exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Internet Explorer 8 MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption

Microsoft Internet Explorer 8 MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption
Posted Nov 22, 2016
Authored by SkyLined

Microsoft Internet Explorer 8 suffers from an MSHTML Ptls5::LsFindSpanVisualBoundaries memory corruption vulnerability.

tags | exploit
SHA-256 | 39193e6a0c7f58240b0b440fbf410393465f8e4e139f4ef637e931620333d816

Microsoft Internet Explorer 8 MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption

Change Mirror Download
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
fifteenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161121001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE8 MSHTML Ptls5::LsFindSpanVisualBoundaries memory corruption
================================================================
(The fix and CVE number for this bug are unknown)

Synopsis
--------
A specially crafted web-page can cause an unknown type of memory
corruption in Microsoft Internet Explorer 8. This vulnerability can
cause the `Ptls5::LsFindSpanVisualBoundaries` method (or other methods
called by it) to access arbitrary memory.

Known affected software, attack vectors and mitigations
-------------------------------------------------------
* Microsoft Internet Explorer 8

An attacker would need to get a target user to open a specially
crafted web-page. JavaScript is not necessarily required to trigger
the issue.

Description
-----------
The memory corruption causes the `Ptls5::LsFindSpanVisualBoundaries`
method to access data at seemingly random addresses. However, these
addresses appear to always be in the same range as valid heap addresses,
even if they are often not DWORD aligned. The reason for the memory
corruption is not immediately obvious.

Time-line
---------
* July 2014: This vulnerability was found through fuzzing.
* November 2016: Details of this issue are released.

Cheers,

SkyLined



Repro.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<button>
<pre>
<x>
<sub>
<ruby>
<img height="1"/>
</ruby>
</sub>
</x>
</pre>
</button>
</body>
</html>
Login or Register to add favorites

File Archive:

December 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    32 Files
  • 5
    Dec 5th
    10 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    23 Files
  • 8
    Dec 8th
    18 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close