CVE-2012-1876
published 2012-06-12


Priority: P266
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 64.96% (99.1th percentile)
Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access a nonexistent object, leading to a heap-based buffer overflow, aka "Col Element Remote Code Execution Vulnerability," as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012.

Affected (4 ranges)

Vendor    | Product           | Version range | Fixed in
microsoft | internet_explorer |               |
microsoft | internet_explorer |               |
microsoft | internet_explorer |               |
microsoft | internet_explorer |               |

Detection & IOCs (extracted from sources)

Indicators: MSVCR71.dll (module name, listed under "registry"); %u-encoded shellcode bytes.
  • The exploit triggers the bug by modifying the 'span' attribute of <col> elements inside a fixed-layout table from JavaScript at runtime, causing a heap-based overflow. Detect HTML pages that contain fixed-layout tables whose col span attributes are modified dynamically via JavaScript.
  • The exploit targets Internet Explorer 8 specifically (User-Agent matching NT 5.1 or NT 6.1 together with MSIE 8). Network detection should look for exploit HTML being served to IE8 User-Agent strings.
  • The heap spray uses large unescape() blocks consisting of NOP sleds (%u9090) and shellcode. Detect JavaScript with repeated unescape() calls that build large strings, followed by heap-spray allocation patterns.
  • The ROP chain uses gadgets from msvcrt.dll (Windows XP) or MSVCR71.dll (Windows 7 with the JRE) to call VirtualProtect(). The presence of ROP gadget addresses from these modules in heap-spray content is a strong indicator.
  • EMET bypass variants write NULL over EMET's protection configuration structure in memory. The string 'EMET' embedded in the shellcode or ROP chain is a detectable artifact.
  • The spray loop builds a block of 1000 heap chunks. JavaScript that allocates exactly 1000 large heap blocks via unescape() and string concatenation is indicative.
  • The Metasploit module only supports IE 8 on Windows XP SP3 (msvcrt ROP) and IE 8 on Windows 7 SP1 (JRE/MSVCR71.dll ROP); the other IE versions (6, 7, 9 and 10 Consumer Preview) are affected by the CVE but are not covered by the module's targeting logic.
  • The ROP gadget offsets in the standalone JS exploits (EDB-24017, EDB-33944, EDB-34815, EDB-35273) are hardcoded relative to a leaked 'cbuttonlayout' base address; exploitation therefore requires a separate info-leak to defeat ASLR, and the offsets are not universal across patch levels.
  • The EMET bypass techniques differ across exploit variants: EDB-33944 targets EMET 4.1.x, EDB-34815 targets EMET 5.0, and EDB-35273 targets EMET 5.1. Detection rules tuned to one bypass variant may not catch the others.
  • The Metasploit module's payload space is limited to 1024 bytes, with null bytes as bad characters; payloads exceeding this size or containing 0x00 will not function correctly.