);
    
    if (isnull(path)) path = systemroot + "\AppPatch\Custom\" + guid + '.sdb';
    
    # Now make sure the file is in place
    if (hotfix_file_exists(path:path))
    {
      hotfix_check_fversion_end();
      exit(0, "The host is not affected since the Microsoft 'Fix it' has been applied.");
    }
    
    # hotfix_file_exists calls NetUseDel(close:FALSE), so we must reconnect
    registry_init();
    
    
    emet_info = '';
    
    emet_installed = FALSE;
    emet_with_ie   = FALSE;
    
    if (!isnull(get_kb_item("SMB/Microsoft/EMET/Installed")))
      emet_installed = TRUE;
    
    # Check if EMET is configured with IE.
    # The workaround does not specifically ask to enable DEP
    # but if IE is configured with EMET, dep is enabled by default.
    
    emet_list = get_kb_list("SMB/Microsoft/EMET/*");
    if (!isnull(emet_list))
    {
      foreach entry (keys(emet_list))
      {
        if ("iexplore.exe" >< entry && "/dep" >< entry)
        {
          dep = get_kb_item(entry);
          if (!isnull(dep) && dep == 1)
            emet_with_ie = TRUE;
        }
      }
    }
    
    if (!emet_installed)
    {
      emet_info =
      '\n  Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +
      '\n  installed.';
    }
    else if (emet_installed)
    {
      if (!emet_with_ie)
      {
        emet_info =
        '\n  Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +
        '\n  installed, however Internet Explorer is not configured with EMET.';
      }
    }
    
    info_user_settings = '';
    
    # check mitigation per user
    hku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);
    subkeys = get_registry_subkeys(handle:hku, key:'');
    
    foreach key (subkeys)
    {
      if ('.DEFAULT' >< key || 'Classes' >< key ||
         key =~ "^S-1-5-\d{2}$") # skip built-in accounts
        continue;
    
      mitigation = FALSE;
    
    # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
      key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel';
      key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel';
    
      value = get_registry_value(handle:hku, item:key + key_part_intranet);
      value1 = get_registry_value(handle:hku, item:key + key_part_internet);
    
      if (isnull(value) && isnull(value1))
        continue;
    
      # 0x00012000 = 73728 = High Security
      if (!isnull(value) && !isnull(value1) &&
         value == 73728 && value1 == 73728)
        mitigation = TRUE;
    
    # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone"
      key_part_intranet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400';
      key_part_internet = '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400';
    
      value = get_registry_value(handle:hku, item:key + key_part_intranet);
      value1 = get_registry_value(handle:hku, item:key + key_part_internet);
    
      # 1 = prompt, 3 = disable
      if (!isnull(value) && !isnull(value1) &&
         (value == 1 || value == 3) && (value1 == 1 || value1 == 3))
        mitigation = TRUE;
    
      if (!mitigation)
        info_user_settings += '\n    ' + key + ' (Active Scripting Enabled)';
    }
    
    RegCloseKey(handle:hku);
    
    hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
    
    # check if user settings have been overriden by what is in HKLM
    # note: Security_HKLM_only can be set by group policy
    value = get_registry_value(handle:hklm, item:'SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only');
    
    if (info_user_settings != '' && !isnull(value) && value == 1)
    {
      mitigation = FALSE;
    
    # "Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones"
      key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\CurrentLevel';
      key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\CurrentLevel';
    
      value = get_registry_value(handle:hklm, item:key_part_intranet);
      value1 = get_registry_value(handle:hklm, item:key_part_internet);
    
      # 0x00012000 = 73728 = High Security
      if (!isnull(value) && !isnull(value1) &&
         value == 73728 && value1 == 73728)
        mitigation = TRUE;
    
    # "Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone"
      key_part_intranet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1400';
      key_part_internet = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1400';
    
      value = get_registry_value(handle:hklm, item:key_part_intranet);
      value1 = get_registry_value(handle:hklm, item:key_part_internet);
    
      # 1 = prompt, 3 = disable
      if (!isnull(value) && !isnull(value1) &&
         (value == 1 || value == 3) && (value1 == 1 || value1 == 3))
        mitigation = TRUE;
    
      if (mitigation)
        info_user_settings = '';
    }
    
    RegCloseKey(handle:hklm);
    
    close_registry();
    
    if (info_user_settings != '')
    {
      port = get_kb_item('SMB/transport');
      if (!port) port = 445;
    
      if (report_verbosity > 0)
      {
        if (emet_info != '')
          report =
          '\n  The remote host is missing the MSHTML Shim workaround and the' +
          '\n  following users have vulnerable IE settings :' + info_user_settings + '\n' + emet_info + '\n';
        else
          report =
          '\n  The remote host is missing the MSHTML Shim workaround and the' +
          '\n  following users have vulnerable IE settings :' + info_user_settings + '\n';
    
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else exit(0, "The host is not affected since a workaround has been applied.");
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS13-080.NASL
    description: The remote host is missing Internet Explorer (IE) Security Update 2879017. The installed version of IE is affected by multiple vulnerabilities that could allow an attacker to execute arbitrary code on the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 70332
    published: 2013-10-09
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/70332
    title: MS13-080: Cumulative Security Update for Internet Explorer (2879017)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(70332);
      script_version("1.18");
      script_cvs_date("Date: 2018/11/15 20:50:31");
    
      script_cve_id(
        "CVE-2013-3872",
        "CVE-2013-3873",
        "CVE-2013-3874",
        "CVE-2013-3875",
        "CVE-2013-3882",
        "CVE-2013-3885",
        "CVE-2013-3886",
        "CVE-2013-3893",
        "CVE-2013-3897"
      );
      script_bugtraq_id(
        62803,
        62804,
        62805,
        62806,
        62808,
        62809,
        62810,
        62811,
        62453
      );
      script_xref(name:"MSFT", value:"MS13-080");
      script_xref(name:"MSKB", value:"2879017");
    
      script_name(english:"MS13-080: Cumulative Security Update for Internet Explorer (2879017)");
      script_summary(english:"Checks version of Mshtml.dll");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is affected by multiple code execution
    vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is missing Internet Explorer (IE) Security Update
    2879017.
    
    The installed version of IE is affected by multiple vulnerabilities that
    could allow an attacker to execute arbitrary code on the remote host."
      );
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-232/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-233/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-234/");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-236/");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-080");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,
    2008 R2, 8, 2012, 8.1, and 2012 R2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/09/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS13-080';
    kb = '2879017';
    
    kbs = make_list(kb, '2884101');
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Windows 8.1 / 2012 R2
      #
      # - Internet Explorer 11
      hotfix_is_vulnerable(os:"6.3", file:"Mshtml.dll", version:"11.0.9600.16412", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:'2884101') ||
      # Windows 8 / 2012
      #
      # - Internet Explorer 10
      hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.20831", min_version:"10.0.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.2", file:"Mshtml.dll", version:"10.0.9200.16721", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    
      # Windows 7 / 2008 R2
      # - Internet Explorer 11
      hotfix_is_vulnerable(os:"6.1", arch:"x86", sp:1, file:"Mshtml.dll", version:"11.0.9600.16411", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", arch:"x64", sp:1, file:"Mshtml.dll", version:"11.0.9600.16410", min_version:"11.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 10
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.20831", min_version:"10.0.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"10.0.9200.16721", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 9
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.20625", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"9.0.8112.16514", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.22464", min_version:"8.0.7601.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"Mshtml.dll", version:"8.0.7601.18269", min_version:"8.0.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    
      # Vista / 2008
      #
      # - Internet Explorer 9
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.20625", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"9.0.8112.16514", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.23532", min_version:"8.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"8.0.6001.19475", min_version:"8.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 7
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.23226", min_version:"7.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Mshtml.dll", version:"7.0.6002.18945", min_version:"7.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
    
      # Windows 2003 / XP 64-bit
      #
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"8.0.6001.23532", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 7
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"7.0.6000.21357", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 6
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.5226",  min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
    
      # Windows XP x86
      #
      # - Internet Explorer 8
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"8.0.6001.23532", min_version:"8.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 7
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"7.0.6000.21357", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
      # - Internet Explorer 6
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Mshtml.dll", version:"6.0.2900.6452",  min_version:"6.0.2900.0", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Oval

accepted: 2014-08-18T04:02:01.658-04:00
class: vulnerability
contributors:
  • name: SecPod Team
    organization: SecPod Technologies
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  • comment: Microsoft Internet Explorer 6 is installed
    oval: oval:org.mitre.oval:def:563
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
    oval: oval:org.mitre.oval:def:396
  • comment: Microsoft Internet Explorer 7 is installed
    oval: oval:org.mitre.oval:def:627
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Server 2003 (ia64) Gold is installed
    oval: oval:org.mitre.oval:def:396
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft Internet Explorer 8 is installed
    oval: oval:org.mitre.oval:def:6210
  • comment: Microsoft Windows XP (32-bit) is installed
    oval: oval:org.mitre.oval:def:1353
  • comment: Microsoft Windows XP x64 is installed
    oval: oval:org.mitre.oval:def:15247
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
  • comment: Microsoft Windows Server 2003 (x64) is installed
    oval: oval:org.mitre.oval:def:730
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows 7 (32-bit) is installed
    oval: oval:org.mitre.oval:def:6165
  • comment: Microsoft Windows 7 x64 Edition is installed
    oval: oval:org.mitre.oval:def:5950
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval: oval:org.mitre.oval:def:5954
  • comment: Microsoft Internet Explorer 9 is installed
    oval: oval:org.mitre.oval:def:11985
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows 7 (32-bit) is installed
    oval: oval:org.mitre.oval:def:6165
  • comment: Microsoft Windows 7 x64 Edition is installed
    oval: oval:org.mitre.oval:def:5950
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Internet Explorer 10 is installed
    oval: oval:org.mitre.oval:def:15751
  • comment: Microsoft Windows 7 (32-bit) is installed
    oval: oval:org.mitre.oval:def:6165
  • comment: Microsoft Windows 7 x64 Edition is installed
    oval: oval:org.mitre.oval:def:5950
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Windows 8 (x86) is installed
    oval: oval:org.mitre.oval:def:14914
  • comment: Microsoft Windows 8 (x64) is installed
    oval: oval:org.mitre.oval:def:15571
  • comment: Microsoft Windows Server 2012 (64-bit) is installed
    oval: oval:org.mitre.oval:def:15585
  • comment: Microsoft Internet Explorer 11 is installed
    oval: oval:org.mitre.oval:def:18343
  • comment: Microsoft Windows 8.1 is installed
    oval: oval:org.mitre.oval:def:18863
  • comment: Microsoft Windows Server 2012 R2 is installed
    oval: oval:org.mitre.oval:def:18858
description: Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
family: windows
id: oval:org.mitre.oval:def:18665
status: accepted
submitted: 2013-10-15T09:59:37
title: Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893) - MS13-080
version: 78

Saint

bid: 62453
description: Internet Explorer HTML Rendering Engine onLoseCapture Use-After-Free Vulnerability
id: win_patch_ie_v6,win_patch_ie_v7,win_patch_ie_v8,win_patch_ie_v9,win_patch_ie_v10
osvdb: 97380
title: ie_onlosecapture_event_uaf
type: client

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:61034
    last seen: 2017-11-19
    modified: 2013-09-18
    published: 2013-09-18
    reporter: Root
    title: Microsoft IE MSHTML Memory Corruption Remote Code Execution Vulnerability (CVE-2013-3893)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:82516
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-82516
    title: MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
