首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Microsoft Internet Explorer 9 - MSHTML CAttrArray Use-After-Free (MS14-056) 来源：http://blog.skylined.nl/20161101001.html 作者：Skylined 发布时间：2016-11-04   <!-- Source: http://blog.skylined.nl/20161101001.html   Synopsis   A specially crafted webpage can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.   Known affected versions, attack vectors and mitigations   Microsoft Internet Explorer 9 An attacker would need to get a target user to open a specially crafted webpage. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path. -->   <!doctype html> <script>   oTextArea = document.createElement('textarea');   oTextArea.dataSrc = 1;   oTextArea.id = 1;   oTextArea.innerHTML = 1;   oTextArea.onvolumechange = 1;   oTextArea.style.setProperty('list-style', "url()"); </script>     <!-- Analysis   The CAttrArray object initially allocates a CImplAry buffer of 0x40 bytes, which can store 4 attributes. When the buffer is full, it is grown to 0x60 bytes. A new buffer is allocated at a different location in memory and the contents of the original buffer is copied there. The repro causes the code to do this, but the code continues to access the original buffer after it has been freed.   Exploit   If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself.   Timeline   - April 2014: This vulnerability was found through fuzzing. - July 2014: This vulnerability was submitted to ZDI. - July 2014: ZDI reports a collision with a report by another researcher. (From the credits given by Microsoft and ZDI, I surmise that it was Peter 'corelanc0d3r' Van Eeckhoutte of Corelan who reported this issue. - October 2014: Microsoft release MS14-056, which addresses this issue. - November 2016: Details of this issue are released. -->   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Freefloat FTP Server 1.0 - 'DI ·Linux Kernel (Ubuntu / Fedora ·PCMan FTP Server 2.0.7 - 'UMAS ·Bassmaster 1.5.1 - Batch Arbit ·Mini Notice Board 1.1 SQL Inje ·Microsoft Internet Explorer 11 ·Caph 1.1 Local Denial Of Servi ·WinaXe 7.7 'FTP client' - Remo ·MySQL / MariaDB / PerconaDB - ·Rapid PHP Editor 14.1 - Remote ·MySQL / MariaDB / PerconaDB - ·Memcached 1.4.33 - PoC (1)   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved