ID CVE-2013-3893
Summary Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
References
Vulnerable Configurations
  • Microsoft Internet Explorer 6
    cpe:2.3:a:microsoft:internet_explorer:6
  • Microsoft Internet Explorer 7
    cpe:2.3:a:microsoft:internet_explorer:7
  • Microsoft Internet Explorer 8
    cpe:2.3:a:microsoft:internet_explorer:8
  • Microsoft Internet Explorer 9
    cpe:2.3:a:microsoft:internet_explorer:9
  • Microsoft Internet Explorer 10
    cpe:2.3:a:microsoft:internet_explorer:10
  • Microsoft Internet Explorer 11 Developer Preview
    cpe:2.3:a:microsoft:internet_explorer:11:developer-preview
  • Microsoft Internet Explorer 11 Release Preview
    cpe:2.3:a:microsoft:internet_explorer:11:release-preview
CVSS
Base: 9.3 (as of 01-11-2016 - 12:23)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector Complexity Authentication
NETWORK MEDIUM NONE
Impact
Confidentiality Integrity Availability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Microsoft Internet Explorer SetMouseCapture Use-After-Free. CVE-2013-3893. Remote exploit for windows platform
id EDB-ID:28682
last seen 2016-02-03
modified 2013-10-02
published 2013-10-02
reporter metasploit
source https://www.exploit-db.com/download/28682/
title Microsoft Internet Explorer SetMouseCapture Use-After-Free
metasploit via4
  • description This module exploits a use-after-free vulnerability that currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker can first set up two elements, where the second is the child of the first, and then set up an onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up 0x54 bytes of memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and passed on to more functions; eventually this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
    id MSF:EXPLOIT/WINDOWS/BROWSER/IE_SETMOUSECAPTURE_UAF
    last seen 2019-03-13
    modified 2017-07-24
    published 2013-09-29
    reliability Normal
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
    title MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free
  • description This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called "onselect". The "onselect" event will allow us to set up for the actual event handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer object can be forced by using an "Unselect" (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.
    id MSF:EXPLOIT/WINDOWS/BROWSER/MS13_080_CDISPLAYPOINTER
    last seen 2019-03-23
    modified 2017-09-09
    published 2013-10-12
    reliability Normal
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
    title MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
msbulletin via4
bulletin_id MS13-080
bulletin_url
date 2013-10-08T00:00:00
impact Remote Code Execution
knowledgebase_id 2879017
knowledgebase_url
severity Critical
title Cumulative Security Update for Internet Explorer
nessus via4
  • NASL family Windows
    NASL id SMB_KB2887505.NASL
    description The remote host is missing one of the workarounds referenced in KB 2887505. The remote version of Internet Explorer (IE) reportedly has a memory corruption vulnerability related to how IE accesses an object in memory that has been deleted or has not been properly allocated. By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.
    last seen 2017-10-29
    modified 2017-08-30
    plugin id 69931
    published 2013-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69931
    title MS KB2887505: Vulnerability in Internet Explorer Could Allow Remote Code Execution
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS13-080.NASL
    description The remote host is missing Internet Explorer (IE) Security Update 2879017. The installed version of IE is affected by multiple vulnerabilities that could allow an attacker to execute arbitrary code on the remote host.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 70332
    published 2013-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70332
    title MS13-080: Cumulative Security Update for Internet Explorer (2879017)
oval via4
accepted 2014-08-18T04:02:01.658-04:00
class vulnerability
contributors
  • name SecPod Team
    organization SecPod Technologies
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2003 (ia64) Gold is installed
    oval oval:org.mitre.oval:def:396
  • comment Microsoft Internet Explorer 7 is installed
    oval oval:org.mitre.oval:def:627
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Server 2003 (ia64) Gold is installed
    oval oval:org.mitre.oval:def:396
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Server 2008 (ia-64) is installed
    oval oval:org.mitre.oval:def:5667
  • comment Microsoft Internet Explorer 8 is installed
    oval oval:org.mitre.oval:def:6210
  • comment Microsoft Windows XP (32-bit) is installed
    oval oval:org.mitre.oval:def:1353
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (32-bit) is installed
    oval oval:org.mitre.oval:def:1870
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows 7 (32-bit) is installed
    oval oval:org.mitre.oval:def:6165
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval oval:org.mitre.oval:def:5954
  • comment Microsoft Internet Explorer 9 is installed
    oval oval:org.mitre.oval:def:11985
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows 7 (32-bit) is installed
    oval oval:org.mitre.oval:def:6165
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Internet Explorer 10 is installed
    oval oval:org.mitre.oval:def:15751
  • comment Microsoft Windows 7 (32-bit) is installed
    oval oval:org.mitre.oval:def:6165
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows 8 (x86) is installed
    oval oval:org.mitre.oval:def:14914
  • comment Microsoft Windows 8 (x64) is installed
    oval oval:org.mitre.oval:def:15571
  • comment Microsoft Windows Server 2012 (64-bit) is installed
    oval oval:org.mitre.oval:def:15585
  • comment Microsoft Internet Explorer 11 is installed
    oval oval:org.mitre.oval:def:18343
  • comment Microsoft Windows 8.1 is installed
    oval oval:org.mitre.oval:def:18863
  • comment Microsoft Windows Server 2012 R2 is installed
    oval oval:org.mitre.oval:def:18858
description Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
family windows
id oval:org.mitre.oval:def:18665
status accepted
submitted 2013-10-15T09:59:37
title Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893) - MS13-080
version 75
packetstorm via4
refmap via4
bid 62453
cert TA13-288A
confirm
jvn JVN#27443259
jvndb JVNDB-2013-000093
misc http://pastebin.com/raw.php?i=Hx1L5gu6
ms MS13-080
saint via4
bid 62453
description Internet Explorer HTML Rendering Engine onLoseCapture Use-After-Free Vulnerability
id win_patch_ie_v6,win_patch_ie_v7,win_patch_ie_v8,win_patch_ie_v9,win_patch_ie_v10
osvdb 97380
title ie_onlosecapture_event_uaf
type client
the hacker news via4
Last major update 28-11-2016 - 14:09
Published 18-09-2013 - 06:08
Last modified 12-10-2018 - 18:05