CVE-2009-3672
Published: 2009-12-02
Priority: P2 (61) · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 71.80% (99.3rd percentile)
Microsoft Internet Explorer 6 and 7 does not properly handle objects in memory that (1) were not properly initialized or (2) are deleted, which allows remote attackers to execute arbitrary code via vectors involving a call to the getElementsByTagName method for the STYLE tag name, selection of the single element in the returned list, and a change to the outerHTML property of this element, related to Cascading Style Sheets (CSS) and mshtml.dll, aka "HTML Object Memory Corruption Vulnerability." NOTE: some of these details are obtained from third party information. NOTE: this issue was originally assigned CVE-2009-4054, but Microsoft assigned a duplicate identifier of CVE-2009-3672. CVE consumers should use this identifier instead of CVE-2009-4054.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Detect the exploit trigger pattern: a JavaScript call to getElementsByTagName('STYLE') followed by an assignment to outerHTML on the returned element, which is the specific trigger for the memory corruption.
- Detect heap spray using the 0x0c0c0c0c address pattern (%u0c0c%u0c0c) in JavaScript unescape calls within HTML delivered to Internet Explorer, a hallmark of this exploit's shellcode staging.
- HTTP responses exploiting this vulnerability use gzip compression and chunked transfer encoding; monitor for text/html responses with both 'Content-Encoding: gzip' and 'Transfer-Encoding: chunked' that contain STYLE tag manipulation JavaScript.
- Flag HTML pages targeting IE6/IE7 on Windows that contain inline JavaScript performing an outerHTML modification on a STYLE element retrieved via getElementsByTagName, combined with a large unescape-based heap spray loop.
- Monitor for known crash/EIP values in mshtml.dll associated with this vulnerability on specific OS/IE version combinations: 0x501d6bd8 (Vista IE7, mshtml 7.0.6001.18203), 0xc5fe7dc9 (XP SP3 IE6, mshtml 6.0.2900.5848), 0x6e767fae (2k3 SP2 IE6, mshtml 6.0.3790.4470), 0x6cf941a7 (2k3 SP2 IE7, mshtml 7.0.6000.16825).
- The Metasploit module uses randomized JavaScript variable names (rand_text_alpha) for all key variables, making static string-based signatures unreliable; detection must focus on behavioral patterns (getElementsByTagName('STYLE') + outerHTML mutation + heap spray) rather than fixed variable names.
- The exploit payload space is limited to 1000 bytes with null bytes as bad characters; staged/larger payloads may not function correctly in this exploit.
- On Windows XP SP3 with IE7 (mshtml.dll 7.0.5730.13), the exploit results in a null dereference rather than reliable code execution, reducing its effectiveness on that specific target.
- This CVE was originally assigned CVE-2009-4054; CVE-2009-3672 is the authoritative Microsoft-assigned identifier. Detection rules and threat intel referencing CVE-2009-4054 should be updated to use CVE-2009-3672.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - Style getElementsByTagName Memory Corruption (MS09-072) (Metasploit)
exploitdb · 2010-07-12 · CVE-2009-3672
---
```ruby
##
# $Id: ms09_072_style_object.rb 9787 2010-07-12 02:51:50Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# :ua_name => HttpClients::IE,
# :ua_minver => "6.0",
# :ua_maxver => "7.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :vuln_test => nil, # no way to test without just trying it
# :rank => LowRanking # exploitable on ie7/vista
#})
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer Style
```
Metasploit
MS09-072 Microsoft Internet Explorer Style getElementsByTagName Memory Corruption
This module exploits a vulnerability in the getElementsByTagName function as implemented within Internet Explorer.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/37448
- http://www.kb.cert.org/vuls/id/515749
- http://www.microsoft.com/technet/security/advisory/977981.mspx
- http://www.securityfocus.com/archive/1/507984/100/0/threaded
- http://www.securityfocus.com/bid/37085
- http://www.securitytracker.com/id?1023293
- http://www.symantec.com/connect/blogs/zero-day-internet-explorer-exploit-published
- http://www.us-cert.gov/cas/techalerts/TA09-342A.html
- http://www.vupen.com/english/advisories/2009/3301
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6381