Microsoft Internet Explorer Use-After-Free Vulnerability

Last updated April 06, 2020


Description

Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability.”

Technical Analysis

WinDbg Log

[*] in trigger()
[*] Creating element SAMP
[*] Creating element TH
[*] Creating element RT
[*] Creating element COMMAND
[*] Creatig element STYLE
[*] Creating element BUTTON
[*] Creating element FRAME
[*] Creating element TR
[*] Appending element SAMP
[*] Appending element TH
[*] Appending element RT
[*] Appending element COMMAND
[*] Appending element STYLE
[*] Appending element BUTTON
[*] Appending element FRAME
[*] Appending element TR
[*] Calling createTextRange()
[*] Calling moveToElementText() with element RT
[*] Calling moveEnd('character', 7)
[*] Selecting text range
[*] Executing text bold
[*] Execute insdertFieldSet
[*] Selecting text range again
[*] Calling InsertHorizontalRule
[*] CHRElement created: 0x0f45efc8

ChildEBP RetAddr  Args to Child
0480be7c 6a3a14b3 0fc5ff00 0cec5528 0480beb0 MSHTML!CHRElement::CreateElement+0x16 (FPO: [3,0,4])
0480bea8 6a420994 00000000 0480bfe4 0cec5528 MSHTML!CreateElement+0x6c (FPO: [6,3,4])
0480bfc0 6a759a26 00000039 0480bfe4 0fe2efec MSHTML!CMarkup::CreateElement+0x430 (FPO: [4,59,4])
0480bfe8 6ab3abc9 0cec5528 00000030 0fe2efec MSHTML!CDoc::CreateElement+0x7a (FPO: [4,1,4])
0480c04c 6ab3a40e 0fe2efec 0a664ff0 0fcf2ff0 MSHTML!CInsertCommand::ApplyCommandToSegment+0x3c9 (FPO: [5,16,4])
0480c0bc 6a34991f 00000002 0480cc68 00000000 MSHTML!CInsertCommand::PrivateExec+0x238 (FPO: [3,17,4])
0480c0dc 6a349a6d 00000002 0480cc68 00000000 MSHTML!CCommand::Exec+0x44 (FPO: [4,0,4])
0480c108 6a5c1ae5 0f74df78 6a525f54 00000866 MSHTML!CMshtmlEd::Exec+0x18f (FPO: [6,2,4])
0480c140 6a55f2d5 040b5ff0 6a525f54 00000866 MSHTML!CEditRouter::ExecEditCommand+0x185 (FPO: [8,3,4])
0480cc10 6a72eaed 0cf68fb8 6a525f54 00000866 MSHTML!CDoc::ExecHelper+0x4b78 (FPO: [6,679,4])
0480cc30 6a7e0da8 0cf68fb8 6a525f54 00000866 MSHTML!CDocument::Exec+0x24 (FPO: [6,0,0])
0480cc58 6a7313dc 0cf68fb8 00000866 0a800001 MSHTML!CBase::execCommand+0x5b (FPO: [6,0,0])
0480cc90 6a9062ee 00000001 04b95fc4 09050000 MSHTML!CDocument::execCommand+0x95 (FPO: [8,3,4])
0480cd20 69e08686 09735f60 10000004 0972bde0 MSHTML!CFastDOM::CDocument::Trampoline_execCommand+0x13a (FPO: [2,23,4])
0480cd64 69e49792 09735f60 6a9061b4 10000004 jscript9!Js::JavascriptFunction::CallFunction+0xc4 (FPO: [4,5,4])
0480cdb8 69e08686 0480cdb8 10000004 0972bde0 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x117 (FPO: [SEH])
0480cdf8 69f5c794 09735f60 69e49697 10000004 jscript9!Js::JavascriptFunction::CallFunction+0xc4 (FPO: [4,5,4])
0480ce18 69e9e33b 0a808958 0a802418 0905cc18 jscript9!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutCallI_OneByte>+0x43 (FPO: [0,1,0])
0480ce44 69e9dd83 71dda4dd 0480ce80 00000000 jscript9!Js::InterpreterStackFrame::Process+0x78f (FPO: [0,6,4])
0480ce74 69e9dcf8 0480cf2c 0905de16 0905cc18 jscript9!Js::InterpreterStackFrame::ProcessThunk+0x65 (FPO: [1,7,0])

[*] Calling insertButton
[*] Freeing: 0x0f45efc8

(a00.9f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0f45efc8 edx=6abfd6d8 esi=0480aa78 edi=0fa08fa8
eip=6a3f96b8 esp=0480aa58 ebp=0480aa68 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML!CTreeNode::ComputeFormats+0x9f:
6a3f96b8 8b11            mov     edx,dword ptr [ecx]  ds:0023:0f45efc8=????????
0:005> !heap -p -a ecx
    address 0f45efc8 found in
    _DPH_HEAP_ROOT @ 1a1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    f6c31d4:          f45e000             2000
    6c9290b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    777766ac ntdll!RtlDebugFreeHeap+0x0000002f
    7773a13e ntdll!RtlpFreeHeap+0x0000005d
    777065a6 ntdll!RtlFreeHeap+0x00000142
    763bc3c4 kernel32!HeapFree+0x00000014
    6a36e3d2 MSHTML!CHRElement::`scalar deleting destructor'+0x00000028
    6a51a705 MSHTML!CBase::PrivateRelease+0x00000086
    6a56c684 MSHTML!CElement::PrivateExitTree+0x0000008a
    6a4ab16f MSHTML!CSpliceTreeEngine::RemoveSplice+0x00000884
    6a4a7345 MSHTML!CMarkup::SpliceTreeInternal+0x00000095
    6a49cca2 MSHTML!CDoc::CutCopyMove+0x00000204
    6a759ec2 MSHTML!CDoc::CutCopyMove+0x00000156
    6a7584bf MSHTML!CDoc::Remove+0x0000001a
    6ab56a54 MSHTML!CDeleteCommand::Delete+0x00000157
    6ab31040 MSHTML!CHTMLEditor::DeleteInternal+0x00000073
    6ab3ab1c MSHTML!CInsertCommand::ApplyCommandToSegment+0x0000031c
    6ab3a40e MSHTML!CInsertCommand::PrivateExec+0x00000238
    6a34991f MSHTML!CCommand::Exec+0x00000044
    6a349a6d MSHTML!CMshtmlEd::Exec+0x0000018f
    6a5c1ae5 MSHTML!CEditRouter::ExecEditCommand+0x00000185
    6a55f2d5 MSHTML!CDoc::ExecHelper+0x00004b78
    6a72eaed MSHTML!CDocument::Exec+0x00000024
    6a7e0da8 MSHTML!CBase::execCommand+0x0000005b
    6a7313dc MSHTML!CDocument::execCommand+0x00000095
    6a9062ee MSHTML!CFastDOM::CDocument::Trampoline_execCommand+0x0000013a
    69e08686 jscript9!Js::JavascriptFunction::CallFunction+0x000000c4
    69e49792 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000117
    69e08686 jscript9!Js::JavascriptFunction::CallFunction+0x000000c4
    69f5c794 jscript9!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutCallI_OneByte>+0x00000043
    69e9dd83 jscript9!Js::InterpreterStackFrame::ProcessThunk+0x00000065
    69e9dcf8 jscript9!Js::InterpreterStackFrame::InterpreterThunk+0x00000228


0:005> !heap -p -a edi
    address 0fa08fa8 found in
    _DPH_HEAP_ROOT @ 1a1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 fa005e4:          fa08fa8               54 -          fa08000             2000
    6c928e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77775ede ntdll!RtlDebugAllocateHeap+0x00000030
    7773a40a ntdll!RtlpAllocateHeap+0x000000c4
    77705ae0 ntdll!RtlAllocateHeap+0x0000023a
    6a4b0703 MSHTML!CMarkup::InsertElementInternal+0x0000033c
    6a4b0944 MSHTML!CDoc::InsertElement+0x0000010d
    6a75840a MSHTML!CDoc::InsertElement+0x00000168
    6ab3abe6 MSHTML!CInsertCommand::ApplyCommandToSegment+0x000003e6
    6ab3a40e MSHTML!CInsertCommand::PrivateExec+0x00000238
    6a34991f MSHTML!CCommand::Exec+0x00000044
    6a349a6d MSHTML!CMshtmlEd::Exec+0x0000018f
    6a5c1ae5 MSHTML!CEditRouter::ExecEditCommand+0x00000185
    6a55f2d5 MSHTML!CDoc::ExecHelper+0x00004b78
    6a72eaed MSHTML!CDocument::Exec+0x00000024
    6a7e0da8 MSHTML!CBase::execCommand+0x0000005b
    6a7313dc MSHTML!CDocument::execCommand+0x00000095
    6a9062ee MSHTML!CFastDOM::CDocument::Trampoline_execCommand+0x0000013a
    69e08686 jscript9!Js::JavascriptFunction::CallFunction+0x000000c4
    69e49792 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000117
    69e08686 jscript9!Js::JavascriptFunction::CallFunction+0x000000c4
    69f5c794 jscript9!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutCallI_OneByte>+0x00000043
    69e9dd83 jscript9!Js::InterpreterStackFrame::ProcessThunk+0x00000065
    69e9dcf8 jscript9!Js::InterpreterStackFrame::InterpreterThunk+0x00000228


0:005> dd edi
0fa08fa8  0f45efc8 00000000 00200039 00000051
0fa08fb8  00000000 00000000 00000000 00000000
0fa08fc8  00000000 00000012 00000000 00000000
0fa08fd8  00000000 00000000 00000000 ffffffff
0fa08fe8  ffffffff 00000040 00000000 00000000
0fa08ff8  0c839c38 d0d0d0d0 ???????? ????????
0fa09008  ???????? ???????? ???????? ????????
0fa09018  ???????? ???????? ???????? ????????
0:005> dd ecx
0f45efc8  ???????? ???????? ???????? ????????
0f45efd8  ???????? ???????? ???????? ????????
0f45efe8  ???????? ???????? ???????? ????????
0f45eff8  ???????? ???????? ???????? ????????
0f45f008  ???????? ???????? ???????? ????????
0f45f018  ???????? ???????? ???????? ????????
0f45f028  ???????? ???????? ???????? ????????
0f45f038  ???????? ???????? ???????? ????????
0:005> kv
ChildEBP RetAddr  Args to Child
0480aa68 6a3faf46 0480b14c 0fa08fa8 00000000 MSHTML!CTreeNode::ComputeFormats+0x9f (FPO: [0,2,0])
0480b03c 6a67675c 0480b114 6a4593f0 00000000 MSHTML!CTreeNode::ComputeFormatsHelper+0x40 (FPO: [0,368,0])
0480b044 6a4593f0 00000000 0fa24ec8 00000000 MSHTML!ISpanQualifier::GetCharFormat+0x3d (FPO: [1,0,0])
0480b114 6a459329 0fa24ec8 00000000 0fcbafa4 MSHTML!SRunPointer::GetLineHeightProperties+0x103 (FPO: [9,45,4])
0480b158 6a452135 0fa24ec8 0fa24ec8 00000000 MSHTML!CLineServicesClient::GetSpanLineHeightProperties+0x82 (FPO: [14,4,0])
0480b1ac 6a452082 0fcbafa0 0fa24ec8 00000000 MSHTML!Ptls5::CLsSpanLineHeightInfo::Create+0x7d (FPO: [9,2,4])
0480b1e8 6a451f57 0fa24ec8 00000000 00000001 MSHTML!Ptls5::CLsSpanNode::Create+0x119 (FPO: [14,2,0])
0480b230 6a451d66 00000000 00000001 00000000 MSHTML!Ptls5::CLsSpanService::OpenSpan+0x52 (FPO: [8,1,4])
0480b270 6a452186 0fa2aa0c 0480b2e8 00000000 MSHTML!Ptls5::LsAppendMainLine+0x2c9 (FPO: [4,3,4])
0480b298 6a45321c 0fa2aa0c 00000000 0faf8f9c MSHTML!Ptls5::LsFormatMainLine+0x36 (FPO: [8,1,4])
0480b48c 6a557045 0480b5b4 6a46a340 0fa24ec8 MSHTML!Ptls5::LsCreateLineCore+0x433 (FPO: [11,113,4])
0480b560 6a47117c 00000000 00000000 00000000 MSHTML!CDoc::HasFocus+0x35 (FPO: [0,1,4])
0480b578 6a471134 0fce0d58 0fd38f90 0480b5b8 MSHTML!HtmlLayout::FlowBoxBuilder::HasAttachedRunForBox+0x3f (FPO: [2,0,4])
0480b5a4 6a469b90 00000000 00000000 0480b61c MSHTML!HtmlLayout::LineBox::CanBeReused+0x243 (FPO: [9,4,4])
0480b678 6a40de7d 0480b6a4 6a4a1785 0fce0d58 MSHTML!SLayoutRun::GetLineBoxForReUse+0x63 (FPO: [10,3,4])
0480b6f0 6a4157da 00000000 0480ba48 0fce0d58 MSHTML!HtmlLayout::ContainerBox::GetScrollBarSize+0x14 (FPO: [0,0,4])
0480b704 6a46d1c2 0fd64d58 0fd64d58 0fe8cfe0 MSHTML!HtmlLayout::FlowBoxBuilder::CreateDisplayNodeForChildIfForDisplay+0x39 (FPO: [1,0,4])
0480b884 6a415d63 0fe8cfe0 0fe8cfe0 0480ba48 MSHTML!HtmlLayout::FlowBoxBuilder::OnChildBoxEntry+0xc27 (FPO: [2,87,4])
0480b8a0 0480b8c0 6a467c8d 0480ba48 0480ba48 MSHTML!HtmlLayout::LayoutBuilder::ExitBlock+0x86 (FPO: [2,1,4])
WARNING: Frame IP not in any known module. Following frames may be wrong.
0480b8c0 6a414a5c 0480b9f0 0480ba34 00000000 0x480b8c0
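The session above ends with the pattern that defines this bug class: the CHRElement created at 0x0f45efc8 is freed while insertButton runs (the page-heap free stack goes through CDeleteCommand::Delete into the CHRElement destructor), yet the live allocation in edi, handed out by CMarkup::InsertElementInternal, still holds that address as its first dword, and CTreeNode::ComputeFormats dereferences it. As an added example that is not part of the original assessment, the Python below parses a constructed excerpt of exactly these log lines and performs that triage mechanically: it checks that the faulting register holds the freed address, that `!heap -p -a` reports the block as freed, and it searches the busy allocation's `dd` dump for dangling copies of the pointer. The regular expressions are assumptions about the WinDbg text layout shown here, not a WinDbg API.

```python
"""Crash-log triage for a WinDbg page-heap session (added example, not from the assessment)."""
import re

HEX = r"[0-9a-fA-F]+"

# Constructed excerpt of the session above: only the lines the triage logic reads.
SAMPLE_LOG = """\
[*] CHRElement created: 0x0f45efc8
[*] Calling insertButton
[*] Freeing: 0x0f45efc8
(a00.9f0): Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=0f45efc8 edx=6abfd6d8 esi=0480aa78 edi=0fa08fa8
eip=6a3f96b8 esp=0480aa58 ebp=0480aa68 iopl=0         nv up ei pl zr na pe nc
MSHTML!CTreeNode::ComputeFormats+0x9f:
6a3f96b8 8b11            mov     edx,dword ptr [ecx]  ds:0023:0f45efc8=????????
0:005> !heap -p -a ecx
    address 0f45efc8 found in
    _DPH_HEAP_ROOT @ 1a1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    f6c31d4:          f45e000             2000
    6c9290b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    6a36e3d2 MSHTML!CHRElement::`scalar deleting destructor'+0x00000028
    6ab56a54 MSHTML!CDeleteCommand::Delete+0x00000157
0:005> !heap -p -a edi
    address 0fa08fa8 found in
    _DPH_HEAP_ROOT @ 1a1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 fa005e4:          fa08fa8               54 -          fa08000             2000
    6c928e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    6a4b0703 MSHTML!CMarkup::InsertElementInternal+0x0000033c
0:005> dd edi
0fa08fa8  0f45efc8 00000000 00200039 00000051
0fa08fb8  00000000 00000000 00000000 00000000
0:005> kv
"""

# All patterns below are assumptions about the text layout WinDbg printed in this session.
def parse_lifecycle(log):
    """Return (created, freed) object addresses printed by the trigger script."""
    created = re.search(r"created: 0x(" + HEX + ")", log)
    freed = re.search(r"Freeing: 0x(" + HEX + ")", log)
    return (int(created.group(1), 16) if created else None,
            int(freed.group(1), 16) if freed else None)

def parse_registers(log):
    """Return {register: value} from the 'eax=... ebx=...' dump lines."""
    pat = r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=(" + HEX + ")"
    return {name: int(val, 16) for name, val in re.findall(pat, log)}

def parse_fault(log):
    """Return (register dereferenced, effective address) of the faulting instruction."""
    m = re.search(r"dword ptr \[(\w+)\]\s+ds:\w+:(" + HEX + ")=", log)
    return m.group(1), int(m.group(2), 16)

def parse_heap_queries(log):
    """Parse each '!heap -p -a <reg>' block into {reg: {address, state, frames}}."""
    results, current = {}, None
    for line in log.splitlines():
        m = re.match(r"\d+:\d+> !heap -p -a (\w+)", line)
        if m:
            current = results[m.group(1)] = {"address": None, "state": None, "frames": []}
            continue
        if re.match(r"\d+:\d+> ", line):   # any other debugger command ends the block
            current = None
            continue
        if current is None:
            continue
        s = line.strip()
        m = re.match(r"address (" + HEX + ") found in", s)
        if m:
            current["address"] = int(m.group(1), 16)
        elif s.startswith("in free-ed allocation"):
            current["state"] = "free"
        elif s.startswith("in busy allocation"):
            current["state"] = "busy"
        else:
            m = re.match(r"(" + HEX + r") (\S.*)$", s)   # 'retaddr symbol+offset' stack frame
            if m:
                current["frames"].append(m.group(2))
    return results

def parse_dd(log):
    """Parse each 'dd <reg>' dump into {reg: [(address, dword), ...]}, skipping '????????'."""
    dumps, current = {}, None
    for line in log.splitlines():
        m = re.match(r"\d+:\d+> dd (\w+)", line)
        if m:
            current = dumps[m.group(1)] = []
            continue
        if re.match(r"\d+:\d+> ", line):
            current = None
            continue
        parts = line.split()
        if current is None or len(parts) < 2 or not re.fullmatch(HEX, parts[0]):
            continue
        base = int(parts[0], 16)
        for i, tok in enumerate(parts[1:]):
            if re.fullmatch(HEX, tok):
                current.append((base + 4 * i, int(tok, 16)))
    return dumps

def triage(log):
    """Combine the parsed facts into a use-after-free verdict plus the evidence behind it."""
    created, freed = parse_lifecycle(log)
    regs, heap, dumps = parse_registers(log), parse_heap_queries(log), parse_dd(log)
    reg, fault_addr = parse_fault(log)
    free_stack = heap.get(reg, {}).get("frames", [])
    findings = {
        "freed_object_matches_created": created is not None and created == freed,
        "fault_reads_freed_object": fault_addr == freed and regs.get(reg) == freed,
        "page_heap_confirms_free": heap.get(reg, {}).get("state") == "free",
        "freed_in": next((f for f in free_stack if f.startswith("MSHTML!")), None),
        "dangling_refs": [],   # (register, byte offset) of live blocks still holding the pointer
    }
    for dreg, words in dumps.items():
        if heap.get(dreg, {}).get("state") != "busy":
            continue
        base = heap[dreg]["address"]
        findings["dangling_refs"] += [(dreg, addr - base) for addr, val in words if val == freed]
    findings["verdict"] = ("use-after-free"
                           if findings["fault_reads_freed_object"] and findings["page_heap_confirms_free"]
                           else "inconclusive")
    return findings

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The verdict rests on two independent signals, which is what makes page heap (`!gflags +hpa` style full-page allocations) so useful for this triage: the faulting read targets the exact address the script freed, and the allocator itself reports that block as freed with the destructor in its stack. The offset-0 hit in the busy block is the dangling pointer that a correct fix has to clear or the object lifetime has to cover.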
