GreenBrowser iframe content Double Free Vulnerability

[vuln () nipc org cn]

GreenBrowser searchbar <iframe> content Double Free Vulnerability
------------------------------------------------------------------
I. Summary
All versions of GreenBrowser is prone to a vulnerability which leads to arbitrary code execution. A Double Free of 
iframe object is triggered by its shortcut button F6 (use to search the content of current page). A simple poc html 
that cause the corruption contains: <iframe src="Any_File_Will_Do.swf"></iframe>
Other file extension such as xml may tigger this corruption either. Open this page and press F6 (this is the shortcut 
button to use searchbar), then press F5 to refresh this page, an error window of memory corruption will pop up. Close 
this page, close the whole GreenBrowser or jump to another page also trigger the problem since this double free occurs 
when iframe object is released.
------------------------------------------------------------------
II. Description
GreenBrowser is a IEcore based browser. A specified crafted page could lead to the execution of shellcode. Using some 
JavaScript to refresh the page can let shellcode execute automatically after a press of F6.
Search bar exists in many browsers, used mostly for a quick search over different searching engine such as Google and 
Bing. GreenBrowser defines a shortcut button F6 used to search the content of current web page (including the content 
inside iframe) for text inside the search bar. After a press of F6 for a web page with a iframe points to a flash or 
xml, GreenBrowser will call ieframe.dll!CFindEngine::DisconnectDocument then mshtml.dll!CDocument::PrivateRelease. When 
the page is refreshing or closing, GreenBrowser will call mshtml.dll!CDocument::PrivateRelease to release the iframe 
object  again. Since CDocument object has already been released once, another call of CDocument::PrivateRelease will 
use a released memory (could be shellcode using HeapSpray) as virtual function table, thus leading to a code execution 
vulnerability. Advanced memory attacking techniques such as HeapFengShui or JIT-Spray could be used to build a stable 
exploit. 

A detailed analysis and a POC of this vulnerability could be downloaded from here:
http://www.hhjack.com.cn/report/GreenBrowserDF.rar (18.5 MB).
Old and lastest version of GreenBrowser has been tested under Windows 7 and Windows XP.
------------------------------------------------------------------
III. Impact
Code execution
------------------------------------------------------------------
IV. Affected
All versions of GreenBrowser up to latest 6.0.1002 with Windows XP and Windows 7.
Other versions of windows may also be affected.
------------------------------------------------------------------
V. Solution
There is no known workaround at this time.
------------------------------------------------------------------
VI. Credit
The penetration test team Of NCNIPC (China) is credited for this vulnerability.