BugTraq
CVE-2015-0050: Microsoft Internet Explorer 8 MSHTML SRunPointer::SpanQualifier/RunType OOB read details Nov 22 2016 09:56AM
Berend-Jan Wever (berendj nwever nl)
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
sixteenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161122001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 8 MSHTML SRunPointer::SpanQualifier/RunType OOB read
=========================================================
(MS15-009, CVE-2015-0050)

Synopsis
--------
A specially crafted web-page can cause Microsoft Internet Explorer 8 to
attempt to read data beyond the boundaries of a memory allocation. The
issue does not appear to be easily exploitable.

Known affected software, attack vectors and mitigations
-------------------------------------------------------
* Microsoft Internet Explorer 8

An attacker would need to get a target user to open a specially
crafted web-page. Disabling Javascript should prevent an attacker
from triggering the vulnerable code path.

Description
-----------
The issue requires rather complex manipulation of the DOM and results in
reading a value immediately following an object. The lower three bits of
this value are returned by the function doing the reading, resulting in
a return value in the range 0-7. After exhaustively skipping over the
read AV and having that function return each value, no other side
effects were noticed. For that reason I assume this issue is hard if not
impossible to exploit and did not investigate further. It is still
possible that there may be subtle effects that I did not notice that
allow exploitation in some form or other.

Time-line
---------
* *June 2014*: This vulnerability was found through fuzzing.
* *October 2014*: This vulnerability was submitted to ZDI.
* *October 2014*: This vulnerability was rejected by ZDI.
* *November 2014*: This vulnerability was reported to MSRC.
* *February 2015*: This vulnerability was addressed by Microsoft in
MS15-009.
* *November 2016*: Details of this issue are released.

Cheers,

SkyLined
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQINBFeg3+kBEACfJ83XEx+3CXfc2pyDlZ5+DFSvhdvbSvemqEckOtrQxTYOmH/8
6WrX2B7K6eyolLCIQMi0FjXK5hjJJFYTMrhoa7pP9V9PD2f4TI+tZv+g0D8wDVam
wYsZrFB6NwzyUaBykjj4chYxxzUxTwagwCxvrGNY871tiVWV5eR3TrKRcsFwzN53
G3lhAT974YRCIBMuA6y+3Jrd8hgfODWUtYsH4WPhaLJRr9qaatN+Fnpk+rb9X62C
EqcVXhgNeIz1j/K3I3XoHqMThNu5zbv7uQrp2j+/0fZjKXxZ7HZhTKzIFTrJkrTA
jQ34iq0qgXmLltpKtOLJKhPQPb8J/N0MxOOTa34BDeSiqwlcRzkl7lYTIl7hvvCn
lSRbu+PoAW0GrD17RAA9FQoqdDDiNLHlXnjx7Jg/Tchq1EF70hKzMojcwyjPilty
HJRtPq/sZEdjwEuA5fM+3cmkmRWZYXmn93rB2KTNlGXo+7II6eXx1E6iw7MBzhV5
+mB9A/6FLPhb6TY7TrWOKC65uEtYjHArcb2WeB7/6g9r0nPcBzFiXt35U+YdbmiH
Qt4L5aivYI3WNwQh391Q8QH8i1C0DTI0TCoinzBHzySJfiQ5IP8BUmPIKJWxSeiF
Od5Fv3bz7S7DihtP+i7XyChoHVAleu9tk4/kIQlJ/PPbBpRAYFhQKwSX3QARAQAB
tCRCZXJlbmQtSmFuIFdldmVyIDxiZXJlbmRqQG53ZXZlci5ubD6JAj8EEwEIACkF
Aleg3+kCGw8FCQIDCbcHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRCdHa2I
JVfFqn6TD/0aQmgvFcwoAOn52NujoEgl5LxdvcrPgDaZK10kuolsA2u/IaB4J3yY
c2Z8kTfGOg5ObCBHlq6B9qYn3ptr+C0ICuYENIVoHdcBgdK9JXscRWrOU8JI69mj
gmsKNLei+AuBGGC7LJOV6JNqYkVieukkFQkv17pvFl63GqNcVkwEXIzzeGOHYHqA
dvPR7xTZu+dA2olB2BVC9XsWJpsxJqzuX8L3wOEn1EFAhlbeSlBo2kXB04DnjUXU
qHa9M2PZ4q0xWmD+iAThTdyoB+FvSvn6+ThFhig99dOsx8ZLS/QRwMoq1qgN1Nst
YFZgCUuGqwR7d0Dr8/Vb1qzQmIPtn/JCjbFNuIssGRA3tDVwTvEmgfAhpVApuS8f
bNWGV2fQmEfLShqXOI/GfEYt8ltoozKKTYRiXt7oqsrLGWjXJ6SZAYcFHOCc9CbC
TukyDyndVIWAwJRSr9SHKyokElnJBeiGW9rMwITW4BRf7YfXNwHHOFW95esbNIEF
sL37BfzBoTNDUShajB8kVKJv0LE5OZArsQfz2yBXoU2AyvGEvbYdt0q53+FwGzX/
EtqkcFYqwKkxurjn8Nkk4x4hjoiUmXHj45G/MgwLxY8Skf6RvBr0eu4Mh7FxoTRP
LX5hIpGbCO3umoGbHNGkJcEw5S9oIQdb3ysf5HVLi7Pw6AIfJZWSfIkBHAQQAQgA
BgUCV6S2FwAKCRBf2KWWmuk+Yng/B/0f/nSDAnmXAiZ2HPi/ujfAEzFPWmahZJVv
Ih9DjuRUV6vk1B9Sh+yiPPZ3FfqOzVE0n6Eh1Kggs6MwQCWv+NfC0KE6rQwxjMce
+eOAf9dbVQ8h6H4yGyIyb4f0tJFRyGpOK8zlKwjvPj2gvTZFjcc1PaZ7cIeuwheB
Ijtw9DQWIoQoFFHZkLHxmNo8IT+r7lB19rVWoh1pu/zfuC+xjQLCpzexafFGY3TT
Fz7YdO14F61sJjrf++9twRi7RoHWGnAcFCZynG6x4jyog1u9iKMK2T2nV5yyQg21
yhw4zEV1pKDwUdHK+TwmtyD5c6oL3IjNDWaHn0aejKgfEiiLUBLe
=anIL
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJYNBZwAAoJEJ0drYglV8WqJHMP+wSf/gBioJtzp5jw+wa4iNJq
vLf0ApsIqjQUoQi75r2OIan3e1G58aLEkrwC/SUgn1ubrV5eKSk93i4CNfpy1RrZ
6OzW04d8hXUorLNZxTF86BSlpJgm4qdP9KPGl7Eq8MVtnrHVmkseL+dJohJsXFpv
H4tpdodk52dy3vgOWToG1BSqB4fhWPyALVTeoJGPbzBez5Vjf1Ruo0svvFuQeCvF
erc9hJAhYW6KhnX+QKipobOnJDM3yuGmhZURwsjYsIs10AaXcymBQGmJZG/TUPc+
1OFCeZuKCfbrJzjSxzB54DjS7IAthqbd9J3s33Gd3KTkCZpG9ZyIMg6XKtbKnddM
T9blH9D1GUW5V8gjuJXgw3BjPvAsYHJh2+Ag3C0wvIh6jYmZwCbojLtZLqKhZOBe
V3sDW0TzxbzjXIX1qjUKosB3ARB32knOZtm74GaOX/PoGDXSCkpYYa4Nl1jayGst
rLx6oUR7Y2iA+LlDSOTv/KmEY9+Uwe8wIVqzzDFV8KGL79+mMJHqJyTl0elPsF6s
SalBSQokhcIfFojB+2OlzZSxNdXO9TMc4zpCd5Fx9lIOvw1sMb0sA31w+oOzKJP7
OFUd7qMpEoZ/clw8mNH993kVzZfWnsnE9a5ZcOwTWRveTsOudIjoNopxG5sk5h6Z
UPhK3r2gsGFIPM691zVZ
=qJ3g
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus