$$$$$$\ $$\ $$\ $$$$$$$$\ $$$$$$\ $$$$$$\ $$\ $$$$$$$\ $$$$$$\ $$$$$$\ $$$$$$\
$$ __$$\ $$ | $$ |$$ _____| $$ __$$\ $$$ __$$\ $$$$ | $$ ____| $$ __$$\ $$$ __$$\ $$ __$$\
$$ / \__|$$ | $$ |$$ | \__/ $$ |$$$$\ $$ |\_$$ | $$ | $$ / \__|$$$$\ $$ |$$ / $$ |
$$ | \$$\ $$ |$$$$$\ $$$$$$\ $$$$$$ |$$\$$\$$ | $$ | $$$$$$$\ $$$$$$\ $$$$$$$\ $$\$$\$$ | $$$$$$ |
$$ | \$$\$$ / $$ __|\______|$$ ____/ $$ \$$$$ | $$ | \_____$$\\______|$$ __$$\ $$ \$$$$ |$$ __$$<
$$ | $$\ \$$$ / $$ | $$ | $$ |\$$$ | $$ | $$\ $$ | $$ / $$ |$$ |\$$$ |$$ / $$ |
\$$$$$$ | \$ / $$$$$$$$\ $$$$$$$$\ \$$$$$$ /$$$$$$\\$$$$$$ | $$$$$$ |\$$$$$$ /\$$$$$$ |
\______/ \_/ \________| \________| \______/ \______|\______/ \______/ \______/ \______/
Copyright 2016 © Payatu Technologies Pvt. Ltd.
Improper handling of new line and white space character caused Out of Bound Read in CDOMStringDataList::InitFromString
.
This flaw can be used to leak the base address of MSHTML.DLL
and effectively bypass Address Space Layout Randomization
.
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- IE: 10 & 11
- KB: KB3087038
- OS: Windows 7 SP1 x86
- http://www.payatu.com/advisory-ie_cdomstringdatalist/
- https://technet.microsoft.com/library/security/MS15-112
- http://www.zerodayinitiative.com/advisories/ZDI-15-547/
http://www.payatu.com/from-crash-to-exploit/
Ashfaq Ansari
ashfaq[at]payatu[dot]com
@HackSysTeam | Blog | null