martes, 14 de diciembre de 2010

:::SPAS3C-SV-003:::INTERNET EXPLORER 6/7/8 MEMORY CORRUPTION VULNERABILITY (CVE-2010-3962/ MS10-090)

At last, I can talk about a vulnerability which was publicly known because it was being exploited in the wild. Today I would have liked to disclose my exploit, but it (including a metasploit module) is available one month ago, so i cannot give more information, just my experience and a repository of interesting links about it.


  • Description:

This one was very nice to find it. Someone talked about a smart vuln, because it only needed one line of HTML code to trigger it, one html tag and two different styles. But when I found, about five months ago, I discovered it using this poc:

----------------------------------------poc.html------------------------------------------------

<table style = 'position: absolute;clip: rect(5px, 55px, 45px, 5px);' > <hr />

----------------------------------------poc.html------------------------------------------------

The reason is that my fuzzer always tries to get a correct HTML code and applies fuzzing on some styles, properties, etc.

On late of June, my fuzzer gets a working poc triggering the vuln. I was very newbie on exploiting but I noticed that it could be easily exploited. I sent it on iDefense and they confirmed the vulnerability on early of July.

On September, I had learnt something on exploiting because I needed to sell other stuff and this buyer needed working exploits, so when the other job was finished, I thought that it would be interesting to use my new knowledge as exploit writer, so I did my own exploits and it was very simple using heap spraying. I stored all until today, but it would be silly to release when there is many information and exploits about this issue.

Finally, this is my history about CVE-2010-3962 or MS10-090. I have to admit that this vuln has taught me to have more experience as bug hunter. It was very nice, easy for finding (so easy for losing) and it was alive from version 6.

Good bye 0day, I always will remember you :_(

  • Links (interesting stuff):



Be safe ;)

No hay comentarios: