Wednesday, January 2, 2013

CVE-2012-4792 & Hook Analyser

Browsing GOOGLE I came across this tool called Hook Analyzer. It basically allows one to spawn a process or hook into existing process using the tool provided and later on scans process to find potential malware traces. It had also got another module to it, which allows one to analyze the content of the memory at crash times (at specific crash points).

I had thought of giving it a try against the latest vulnerability in Microsoft Internet Explorer that's exploited in the wild referenced by CVE-2012-4792. As blogged by majority of the security firms, there is a User After Free vulnerability that can be exploited remotely and is known to affect Internet Explorer version 6, 7 & 8.

With Hook Analyzer I was able to find the crash point and the probable reason.

var data = "";
eip.location = unescape("%u0b30%u0c0c" + data);

Take a look at the referenced memory location by EAX and EDI registers in the snapshot above. It's conclusive that EDI is pointing to some data in the HEAP that was freed earlier and has been referenced by some code later in the process. And there's definitely that particular region of the memory that's re-used (even after release) which ended up in EAX pointing to memory 0x0C0C0B30, paving way for a classic Use After Free vulnerability.

No comments:

Post a Comment