ID CVE-2008-4844
Summary Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.
References
Vulnerable Configurations
  • Microsoft Internet Explorer 5.01
    cpe:2.3:a:microsoft:internet_explorer:5.01
  • Microsoft Internet Explorer 6
    cpe:2.3:a:microsoft:internet_explorer:6
  • Microsoft Internet Explorer 6 SP1
    cpe:2.3:a:microsoft:internet_explorer:6:sp1
  • Microsoft Internet Explorer 7
    cpe:2.3:a:microsoft:internet_explorer:7
CVSS
Base: 9.3 (as of 11-12-2008 - 14:53)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality COMPLETE
Integrity COMPLETE
Availability COMPLETE
exploit-db via4
  • description Internet Explorer Data Binding Memory Corruption. CVE-2008-4844. Remote exploit for windows platform
    id EDB-ID:16583
    last seen 2016-02-02
    modified 2010-09-20
    published 2010-09-20
    reporter metasploit
    source https://www.exploit-db.com/download/16583/
    title Microsoft Internet Explorer - Data Binding Memory Corruption
  • description MS Internet Explorer XML Parsing Remote Buffer Overflow Exploit 0day. CVE-2008-4844. Remote exploit for windows platform
    file exploits/windows/remote/7403.txt
    id EDB-ID:7403
    last seen 2016-02-01
    modified 2008-12-10
    platform windows
    port
    published 2008-12-10
    reporter Guido Landi
    source https://www.exploit-db.com/download/7403/
    title Microsoft Internet Explorer - XML Parsing Remote Buffer Overflow Exploit 0day
    type remote
  • description MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day. CVE-2008-4844. Remote exploit for windows platform
    file exploits/windows/remote/7410.html
    id EDB-ID:7410
    last seen 2016-02-01
    modified 2008-12-10
    platform windows
    port
    published 2008-12-10
    reporter muts
    source https://www.exploit-db.com/download/7410/
    title Microsoft Internet Explorer - XML Parsing Buffer Overflow Exploit Vista 0day
    type remote
  • id EDB-ID:7477
  • id EDB-ID:7583
metasploit via4
description This module exploits a vulnerability in the data binding feature of Internet Explorer. In order to execute code reliably, this module uses the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there.
id MSF:EXPLOIT/WINDOWS/BROWSER/MS08_078_XML_CORRUPTION
last seen 2019-03-23
modified 2017-07-24
published 2010-02-10
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms08_078_xml_corruption.rb
title MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption
msbulletin via4
bulletin_id MS08-078
bulletin_url
date 2008-12-09T00:00:00
impact Remote Code Execution
knowledgebase_id 960714
knowledgebase_url
severity Critical
title Security Update for Internet Explorer
nessus via4
NASL family Windows : Microsoft Bulletins
NASL id SMB_NT_MS08-078.NASL
description The remote host is missing the IE security update 960714. The remote version of IE is vulnerable to a memory corruption which may allow an attacker to execute arbitrary code on the remote host.
last seen 2019-02-21
modified 2018-11-15
plugin id 35221
published 2008-12-17
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=35221
title MS08-078: Microsoft Internet Explorer Security Update (960714)
oval via4
accepted 2014-08-18T04:06:06.621-04:00
class vulnerability
contributors
  • name Dragos Prisaca
    organization Gideon Technologies, Inc.
  • name Pooja Shetty
    organization SecPod Technologies
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Windows 2000 is installed
    oval oval:org.mitre.oval:def:85
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows 2000 is installed
    oval oval:org.mitre.oval:def:85
  • comment Microsoft Internet Explorer 5.01 SP4 is installed
    oval oval:org.mitre.oval:def:325
  • comment Microsoft Windows XP is installed
    oval oval:org.mitre.oval:def:105
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2003 (ia64) Gold is installed
    oval oval:org.mitre.oval:def:396
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (ia64) Gold is installed
    oval oval:org.mitre.oval:def:396
  • comment Microsoft Internet Explorer 7 is installed
    oval oval:org.mitre.oval:def:627
  • comment Microsoft Windows XP is installed
    oval oval:org.mitre.oval:def:105
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2003 (ia64) Gold is installed
    oval oval:org.mitre.oval:def:396
  • comment Microsoft Windows Vista is installed
    oval oval:org.mitre.oval:def:228
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2008 is installed
    oval oval:org.mitre.oval:def:12824
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Internet Explorer 7 is installed
    oval oval:org.mitre.oval:def:627
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (ia-64) is installed
    oval oval:org.mitre.oval:def:5667
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Internet Explorer 7 is installed
    oval oval:org.mitre.oval:def:627
description Use-after-free vulnerability in the CRecordInstance::TransferToDestination function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via DSO bindings involving (1) an XML Island, (2) XML DSOs, or (3) Tabular Data Control (TDC) in a crafted HTML or XML document, as demonstrated by nested SPAN or MARQUEE elements, and exploited in the wild in December 2008.
family windows
id oval:org.mitre.oval:def:6007
status accepted
submitted 2009-02-10T16:00:00
title Pointer Reference Memory Corruption Vulnerability
version 72
packetstorm via4
refmap via4
bid 32721
cert
  • TA08-344A
  • TA08-352A
cert-vn VU#493881
confirm http://www.microsoft.com/technet/security/advisory/961051.mspx
exploit-db
  • 7403
  • 7410
  • 7477
  • 7583
hp
  • HPSBST02397
  • SSRT080187
misc
ms MS08-078
sectrack 1021381
secunia 33089
vupen ADV-2008-3391
saint via4
bid 32721
description Internet Explorer XML data binding memory corruption
id win_patch_ie_v5,win_patch_ie_v6,win_patch_ie_v7,win_patch_ie_v8
osvdb 50622
title ie_xml_span
type client
Last major update 10-01-2012 - 00:00
Published 11-12-2008 - 10:30
Last modified 12-10-2018 - 17:49