Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27165
HistoryOct 16, 2011 - 12:00 a.m.

Two Remote Code Execution Vulnerabilities in Internet Explorer

2011-10-1600:00:00
vulners.com
25
JSON

#######################################################################
Vulnerability 1: Internet Explorer Select Element Remote Code Execution
#######################################################################

Original advisory:
http://ifsec.blogspot.com/2011/10/internet-explorer-select-element-remote.html

I. OVERVIEW

There is a vulnerability in Internet Explorer which enables execution
of arbitrary code if the user visits a web page controlled by the
attacker. The vulnerability is caused by incorrectly validating
integer parameter passed to the 'add' method of the Select HTML
element. This vulnerability has been observed in Internet Explorer 8.
The vulnerability has been patched by Microsoft on October 11, 2011.

II. THE BUG

The bug is caused by incorrectly validating integer parameter passed
to the 'add' method of the Select HTML element under certain
conditions. The 'add' method of the Select HTML element is used to add
an Option to the Select element. It accepts two parameters:

  1. An Option object to be added
  2. An integer, specifying the index of the new Option element
    Under certain conditions, the second parameter is not properly
    validated, which can lead to corrupting memory at arbitrary address
    and, in turn, code execution.

III. IMPACT

The vulnerability can be used to execute arbitrary code in the context
of the currently logged in user if the user visits a specially crafted
web page. JavaScript needs to be enabled in order for the attacker to
be able to exploit the vulnerability (it is enabled by default in all
versions of Internet Explorer).

IV. PoC

A PoC exploit that demonstrates reliable code execution on Internet
Explorer 8 on Windows 7 SP1 has been developed. The release of the
exploit code is planned on a later date, once everyone has had plenty
of time to patch.
However, the description of the method that was used to bypass ASLR
and otherwise enable reliable code execution can be found here:
http://ifsec.blogspot.com/2011/06/memory-disclosure-technique-for.html

V. REFERENCES

http://ifsec.blogspot.com/2011/10/internet-explorer-select-element-remote.html
http://technet.microsoft.com/en-us/security/bulletin/ms11-081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1999
http://www.zerodayinitiative.com/advisories/published/

#######################################################################
Vulnerability 2: Internet Explorer Option Element Remote Code Execution
#######################################################################

Original advisory:
http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html

I. OVERVIEW

There is a vulnerability in Internet Explorer which enables execution
of arbitrary code if the user visits a web page controlled by the
attacker. The vulnerability is caused by an use-after-free bug
triggered by accessing a previously deleted Option element. This
vulnerability has been observed in Internet Explorer versions 6, 7 and
8. The vulnerability has been patched by Microsoft on October 11,
2011.

II. THE BUG

In Internet Explorer, the implementation of Select HTML element
contains an array of pointers to the Option elements the Select
element contains. This array is called the Option cache. Normally,
whenever an Option element inside a Select element is accessed via
JavaScript, Option cache is rebuilt, thus ensuring its consistency.
However, there are some JavaScript methods that can be used to delete
and modify the Option elements contained inside the Select element
without rebuilding the Option cache. In combination, these methods
enable modifying a previously deleted Option element.

III. IMPACT

The vulnerability can be used to execute arbitrary code in the context
of the currently logged in user if the user visits a specially crafted
web page. JavaScript needs to be enabled in order for the attacker to
be able to exploit the vulnerability (it's enabled by default in all
versions of Internet Explorer).

IV. PoC

An PoC exploit that demonstrates code execution has been developed.
However, due to the severity of the vulnerability, release of the
exploit code is not planned at this time.

V. REFERENCES

http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html
http://technet.microsoft.com/en-us/security/bulletin/ms11-081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1996
http://www.zerodayinitiative.com/advisories/published/

Related

zdt 1
prion 2
securityvulns 3
cve 2
symantec 2
checkpoint_advisories 3
packetstorm 2
seebug 2
zdi 2
nessus 1
openvas 2
mskb 1
zdt
zdt
Microsoft Internet Explorer Option Element Use-After-Free Vulnerability
2013-01-10 00:00:00
prion
prion
Remote code execution
2011-10-12 02:52:00
Remote code execution
2011-10-12 02:52:00
securityvulns
securityvulns
ZDI-11-287 : Internet Explorer Select Element Cache Remote Code Execution Vulnerability
2011-10-20 00:00:00
ZDI-11-288 : Microsoft Internet Explorer Select Element Insufficient,Type Checking Remote Code Execution Vulnerability
2011-10-20 00:00:00
Microsoft Internet Explorer multiple security vulnerabilities
2011-10-24 00:00:00
cve
cve
CVE-2011-1996
2011-10-12 02:52:00
CVE-2011-1999
2011-10-12 02:52:00
symantec
symantec
Microsoft Internet Explorer Option Element CVE-2011-1996 Memory Corruption Vulnerability
2011-10-11 00:00:00
Microsoft Internet Explorer Select Element CVE-2011-1999 Memory Corruption Vulnerability
2011-10-11 00:00:00
checkpoint_advisories
checkpoint_advisories
Internet Explorer Option Element Memory Corruption (MS11-081; CVE-2011-1996)
2011-10-11 00:00:00
Internet Explorer Option Element Memory Corruption (MS11-081) - Ver2 (CVE-2011-1996)
2014-03-03 00:00:00
Microsoft Internet Explorer Element Index Memory Corruption (MS11-081; CVE-2011-1999)
2011-10-11 00:00:00
packetstorm
packetstorm
Microsoft Internet Explorer Option Element Use-After-Free
2013-01-10 00:00:00
Microsoft Internet Explorer 8 Code Execution
2012-02-29 00:00:00
seebug
seebug
Microsoft IE Optionε…ƒη΄ ε†…ε­˜η ΄εζΌζ΄ž(MS11-081)
2011-10-12 00:00:00
Microsoft Internet Explorer Selectε…ƒη΄ ε†…ε­˜η ΄εζΌζ΄ž(MS11-081)
2011-10-12 00:00:00
zdi
zdi
Internet Explorer Select Element Cache Remote Code Execution Vulnerability
2011-10-15 00:00:00
Microsoft Internet Explorer Select Element Insufficient Type Checking Remote Code Execution Vulnerability
2011-10-15 00:00:00
nessus
nessus
MS11-081: Critical Cumulative Security Update for Internet Explorer (2586448)
2011-10-11 00:00:00
openvas
openvas
Microsoft Internet Explorer Multiple Vulnerabilities (2586448)
2011-10-12 00:00:00
Microsoft Internet Explorer Multiple Vulnerabilities (2586448)
2011-10-12 00:00:00
mskb
mskb
MS11-081: Cumulative Security Update for Internet Explorer: October 11, 2011
2020-05-21 04:42:54
JSON
Related for SECURITYVULNS:DOC:27165
zdt1prion2securityvulns3cve2symantec2checkpoint_advisories3packetstorm2seebug2zdi2nessus1openvas2mskb1