Attacker Value
Unknown
Microsoft Internet Explorer Use-After-Free Vulnerability
Attacker Value
Unknown
(1 user assessed)
Exploitability
Unknown
(1 user assessed)User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability.” !
Add Assessment
2
Technical Analysis
Windbg Log
[*] in trigger() [*] Creating element SAMP [*] Creating element TH [*] Creating element RT [*] Creating element COMMAND [*] Creatig element STYLE [*] Creating element BUTTON [*] Creating element FRAME [*] Creating element TR [*] Appending element SAMP [*] Appending element TH [*] Appending element RT [*] Appending element COMMAND [*] Appending element STYLE [*] Appending element BUTTON [*] Appending element FRAME [*] Appending element TR [*] Calling createTextRange() [*] Calling moveToElementText() with element RT [*] Calling moveEnd('character', 7) [*] Selecting text range [*] Executing text bold [*] Execute insdertFieldSet [*] Selecting text range again [*] Calling InsertHorizontalRule [*] CHRElement created: 0x0f45efc8 ChildEBP RetAddr Args to Child 0480be7c 6a3a14b3 0fc5ff00 0cec5528 0480beb0 MSHTML!CHRElement::CreateElement+0x16 (FPO: [3,0,4]) 0480bea8 6a420994 00000000 0480bfe4 0cec5528 MSHTML!CreateElement+0x6c (FPO: [6,3,4]) 0480bfc0 6a759a26 00000039 0480bfe4 0fe2efec MSHTML!CMarkup::CreateElement+0x430 (FPO: [4,59,4]) 0480bfe8 6ab3abc9 0cec5528 00000030 0fe2efec MSHTML!CDoc::CreateElement+0x7a (FPO: [4,1,4]) 0480c04c 6ab3a40e 0fe2efec 0a664ff0 0fcf2ff0 MSHTML!CInsertCommand::ApplyCommandToSegment+0x3c9 (FPO: [5,16,4]) 0480c0bc 6a34991f 00000002 0480cc68 00000000 MSHTML!CInsertCommand::PrivateExec+0x238 (FPO: [3,17,4]) 0480c0dc 6a349a6d 00000002 0480cc68 00000000 MSHTML!CCommand::Exec+0x44 (FPO: [4,0,4]) 0480c108 6a5c1ae5 0f74df78 6a525f54 00000866 MSHTML!CMshtmlEd::Exec+0x18f (FPO: [6,2,4]) 0480c140 6a55f2d5 040b5ff0 6a525f54 00000866 MSHTML!CEditRouter::ExecEditCommand+0x185 (FPO: [8,3,4]) 0480cc10 6a72eaed 0cf68fb8 6a525f54 00000866 MSHTML!CDoc::ExecHelper+0x4b78 (FPO: [6,679,4]) 0480cc30 6a7e0da8 0cf68fb8 6a525f54 00000866 MSHTML!CDocument::Exec+0x24 (FPO: [6,0,0]) 0480cc58 6a7313dc 0cf68fb8 00000866 0a800001 MSHTML!CBase::execCommand+0x5b (FPO: [6,0,0]) 0480cc90 6a9062ee 00000001 04b95fc4 09050000 MSHTML!CDocument::execCommand+0x95 (FPO: [8,3,4]) 0480cd20 69e08686 09735f60 10000004 0972bde0 MSHTML!CFastDOM::CDocument::Trampoline_execCommand+0x13a (FPO: [2,23,4]) 0480cd64 69e49792 09735f60 6a9061b4 10000004 jscript9!Js::JavascriptFunction::CallFunction+0xc4 (FPO: [4,5,4]) 0480cdb8 69e08686 0480cdb8 10000004 0972bde0 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x117 (FPO: [SEH]) 0480cdf8 69f5c794 09735f60 69e49697 10000004 jscript9!Js::JavascriptFunction::CallFunction+0xc4 (FPO: [4,5,4]) 0480ce18 69e9e33b 0a808958 0a802418 0905cc18 jscript9!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutCallI_OneByte>+0x43 (FPO: [0,1,0]) 0480ce44 69e9dd83 71dda4dd 0480ce80 00000000 jscript9!Js::InterpreterStackFrame::Process+0x78f (FPO: [0,6,4]) 0480ce74 69e9dcf8 0480cf2c 0905de16 0905cc18 jscript9!Js::InterpreterStackFrame::ProcessThunk+0x65 (FPO: [1,7,0]) [*] Calling insertButton [*] Freeing: 0x0f45efc8 (a00.9f0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=0f45efc8 edx=6abfd6d8 esi=0480aa78 edi=0fa08fa8 eip=6a3f96b8 esp=0480aa58 ebp=0480aa68 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 MSHTML!CTreeNode::ComputeFormats+0x9f: 6a3f96b8 8b11 mov edx,dword ptr [ecx] ds:0023:0f45efc8=???????? 0:005> !heap -p -a ecx address 0f45efc8 found in _DPH_HEAP_ROOT @ 1a1000 in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize) f6c31d4: f45e000 2000 6c9290b2 verifier!AVrfDebugPageHeapFree+0x000000c2 777766ac ntdll!RtlDebugFreeHeap+0x0000002f 7773a13e ntdll!RtlpFreeHeap+0x0000005d 777065a6 ntdll!RtlFreeHeap+0x00000142 763bc3c4 kernel32!HeapFree+0x00000014 6a36e3d2 MSHTML!CHRElement::`scalar deleting destructor'+0x00000028 6a51a705 MSHTML!CBase::PrivateRelease+0x00000086 6a56c684 MSHTML!CElement::PrivateExitTree+0x0000008a 6a4ab16f MSHTML!CSpliceTreeEngine::RemoveSplice+0x00000884 6a4a7345 MSHTML!CMarkup::SpliceTreeInternal+0x00000095 6a49cca2 MSHTML!CDoc::CutCopyMove+0x00000204 6a759ec2 MSHTML!CDoc::CutCopyMove+0x00000156 6a7584bf MSHTML!CDoc::Remove+0x0000001a 6ab56a54 MSHTML!CDeleteCommand::Delete+0x00000157 6ab31040 MSHTML!CHTMLEditor::DeleteInternal+0x00000073 6ab3ab1c MSHTML!CInsertCommand::ApplyCommandToSegment+0x0000031c 6ab3a40e MSHTML!CInsertCommand::PrivateExec+0x00000238 6a34991f MSHTML!CCommand::Exec+0x00000044 6a349a6d MSHTML!CMshtmlEd::Exec+0x0000018f 6a5c1ae5 MSHTML!CEditRouter::ExecEditCommand+0x00000185 6a55f2d5 MSHTML!CDoc::ExecHelper+0x00004b78 6a72eaed MSHTML!CDocument::Exec+0x00000024 6a7e0da8 MSHTML!CBase::execCommand+0x0000005b 6a7313dc MSHTML!CDocument::execCommand+0x00000095 6a9062ee MSHTML!CFastDOM::CDocument::Trampoline_execCommand+0x0000013a 69e08686 jscript9!Js::JavascriptFunction::CallFunction+0x000000c4 69e49792 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000117 69e08686 jscript9!Js::JavascriptFunction::CallFunction+0x000000c4 69f5c794 jscript9!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutCallI_OneByte>+0x00000043 69e9dd83 jscript9!Js::InterpreterStackFrame::ProcessThunk+0x00000065 69e9dcf8 jscript9!Js::InterpreterStackFrame::InterpreterThunk+0x00000228 0:005> !heap -p -a edi address 0fa08fa8 found in _DPH_HEAP_ROOT @ 1a1000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) fa005e4: fa08fa8 54 - fa08000 2000 6c928e89 verifier!AVrfDebugPageHeapAllocate+0x00000229 77775ede ntdll!RtlDebugAllocateHeap+0x00000030 7773a40a ntdll!RtlpAllocateHeap+0x000000c4 77705ae0 ntdll!RtlAllocateHeap+0x0000023a 6a4b0703 MSHTML!CMarkup::InsertElementInternal+0x0000033c 6a4b0944 MSHTML!CDoc::InsertElement+0x0000010d 6a75840a MSHTML!CDoc::InsertElement+0x00000168 6ab3abe6 MSHTML!CInsertCommand::ApplyCommandToSegment+0x000003e6 6ab3a40e MSHTML!CInsertCommand::PrivateExec+0x00000238 6a34991f MSHTML!CCommand::Exec+0x00000044 6a349a6d MSHTML!CMshtmlEd::Exec+0x0000018f 6a5c1ae5 MSHTML!CEditRouter::ExecEditCommand+0x00000185 6a55f2d5 MSHTML!CDoc::ExecHelper+0x00004b78 6a72eaed MSHTML!CDocument::Exec+0x00000024 6a7e0da8 MSHTML!CBase::execCommand+0x0000005b 6a7313dc MSHTML!CDocument::execCommand+0x00000095 6a9062ee MSHTML!CFastDOM::CDocument::Trampoline_execCommand+0x0000013a 69e08686 jscript9!Js::JavascriptFunction::CallFunction+0x000000c4 69e49792 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000117 69e08686 jscript9!Js::JavascriptFunction::CallFunction+0x000000c4 69f5c794 jscript9!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutCallI_OneByte>+0x00000043 69e9dd83 jscript9!Js::InterpreterStackFrame::ProcessThunk+0x00000065 69e9dcf8 jscript9!Js::InterpreterStackFrame::InterpreterThunk+0x00000228 0:005> dd edi 0fa08fa8 0f45efc8 00000000 00200039 00000051 0fa08fb8 00000000 00000000 00000000 00000000 0fa08fc8 00000000 00000012 00000000 00000000 0fa08fd8 00000000 00000000 00000000 ffffffff 0fa08fe8 ffffffff 00000040 00000000 00000000 0fa08ff8 0c839c38 d0d0d0d0 ???????? ???????? 0fa09008 ???????? ???????? ???????? ???????? 0fa09018 ???????? ???????? ???????? ???????? 0:005> dd ecx 0f45efc8 ???????? ???????? ???????? ???????? 0f45efd8 ???????? ???????? ???????? ???????? 0f45efe8 ???????? ???????? ???????? ???????? 0f45eff8 ???????? ???????? ???????? ???????? 0f45f008 ???????? ???????? ???????? ???????? 0f45f018 ???????? ???????? ???????? ???????? 0f45f028 ???????? ???????? ???????? ???????? 0f45f038 ???????? ???????? ???????? ???????? 0:005> kv ChildEBP RetAddr Args to Child 0480aa68 6a3faf46 0480b14c 0fa08fa8 00000000 MSHTML!CTreeNode::ComputeFormats+0x9f (FPO: [0,2,0]) 0480b03c 6a67675c 0480b114 6a4593f0 00000000 MSHTML!CTreeNode::ComputeFormatsHelper+0x40 (FPO: [0,368,0]) 0480b044 6a4593f0 00000000 0fa24ec8 00000000 MSHTML!ISpanQualifier::GetCharFormat+0x3d (FPO: [1,0,0]) 0480b114 6a459329 0fa24ec8 00000000 0fcbafa4 MSHTML!SRunPointer::GetLineHeightProperties+0x103 (FPO: [9,45,4]) 0480b158 6a452135 0fa24ec8 0fa24ec8 00000000 MSHTML!CLineServicesClient::GetSpanLineHeightProperties+0x82 (FPO: [14,4,0]) 0480b1ac 6a452082 0fcbafa0 0fa24ec8 00000000 MSHTML!Ptls5::CLsSpanLineHeightInfo::Create+0x7d (FPO: [9,2,4]) 0480b1e8 6a451f57 0fa24ec8 00000000 00000001 MSHTML!Ptls5::CLsSpanNode::Create+0x119 (FPO: [14,2,0]) 0480b230 6a451d66 00000000 00000001 00000000 MSHTML!Ptls5::CLsSpanService::OpenSpan+0x52 (FPO: [8,1,4]) 0480b270 6a452186 0fa2aa0c 0480b2e8 00000000 MSHTML!Ptls5::LsAppendMainLine+0x2c9 (FPO: [4,3,4]) 0480b298 6a45321c 0fa2aa0c 00000000 0faf8f9c MSHTML!Ptls5::LsFormatMainLine+0x36 (FPO: [8,1,4]) 0480b48c 6a557045 0480b5b4 6a46a340 0fa24ec8 MSHTML!Ptls5::LsCreateLineCore+0x433 (FPO: [11,113,4]) 0480b560 6a47117c 00000000 00000000 00000000 MSHTML!CDoc::HasFocus+0x35 (FPO: [0,1,4]) 0480b578 6a471134 0fce0d58 0fd38f90 0480b5b8 MSHTML!HtmlLayout::FlowBoxBuilder::HasAttachedRunForBox+0x3f (FPO: [2,0,4]) 0480b5a4 6a469b90 00000000 00000000 0480b61c MSHTML!HtmlLayout::LineBox::CanBeReused+0x243 (FPO: [9,4,4]) 0480b678 6a40de7d 0480b6a4 6a4a1785 0fce0d58 MSHTML!SLayoutRun::GetLineBoxForReUse+0x63 (FPO: [10,3,4]) 0480b6f0 6a4157da 00000000 0480ba48 0fce0d58 MSHTML!HtmlLayout::ContainerBox::GetScrollBarSize+0x14 (FPO: [0,0,4]) 0480b704 6a46d1c2 0fd64d58 0fd64d58 0fe8cfe0 MSHTML!HtmlLayout::FlowBoxBuilder::CreateDisplayNodeForChildIfForDisplay+0x39 (FPO: [1,0,4]) 0480b884 6a415d63 0fe8cfe0 0fe8cfe0 0480ba48 MSHTML!HtmlLayout::FlowBoxBuilder::OnChildBoxEntry+0xc27 (FPO: [2,87,4]) 0480b8a0 0480b8c0 6a467c8d 0480ba48 0480ba48 MSHTML!HtmlLayout::LayoutBuilder::ExitBlock+0x86 (FPO: [2,1,4]) WARNING: Frame IP not in any known module. Following frames may be wrong. 0480b8c0 6a414a5c 0480b9f0 0480ba34 00000000 0x480b8c0
General Information
