CVE-2013-3184
Published 2013-08-14
Priority P2 · 62 · critical · CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 58.43% (99.0th percentile)
Microsoft Internet Explorer 7 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
bytes: 0x20302020 (heap spray target address)
- Detect exploit trigger: HTTP response containing both 'contentEditable' set to true and an 'onmove' event handler alongside execCommand calls for 'SelectAll' and 'InsertButton' — the specific combination required to trigger the UAF.
- Detect heap spray targeting address 0x20302020 in browser process memory — the Metasploit module sprays fake objects at this fixed address to control freed CFlatMarkupPointer memory.
- Flag HTTP responses with Cache-Control: no-cache and Content-Type: text/html that also contain both 'InsertButton' execCommand and heap spray JavaScript patterns — characteristic of the Metasploit delivery page.
- Monitor for mshtml.dll versions 9.0.8112.16446 through 9.0.8112.16502 loaded in iexplore.exe — these are the confirmed vulnerable version range for IE9.
- Detect use of 'migrate -f' as InitialAutoRunScript in post-exploitation — indicates Metasploit framework delivery and automatic process migration after successful exploitation.
- The Metasploit module only covers IE9 on Windows 7 SP1 with mshtml 9.0.8112.16446; IE8 exploitation requires a different trigger not implemented in this module.
- The UAF object is not always CFlatMarkupPointer — other objects may be freed and reused depending on heap state, which may affect crash signatures used for detection.
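A sketch of the first and fourth checks in the list above, as an added example that is not taken from this page's sources or from the Metasploit module. The function names, the regular expressions and the two sample bodies are constructed for illustration.

```python
import re

# Markers from the detection notes; the regexes are assumptions about how
# each one appears in served HTML/JavaScript (attribute or script form).
TRIGGER_MARKERS = {
    "contenteditable": re.compile(r"contenteditable\s*=\s*[\"']?true", re.I),
    "onmove": re.compile(r"\bonmove\s*=", re.I),
    "selectall": re.compile(r"execCommand\s*\(\s*[\"']SelectAll[\"']", re.I),
    "insertbutton": re.compile(r"execCommand\s*\(\s*[\"']InsertButton[\"']", re.I),
}
# IE9 mshtml.dll range stated above, inclusive at both ends.
IE9_LOW, IE9_HIGH = (9, 0, 8112, 16446), (9, 0, 8112, 16502)

def trigger_markers(body):
    """Return the names of the markers present in an HTML body."""
    return {name for name, rx in TRIGGER_MARKERS.items() if rx.search(body)}

def is_suspicious_response(headers, body):
    """Flag only text/html responses that carry all four markers together."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    return "text/html" in ctype.lower() and trigger_markers(body) == set(TRIGGER_MARKERS)

def mshtml_in_ie9_range(version):
    """Compare a dotted file version numerically, so 9.00.x equals 9.0.x."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return False
    return len(parts) == 4 and IE9_LOW <= parts <= IE9_HIGH

# Constructed samples (inert fragments, not captured traffic).
HTML = {"Content-Type": "text/html", "Cache-Control": "no-cache"}
EDITOR_PAGE = ('<div contenteditable="true">notes</div>'
               "<script>document.execCommand('SelectAll');</script>")
ALL_MARKERS = ('<body contenteditable="true" onmove="placeholder()">'
               "<script>document.execCommand('SelectAll');"
               "document.execCommand('InsertButton');</script>")

if __name__ == "__main__":
    for label, body in (("editor page", EDITOR_PAGE), ("all markers", ALL_MARKERS)):
        print(label, sorted(trigger_markers(body)), is_suspicious_response(HTML, body))
    for v in ("9.0.8112.16421", "9.0.8112.16446", "9.00.8112.16502"):
        print(v, mshtml_in_ie9_range(v))
```

Requiring all four markers keeps ordinary rich-text editor pages, which use contentEditable and SelectAll on their own, out of the alert queue. Plain string matching does not see script that is obfuscated or assembled at run time.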
No detection rules found.
Exploit-DB
Sagemcom F@st 3184 2.1.11 - Multiple Vulnerabilities
exploitdb·2013-11-08·CVSS 3.3
CVE-2013-5220 [LOW] Sagemcom F@st 3184 2.1.11 - Multiple Vulnerabilities
---
+------------------------------------------------------------------------------+
| HOTBOX is the leading router/modem appliance of |
| HOT Cable communication company in israel. |
| The Appliance is manufactured by SAGEMCOM |
| and carries the model name F@st 3184. |
+------------------------------------------------------------------------------+
| Title: HOTBOX Multiple Vulnerabilities |
+--------------------+---------------------------------------------------------+
| Release Date | 2013/09/09 |
| Researcher | Oz Elisyan |
+--------------------+---------------------------------------------------------+
| System Affected | HOTBOX Router/Modem |
| Versions Affected | 2.1.11 , possibly earlier |
| Related CVE Numbers | CVE-2013-5037
Exploit-DB
Microsoft Internet Explorer - CFlatMarkupPointer Use-After-Free (MS13-059) (Metasploit)
exploitdb·2013-09-04
CVE-2013-3184 Microsoft Internet Explorer - CFlatMarkupPointer Use-After-Free (MS13-059) (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free",
'Description' => %q{
This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9,
it seems to only affect certain releases of mshtml.dll. For example: This module
can be used against version 9.0.8112.16446, but not for 9.0.8112.16421. IE 8
requires a different way to trigger the vulnerability, but not currently covere
Metasploit
MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free
This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to only affect certain releases of mshtml.dll, ranging from a newly installed IE9 (9.0.8112.16446), to 9.00.8112.16502 (July 2013 update). IE8 requires a different way to trigger the vulnerability, but not currently covered by this module. The issue is specific to the browser's IE7 document compatibility, which can be defined in X-UA-Compatible, and the content editable mode must be enabled. An "onmove" event handler is also necessary to be able to trigger the bug, and the event will be run twice before the crash. The first time is due to the position change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftab
http://www.us-cert.gov/ncas/alerts/TA13-225A
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-059
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18271
2013-08-14
Published