what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Internet Explorer 8 MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption

Microsoft Internet Explorer 8 MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption
Posted Nov 22, 2016
Authored by SkyLined

Microsoft Internet Explorer 8 suffers from an MSHTML Ptls5::LsFindSpanVisualBoundaries memory corruption vulnerability.

tags | exploit
SHA-256 | 39193e6a0c7f58240b0b440fbf410393465f8e4e139f4ef637e931620333d816

Microsoft Internet Explorer 8 MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption

Change Mirror Download
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
fifteenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161121001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE8 MSHTML Ptls5::LsFindSpanVisualBoundaries memory corruption
================================================================
(The fix and CVE number for this bug are unknown)

Synopsis
--------
A specially crafted web-page can cause an unknown type of memory
corruption in Microsoft Internet Explorer 8. This vulnerability can
cause the `Ptls5::LsFindSpanVisualBoundaries` method (or other methods
called by it) to access arbitrary memory.

Known affected software, attack vectors and mitigations
-------------------------------------------------------
* Microsoft Internet Explorer 8

An attacker would need to get a target user to open a specially
crafted web-page. JavaScript is not necessarily required to trigger
the issue.

Description
-----------
The memory corruption causes the `Ptls5::LsFindSpanVisualBoundaries`
method to access data at seemingly random addresses. However, these
addresses appear to always be in the same range as valid heap addresses,
even if they are often not DWORD aligned. The reason for the memory
corruption is not immediately obvious.

Time-line
---------
* July 2014: This vulnerability was found through fuzzing.
* November 2016: Details of this issue are released.

Cheers,

SkyLined



Repro.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<button>
<pre>
<x>
<sub>
<ruby>
<img height="1"/>
</ruby>
</sub>
</x>
</pre>
</button>
</body>
</html>
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close