Microsoft Windows IE Vulnerability attacks spotted in the wild

January 23, 2014

The Dell SonicWALL Threats Research team has found an Internet Explorer vulnerability (CVE-2013-2551) still being exploited in the wild.
This use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code
via a crafted web site that triggers access to a deleted object.

This vulnerability has already been patched.

Following is an in-depth analysis of the attack.

Below is the crash code:

Due to this vulnerability, the attacker is able to control data in memory. In this case, it is from address 0x0c0c0c0c.

The crash point:

The malicious JavaScript used to create a ROP chain is as follows:

We can see how the ROP chain translates into memory:

The stack trace:

We can see how the memory at 0x0c0c0c0c is being written into.

Dell SonicWALL protects against this threat with the following signatures:

  • IPS: 9897 Windows IE VML shape object Memory Corruption 1 (MS13-037)
  • IPS: 9915 Windows IE VML shape object Memory Corruption 2 (MS13-037)