CVE-2010-0248
published 2010-01-22


Priority: P263 high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 53.09% (98.8th percentile)
Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability."

Affected

26 ranges · showing 25
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer

Detection & IOCs (extracted from sources)

snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; file.data; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; fast_pattern; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_04, cve CVE_2010_0248, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_08;)
  • Detect exploit trigger pattern in HTTP response body: presence of 'document.getElementById' with 'tableid' and '.cloneNode', combined with 'cells.urns' and 'cells.item' — all three content matches are required per the ET rule.
  • The exploit targets CTableRowCellsCollectionCacheItem::GetNext in mshtml; a use-after-free is triggered by manipulating table row cell collection objects. Look for IE process crashes or heap corruption in mshtml.dll.
  • Heap spray targets address 0x0c0c0c0c; detection of large repeated allocations filling this address range in IE process memory is indicative of exploitation.
  • The Metasploit module fingerprints victims via User-Agent: targets 'NT 5.1' + 'MSIE 8' (IE 8 on XP SP3) and 'NT 6.1' + 'MSIE 8' (IE 8 on Windows 7). Anomalous server-side UA-based redirection to exploit pages may be detectable.
  • ROP chain for IE 8 on XP SP3 uses msvcrt.dll gadgets; key ROP pivot return address is 0x77c15ed5. Presence of this address on the stack during IE execution is a strong exploit indicator.
  • ROP chain for IE 8 on Windows 7 SP0 uses JRE (msvcr71.dll) gadgets; key ROP pivot return address is 0x7c348b05. Presence of this address on the stack during IE execution is a strong exploit indicator.
  • The Metasploit module only supports IE 8 on Windows XP SP3 and IE 8 on Windows 7 SP0 as named targets; other IE versions (6, 6 SP1, 7) are affected by the CVE but will receive a 404 from this module.
  • The JRE ROP chain targets msvcr71.dll (Java Runtime Environment); this chain only works if JRE is installed on the Windows 7 target. Without JRE, the :jre ROP chain will fail.
  • Payload bad characters are restricted to null bytes only; payload space is limited to 1000 bytes with NOPs disabled.

CVSS provenance

nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C