0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS Edge CMarkup::EnsureDeleteCFState Use-After-Free Vulnerability
[As I am sure you are by now well aware, in November I decided to start
releasing details on all vulnerabilities I found in web-browsers that I
had not released before. As I was unable to publish all of them within a
single month, I will try to continue to publish all my old
vulnerabilities, including those not in web-browser, as long as I can
find some time to do so.
This is the twenty-third entry in the series. This information is
available in more detail on my blog at
http://blog.skylined.nl/20161201001.html. There you can find a repro
that triggered this issue in addition to the information below.
Follow me on http://twitter.com/berendjanwever for daily browser bugs.
MS Edge CMarkup::EnsureDeleteCFState use-after-free
===================================================
(MS15-125, CVE-2015-6168)
Synopsis
--------
A specially crafted web-page can trigger a memory corruption
vulnerability in Microsoft Edge. I did not investigate this
vulnerability thoroughly, so I cannot speculate on the potential impact
or exploitability.
Known affected software and attack vectors
------------------------------------------
* Microsoft Edge 11.0.10240.16384
An attacker would need to get a target user to open a specially
crafted web-page. Disabling JavaScript does not prevent an attacker
from triggering the vulnerable code path.
Description
-----------
At the time this issue was first discovered, MemGC was just introduced,
and I had not yet fully appreciated what an impact it would have on
mitigating use-after-free bugs. Despite MemGC being enabled in Microsoft
Edge by default, this issue appeared to me to have been a use-after-free
vulnerability. However, both Microsoft and ZDI (whom I sold the
vulnerability to) describes it as a memory corruption vulnerability, so
it's probably more complex than I assumed.
At the time, I did not consider this vulnerability to be of great
interest, as there was no immediately obvious way of controlling the
vulnerability in order to exploit it. So, I did not do any further
investigation into the root cause and, if this was indeed a
use-after-free, how come MemGC did not mitigate it?
In hindsight, it would have been a good idea to investigate the root
cause, as any use-after-free that is not mitigated by MemGC might
provide hints on how to find more vulnerabilities that bypass it.
Time-line
---------
* August 2015: This vulnerability was found through fuzzing.
* August 2015: This vulnerability was submitted to ZDI.
* December 2015: Microsoft addresses this vulnerability in MS15-125.
* December 2016: Details of this vulnerability are released.
Cheers,
SkyLined
Repro
/<style>:first-letter{word-spacing:9
Variation
x<style>:first-letter{background-position:inherit
# 0day.today [2024-11-15] #