CVE-2013-0025
Published 2013-02-13
Priority: P267 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public (Metasploit module and Exploit-DB entries listed below)
EPSS: 55.77% (98.9th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer SLayoutRun Use After Free Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from the sources below)
bytes: \x81\xc4\x54\xf2\xff\xff (add esp, -3500 prepend stub)
bytes: \x0c\x0c\x0c\x0c (heap-spray sled pattern)
Indicators:
- The exploit targets IE 8 on Windows XP SP3 exclusively; User-Agent strings matching both 'MSIE 8' and 'Windows NT 5.1' should be treated as high-risk in the context of this CVE.
- Exploit delivery uses a heap spray with a 0x0c0c0c0c NOP-sled pattern; detect long runs of repeated 0x0c bytes in JavaScript heap allocations.
- The payload is prepended with a stack-adjustment encoder stub (add esp, -3500, i.e. the bytes 0x81 0xc4 0x54 0xf2 0xff 0xff); this byte sequence in shellcode is a strong indicator.
- The UAF is triggered by setting document.body.style.whiteSpace to 'pre-line' and then calling CollectGarbage() to force a CDoc relayout; monitor for this JavaScript pattern in browser traffic.
- The Metasploit module sprays with heapLib.ie using 0x20000-byte heap blocks; large numbers of 0x20000-byte allocations via heapLib in IE 8 indicate exploitation.
- The second Exploit-DB variant (24495) uses an iframe pointing at a randomly named HTML file as the initial delivery vector; monitor for iframes loading randomly named .html resources from the same origin.
- The ROP chain uses an msvcrt gadget at 0x77c39f92 (RETN sled) on Windows XP; this address repeated in memory or in a network payload is a strong exploit indicator.
- The module's default post-exploitation auto-run script is 'migrate -f' (Meterpreter process migration); monitor for unexpected process migration out of iexplore.exe.
Caveats:
- The exploit only targets IE 8 on Windows XP SP3; in the 'Automatic' target mode the module fingerprints the victim via User-Agent before delivering the payload, so non-matching browsers receive a 404.
- JavaScript obfuscation is optional and disabled by default; detections based on static JavaScript signatures may miss variants generated with OBFUSCATE enabled.
- The ROP chain is generated specifically for msvcrt on Windows XP; the gadget address 0x77c39f92 is XP-specific and will differ on other OS versions.
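The following scanner is an added example (it is not from the CVE page, the Metasploit module or any of the sources listed here) that turns the indicators above into checks run over one captured request/response pair. It looks for each byte indicator both as raw bytes (useful on a memory or process dump) and in the %uXXXX form that unescape()-based sprays use on the wire, decodes the add esp stub to confirm the -3500 displacement, matches the whiteSpace/CollectGarbage trigger and the IE8-on-XP User-Agent, and folds the hits into a verdict. The sample HTTP bodies and User-Agent are constructed for the example; the function and key names are hypothetical.

```python
import re
import struct

# Indicator values from the page. Byte values are exact; the JS patterns are deliberately loose.
ADD_ESP_STUB = b"\x81\xc4\x54\xf2\xff\xff"   # add esp, -3500 prepend encoder stub
SPRAY_SLED = b"\x0c\x0c\x0c\x0c" * 4         # 16 bytes of the 0x0c0c0c0c sled
ROP_GADGET = 0x77C39F92                      # msvcrt RETN gadget, Windows XP only

BYTE_INDICATORS = {
    "add_esp_stub": ADD_ESP_STUB,
    "heap_spray_sled": SPRAY_SLED,
    "rop_gadget": struct.pack("<I", ROP_GADGET),   # little-endian, as it sits in memory
}

# whiteSpace = 'pre-line' ... CollectGarbage() is the trigger described on the page.
JS_TRIGGER_RE = re.compile(
    r"style\.whiteSpace\s*=\s*['\"]pre-line['\"].*?CollectGarbage\s*\(\s*\)",
    re.I | re.S,
)
# IE 8 on Windows XP (NT 5.1): the only target the module serves a payload to.
UA_RE = re.compile(r"MSIE 8\.0;.*Windows NT 5\.1")


def decode_add_esp(stub: bytes):
    """Return the signed imm32 of an `add esp, imm32` (opcode 81 c4) stub, or None."""
    if len(stub) < 6 or stub[:2] != b"\x81\xc4":
        return None
    return struct.unpack("<i", stub[2:6])[0]


def to_unescape(data: bytes) -> str:
    """Encode bytes as the %uXXXX little-endian word form used by unescape() sprays."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%02x%02x" % (data[i + 1], data[i]) for i in range(0, len(data), 2))


def find_bytes(body: bytes, needle: bytes) -> bool:
    """True if the needle appears raw (memory dump) or as %u-escaped JS text (HTTP body)."""
    return needle in body or to_unescape(needle).encode().lower() in body.lower()


def verdict(hits: dict) -> str:
    if any(hits[k] for k in ("add_esp_stub", "rop_gadget", "uaf_trigger")):
        return "exploit"
    if hits["heap_spray_sled"]:
        return "suspicious"
    if hits["high_risk_ua"]:
        return "watch"      # matches the module's target; non-matching UAs get a 404
    return "clean"


def scan_response(user_agent: str, body: bytes) -> dict:
    """Apply every indicator to one request/response pair and return hits plus a verdict."""
    hits = {name: find_bytes(body, needle) for name, needle in BYTE_INDICATORS.items()}
    hits["uaf_trigger"] = bool(JS_TRIGGER_RE.search(body.decode("latin-1")))
    hits["high_risk_ua"] = bool(UA_RE.search(user_agent))
    hits["verdict"] = verdict(hits)
    return hits


# Constructed sample traffic (no shellcode, only the indicator fragments).
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
SAMPLE_BODY = (
    b"<html><body><script>\n"
    b"var sled = unescape('" + b"%u0c0c" * 32 + b"');\n"
    b"var rop  = unescape('%u9f92%u77c3%u9f92%u77c3');\n"
    b"var code = unescape('%uc481%uf254%uffff');\n"
    b"document.body.style.whiteSpace = 'pre-line';\n"
    b"CollectGarbage();\n"
    b"</script></body></html>"
)
BENIGN_BODY = b"<html><body><script>document.body.style.whiteSpace='normal';</script></body></html>"

if __name__ == "__main__":
    print("stub displacement:", decode_add_esp(ADD_ESP_STUB))
    print("exploit page:", scan_response(SAMPLE_UA, SAMPLE_BODY))
    print("benign page: ", scan_response(SAMPLE_UA, BENIGN_BODY))
```

The JavaScript-level checks only hold while the module's OBFUSCATE option is off, as the caveat above says; the byte-level checks still work on a process or heap dump of iexplore.exe after the spray has been decoded, which is why the scanner tests both forms.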
No detection rules found.
Exploit-DB · 2013-04-24 · CVE-2013-2645
TP-Link TL-WR1043N Router - Cross-Site Request Forgery
---
source: https://www.securityfocus.com/bid/59442/info
The TP-Link TL-WR1043N Router is prone to a cross-site request-forgery vulnerability.
Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device.
Exploit-DB · 2013-02-23 · CVE-2013-0025
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free",
      'Description' => %q{
        This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
        where a CParaElement node is released but a reference is still kept
        in CDoc. This memory is reused when a CDoc relayout is performed.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Scott Bell' # Vulnerability discovery & Metasploit module
        ],
      'Refe
```
Exploit-DB · 2013-02-14 · CVE-2013-0025
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Microsoft Internet Explorer SLayoutRun Use-After-Free",
      'Description' => %q{
        This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
        where a CParaElement node is released but a reference is still kept
        in CDoc. This memory is reused when a CDoc relayout is performed.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Scott Bell', # Vulnerability discovery & Metasploit module
        ],
      'References'
```
Metasploit
MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free
This module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed.
arXiv · 2021-12-31
SoK: On the Analysis of Web Browser Security
Jungwon Lim, Yonghwi Jin, Mansour Alharthi, Xiaokuan Zhang, Jinho Jung, Rajat Gupta, Kuilin Li, Daehee Jang, Taesoo Kim (Georgia Institute of Technology; Theori Inc.; Sungshin Women's University)
## Abstract
Web browsers are integral parts of everyone's daily life. They are commonly used for security-critical and privacy-sensitive tasks, like banking transactions and checking medical records. Unfortunately, modern web browsers are too complex to be bug free (e.g., 25 million lines of code in Chrome), and their role as an interface to the cyberspace makes them an attractive target for attacks. Accordingly, web browsers naturally become an arena for demonstrating advanced exploitation techni
arXiv · 2018-08-08
Rethinking Misalignment to Raise the Bar for Heap Pointer Corruption
Daehee Jang, Hojoon Lee, Brent Byunghoon Kang (KAIST)
Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the
Recorded Future
# Tracking Moving Targets: Exploit Kits and CVEs
One year ago the notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged with the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch's arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, which CVEs they commonly leverage, and which products are the most vulnerable.
To get started, let's craft a simple query looking for mentions of any exploit kit over the last six months.
Zscaler · 2013-02-12 · CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 02-12-2013
Bugzilla · 2013-12-17 · CVE-2013-6443 [MEDIUM] · CVSS 6.8
CVE-2013-6443 CFME: GET request CSRF vulnerability
Martin Povolny of Red Hat reports:
Researching the problem I have found one more issue and that would be allowing GET request on destructive actions allowing the Rails protect_from_forgery mechanism to be bypassed.
Acknowledgements: This issue was discovered by Martin Povolný of Red Hat.
---
This issue has been addressed in the following products:
CloudForms Management Engine 5.x, via RHSA-2014:0025 (https://rhn.redhat.com/errata/RHSA-2014-0025.html)
References
- http://www.us-cert.gov/cas/techalerts/TA13-043B.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-009
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16294