CVE-2012-4969
published 2012-09-18


Priority: P1 87, high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability: yes, due 2022-06-22
Exploited in the wild: yes
EPSS: 81.72% (99.6th percentile)
Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.

Affected (4 ranges)

Vendor      Product             Version range   Fixed in
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer

Detection & IOCs (extracted from sources)

path: mshtml.dll

snort rule (ET, sid 2020099):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2"; flow:established,to_client; file.data; content:"execCommand"; nocase; content:"YMjf"; content:"u0c08"; distance:1; within:6; content:"u0c0cKDog"; distance:1; within:10; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2020099; rev:10; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2015_01_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, confidence Low, signature_severity Major, tag Web_Client_Attacks, tag Metasploit, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)

bytes: \x81\xc4\x54\xf2\xff\xff (x86 "add esp, 0xfffff254", i.e. add esp, -3500: a stack adjustment of the kind prepended to a payload so that the shellcode's own stack use does not overwrite the payload bytes)
  • The exploit triggers the UAF from JavaScript by calling document.execCommand('selectAll') inside an iframe, combined with a heap spray; the distinctive string 'YMjf\u0c08\u0c0cKDog' is used as an img src value. Network detection should look for this string in HTTP response bodies (the ET rule above matches it, allowing one arbitrary byte in place of each backslash).
  • The crash/exploitation point is mshtml!CMshtmlEd::Exec+0x134, reported at address 637d464e in the source's analysis (the absolute address depends on the mshtml.dll build and its load address), where EDI is attacker-controlled (0x0c0c0c08), indicative of a heap spray with the 0x0c0c0c0c pattern. Monitor for heap-spray patterns targeting this address range.
  • For WinXP SP3 with IE8, the ROP chain uses msvcrt gadgets at hardcoded addresses (0x77c4e393, 0x77c4e392, 0x77c15ed5). For Vista/Win7 with IE8/IE9, JRE gadgets at 0x7c347f98, 0x7c347f97, 0x7c348b05 are used. These addresses appearing as data in a served page (for example inside a unicode-escaped spray string) or in a process's heap are a strong indicator; their mere presence as code addresses in a loaded msvcrt or JRE module is not.
  • The Metasploit module sets 'migrate -f' as InitialAutoRunScript, so process migration happens immediately after exploitation; migrate -f starts a new process to migrate into. Analysts should look for iexplore.exe spawning unexpected child processes shortly after a suspicious page load.
  • The exploit is delivered from a browser-based HTTP server; the module generates two random-named HTML files (5 and 6 alpha characters, e.g. 'xxxxx.html' and 'xxxxxx.html'). The initial request is redirected to the first HTML page, which loads the second via an iframe. Two sequential requests for short random .html paths on the same host from the same client are a behavioural indicator (weak on its own; correlate with the User-Agent and domain reputation).
  • The Metasploit module targets IE 7 to 9 only (the vulnerability itself affects IE 6 through 9): User-Agent strings with MSIE versions 7.0 through 9.0 are required, and the module answers other browsers with a 404. Correlate IE 7/8/9 User-Agent requests to suspicious or newly seen domains with this request pattern.
  • ROP chain validity depends on the target OS and installed software: for WinXP SP3 with IE8, msvcrt must be present; for Vista or Win7 with IE8/IE9, JRE 1.6.x or earlier must be installed. Exploitation fails if these dependencies are not met.
  • The Metasploit module has an optional OBFUSCATE option that enables JavaScript obfuscation, which may evade content-based signatures that look for plaintext JavaScript patterns such as the execCommand string in the rule above.
  • Exploitation was observed in the wild from September 14, 2012, before a patch was available. Public availability of the Metasploit module broadened the threat beyond targeted attacks.
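The content signature from the ET rule and the request-pattern indicator from the list above, written out as detection logic. This is an added example for this page, not code from the page's sources, from the ET ruleset or from Metasploit. The proxy log format, the sample responses and the sample log lines are all constructed; the assumption that gadget addresses appear in a served page as %u- or \u-escaped little-endian words is labelled in the code.

```python
"""Detection helpers for the CVE-2012-4969 indicators listed above.

Added example, not code from the page's sources. Two indicators:
  1. the ET rule's content signature (execCommand plus the spray marker
     'YMjf\\u0c08\\u0c0cKDog') applied to an HTTP response body, plus a
     check for the listed ROP gadget addresses and the 0x0c0c0c0c spray;
  2. an IE 7/8/9 client fetching a random 5-letter .html and then a
     6-letter .html from the same host, applied to proxy log lines.
The log format and every sample below are constructed, not captured traffic.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# --- 1. Content indicators -------------------------------------------------

# The rule matches "u0c08" at distance:1/within:6 after "YMjf" and then
# "u0c0cKDog" at distance:1/within:10: exactly one arbitrary byte (the
# backslash in the real exploit) between the pieces. One regex says the same.
SPRAY_MARKER = re.compile(rb"YMjf.u0c08.u0c0cKDog", re.DOTALL)
EXEC_COMMAND = re.compile(rb"execCommand", re.IGNORECASE)

# ROP gadget addresses from the analysis above (msvcrt on XP SP3, JRE on Vista/7).
ROP_GADGETS = [0x77c4e393, 0x77c4e392, 0x77c15ed5,
               0x7c347f98, 0x7c347f97, 0x7c348b05]


def unicode_escape_forms(addr: int) -> List[bytes]:
    """%u and \\u encodings of a 32-bit address as a heap-spray string carries
    it: little-endian, so the low 16 bits come first. Assumption: the served
    page carries gadget addresses in one of these two forms."""
    lo, hi = addr & 0xFFFF, (addr >> 16) & 0xFFFF
    return [b"%%u%04x%%u%04x" % (lo, hi), b"\\u%04x\\u%04x" % (lo, hi)]


def scan_response(body: bytes) -> Dict[str, object]:
    """Apply the content indicators to one HTTP response body."""
    low = body.lower()
    marker = SPRAY_MARKER.search(body) is not None
    return {
        "et_signature": marker and EXEC_COMMAND.search(body) is not None,
        "spray_marker": marker,
        "rop_gadgets": [hex(a) for a in ROP_GADGETS
                        if any(f in low for f in unicode_escape_forms(a))],
        "cc_spray": b"%u0c0c%u0c0c" in low or b"\\u0c0c\\u0c0c" in low,
    }


# --- 2. Behavioural indicator over proxy logs ------------------------------

# Constructed line format: time<TAB>client<TAB>host<TAB>path<TAB>status<TAB>user-agent
LOG_RE = re.compile(r"^(\S+)\t(\S+)\t(\S+)\t(\S+)\t(\d{3})\t(.*)$")
IE_7_TO_9 = re.compile(r"MSIE [789]\.0\b")
HTML5 = re.compile(r"^/[A-Za-z]{5}\.html$")
HTML6 = re.compile(r"^/[A-Za-z]{6}\.html$")


def find_landing_pairs(log_lines: List[str], window_seconds: int = 10
                       ) -> List[Tuple[str, str, str, str]]:
    """(client, host, first_path, second_path) for each IE 7-9 client that
    fetched a 5-letter .html and then a 6-letter .html from the same host
    within window_seconds (the module's redirect-then-iframe sequence)."""
    last_five: Dict[Tuple[str, str], Tuple[datetime, str]] = {}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, host, path, _status, ua = m.groups()
        if not IE_7_TO_9.search(ua):
            continue
        when, key = datetime.fromisoformat(ts), (client, host)
        if HTML5.match(path):
            last_five[key] = (when, path)
        elif HTML6.match(path) and key in last_five:
            t0, first = last_five[key]
            if timedelta(0) <= when - t0 <= timedelta(seconds=window_seconds):
                hits.append((client, host, first, path))
    return hits


# --- Constructed samples ---------------------------------------------------

IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
SAMPLE_RESPONSE_HIT = rb"""<html><body>
<img src="YMjf\u0c08\u0c0cKDog" onload="tryit()">
<script>
var spray = unescape("%u0c0c%u0c0c");
var rop = unescape("%ue393%u77c4");
function tryit(){ document.execCommand("selectAll"); }
</script></body></html>"""
SAMPLE_RESPONSE_BENIGN = rb"""<html><body><script>
document.execCommand("bold"); // ordinary rich-text editor use
</script></body></html>"""
SAMPLE_LOG = [
    "2012-09-17T10:00:01\t10.0.0.5\tevil.example\t/\t302\t" + IE8_UA,
    "2012-09-17T10:00:01\t10.0.0.5\tevil.example\t/abcde.html\t200\t" + IE8_UA,
    "2012-09-17T10:00:02\t10.0.0.5\tevil.example\t/fghijk.html\t200\t" + IE8_UA,
    "2012-09-17T10:00:03\t10.0.0.7\tcdn.example\t/index.html\t200\t"
    "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1",
    "2012-09-17T10:00:04\t10.0.0.9\tnews.example\t/abcde.html\t200\t"
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
]

if __name__ == "__main__":
    print(scan_response(SAMPLE_RESPONSE_HIT))
    print(scan_response(SAMPLE_RESPONSE_BENIGN))
    print(find_landing_pairs(SAMPLE_LOG))
```

The 5-then-6-letter path pairing fires on the Firefox client's /index.html only if the User-Agent filter is dropped, which is why the two indicators are combined rather than used alone; the OBFUSCATE option can remove the plaintext execCommand string, so the spray marker and the escaped gadget addresses are checked independently of it.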

CVSS provenance

nvd v3.1:  8.1 HIGH      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0:  9.3 CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 8.1 HIGH
cisa:      8.1 HIGH