CVE-2013-3897
published 2013-10-09


Priority: P1 (88, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Flags: KEV, ITW (in the wild), EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-03-24
Exploited in the wild
EPSS: 77.46% (99.5th percentile)
Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

Affected (6 ranges)

Vendor      Product             Version range   Fixed in
microsoft   internet_explorer   -               -
microsoft   internet_explorer   -               -
microsoft   internet_explorer   -               -
microsoft   internet_explorer   -               -
microsoft   internet_explorer   -               -
microsoft   internet_explorer   -               -

Detection & IOCs (extracted from sources)

Snort rule: SID 28091
Snort rule: SID 28092
Snort rule: SID 28207
Snort rule: SID 28208
filename: hxds.dll
filename: mshtml.dll
  • The exploit targets an "MSIE 8.0" User-Agent combined with a 'ko' (Korean) or 'ja' (Japanese) navigator.systemLanguage; the malicious JavaScript deactivates itself if these conditions are not met, so dynamic analysis in any other locale or browser version may show nothing.
  • The exploit JavaScript makes multiple calls to Math.atan2() with string parameters as a debugging/anti-analysis technique (a numeric function called with string literals only makes sense as a logging hook for an instrumented environment); Math.atan2() calls with string arguments in obfuscated JS are a behavioral indicator.
  • The vulnerability is triggered via the onpropertychange event handler on a DOM tree where a CBlockElement follows a CTextArea element; monitor for suspicious use of onpropertychange in conjunction with select() and node swaps.
  • The exploit builds its ROP chain from hxds.dll (MS Help Data Services Module, installed with Microsoft Office and loaded as a non-ASLR module); hxds.dll gadget addresses in an IE process ROP chain are a strong indicator of exploitation.
  • The CDisplayPointer object is a 0x48-byte HeapAlloc; use-after-free crash signatures in mshtml.dll involving a freed 0x48-byte object, with or without an accompanying heap spray, are indicative of this exploit.
  • The exploit was originally found on a public JavaScript unpacker site; monitor threat intel feeds and JS unpacker/deobfuscator sites for malicious IE exploit samples targeting East Asian language users.
  • The exploit is specifically targeted at IE8 on Windows XP with Korean ('ko') or Japanese ('ja') system language; exploitation against other IE versions or language configurations was not observed in the wild for this sample, although the vulnerable code is present in IE 6 through 11.
  • The Snort/Talos TRUFFLE rules (SIDs 28091 and 28092) were initially private/obfuscated; public coverage was later released as SIDs 28207 and 28208. Ensure the public SIDs are deployed rather than relying on TRUFFLE-only coverage.
  • The ROP chain in the working exploit relies on hxds.dll being present (installed with Microsoft Office); systems without Office may not be exploitable via this specific ROP chain, but other gadget sources may apply.
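The JavaScript indicators above (IE8/locale gating, Math.atan2() with string arguments, onpropertychange together with select() and node swaps) are only meaningful in combination, since each token on its own appears in ordinary web code. The following is an added example, not code from the page, from Talos or from any vendor, that scores a de-obfuscated script body against those indicators. The regexes are assumptions about how the patterns look in plain script text, and both sample scripts are constructed here for illustration; neither is exploit code.

```python
"""Heuristic scanner for the CVE-2013-3897 JavaScript indicators listed above.

Added example (not the page's or any vendor's code). The sample snippets are
constructed for illustration; the regexes are assumptions about how the
indicators appear in de-obfuscated script text.
"""
import re

# Constructed samples: the first mimics the gating/logging/trigger shape the
# IOC list describes (it does nothing harmful), the second is ordinary code
# that shares some of the same tokens.
SAMPLES = {
    "gated_sample": """
        (function () {
          if (navigator.userAgent.indexOf("MSIE 8.0") == -1) return;  // self-deactivate
          if (navigator.systemLanguage != "ko" && navigator.systemLanguage != "ja") return;
          Math.atan2("stage", "1");          // logging hook, not math
          var ta = document.createElement("textarea");
          document.body.appendChild(ta);
          ta.onpropertychange = function () { /* handler body elided */ };
          ta.select();
          Math.atan2("stage", "2");
        })();
    """,
    "benign_sample": """
        var angle = Math.atan2(dy, dx);
        if (navigator.userAgent.indexOf("MSIE 8.0") != -1) { addLegacyFixes(); }
        list.appendChild(item);
    """,
}

INDICATORS = {
    # Math.atan2 is numeric; a string literal argument only makes sense as a
    # logging/debug hook of the kind the write-ups describe.
    "atan2_string_args": re.compile(r'Math\.atan2\s*\([^)]*["\']'),
    "ie8_useragent_check": re.compile(r'MSIE\s*8\.0'),
    # systemLanguage compared against 'ko' or 'ja' on the same line.
    "ko_ja_language_gate": re.compile(r'systemLanguage[^\n]{0,80}?["\'](?:ko|ja)["\']'),
    "onpropertychange": re.compile(r'\bonpropertychange\b'),
    "select_call": re.compile(r'\.select\s*\(\s*\)'),
    "node_swap": re.compile(
        r'\b(?:replaceChild|swapNode|removeChild|appendChild|insertBefore)\s*\('),
}

SUSPICIOUS_THRESHOLD = 2


def scan_js(js):
    """Return {indicator_name: bool} for one script body."""
    return {name: rx.search(js) is not None for name, rx in INDICATORS.items()}


def score_js(js):
    """Weight co-occurring indicators; any single token alone is weak evidence."""
    h = scan_js(js)
    score = 0
    if h["atan2_string_args"]:
        score += 2
    if h["ie8_useragent_check"] and h["ko_ja_language_gate"]:
        score += 2
    if h["onpropertychange"] and h["select_call"]:
        score += 2
    if h["node_swap"]:
        score += 1
    return score


def is_suspicious(js):
    return score_js(js) >= SUSPICIOUS_THRESHOLD


def report(samples=SAMPLES):
    """Map sample name -> (score, flagged) for a batch of scripts."""
    return {name: (score_js(js), is_suspicious(js)) for name, js in samples.items()}


if __name__ == "__main__":
    for name, (score, flagged) in report().items():
        print(f"{name}: score={score} suspicious={flagged}")
```

Run it against de-obfuscated script bodies (the page notes the sample surfaced on a JS unpacker site, so unpacking comes first); the benign sample scores only 1 for its lone appendChild() call and is not flagged, while the gated sample hits every combination. Tune the weights and threshold to your own false-positive tolerance rather than treating the numbers here as authoritative.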

CVSS provenance

nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v2.0): 9.3 HIGH, AV:N/AC:M/Au:N/C:C/I:C/A:C (CVSS v2 has no Critical band; 7.0 to 10.0 is High)
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH