microsoft internet explorer 11 null pointer dereference

▸▸▸ Exploit & Vulnerability >>   local exploit & windows vulnerability




Online Vulnerability Scanner Tools
microsoft internet explorer 11 null pointer dereference Code Code... 
				
# Exloit Title: Microsoft Internet Explorer 11 - Null Pointer Difference
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-11-03
# Vendor: Microsoft Corporation
# Product web page: https://www.microsoft.com
# Affected version: 11.345.17134.0 (Update Versions: 11.0.90 (KB4462949))
#                   11.1387.15063.0 (Update Versions: 11.0.90 (KB4462949))
#                   11.0.9600.18282 (Update Versions: 11.0.30 (KB3148198))
#                   11.0.9600.17843 (Update Versions: 11.0.20 (KB3058515))
# Tested on: Microsoft Windows 10 (EN) (64bit)
#            Microsoft Windows 7 SP1 (EN) (32/64bit)
# Affected module: mshtml.dll
# Affected functions: Tree::Notify_InvalidateDisplay
#                     CTreeNode::EnsureNoDependentLayoutFixup
#                     CMarkup::BuildDescendentsList
# References:
# Advisory ID: ZSL-2018-5499
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5499.php

# Desc: The crash is caused due to a NULL pointer dereference access violation inside the
# 'Tree::Notify_InvalidateDisplay' function while parsing malformed DOM elements. The issue
# was discovered using the Domato fuzzer.

# Microsoft Internet Explorer 11 Tree::Notify_InvalidateDisplay Null Pointer Dereference
# PoC: https://www.zeroscience.mk/codes/msie11_nullptr_fuzz-33.html.rar

# Trace:
################################################################################################

(e9c.142c): Access violation - code c0000005 (!!! second chance !!!)
eax=21b9efa0 ebx=21b9efac ecx=21b9efa0 edx=00000000 esi=00000000 edi=187a8fc4
eip=63f04e48 esp=08c39ab8 ebp=08c39ac4 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
MSHTML!CTreeNode::EnsureNoDependentLayoutFixup+0x43:
63f04e48 f70600010000    test    dword ptr [esi],100h ds:002b:00000000=????????
0:007> k
 # ChildEBP RetAddr  
00 08c39ac4 63a52ddf MSHTML!CTreeNode::EnsureNoDependentLayoutFixup+0x43
01 08c39bd0 63a523c5 MSHTML!CMarkup::InsertElementInternalNoInclusions+0x1f3
02 08c39bf8 63a529d3 MSHTML!CMarkup::InsertElementInternal+0x3d
03 08c39c38 63a52a54 MSHTML!CDoc::InsertElement+0x9b
04 08c39cf8 63a3ca96 MSHTML!InsertDOMNodeHelper+0x154
05 08c39db8 63a3cc73 MSHTML!CElement::InsertBeforeHelper+0x22b
06 08c39ddc 63a3cff3 MSHTML!CElement::InsertBefore+0x2f
07 08c39e70 63a3cf06 MSHTML!CElement::Var_appendChild+0xb3
08 08c39ea0 6de5e6ee MSHTML!CFastDOM::CNode::Trampoline_appendChild+0x75
09 08c39f08 6de582cd jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x101
0a 08c39f50 6df0833d jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
0b 08c39f74 6dffc483 jscript9!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutCallI> >+0x53
0c 08c39fa0 6dffc45c jscript9!Js::InterpreterStackFrame::OP_ProfileReturnTypeCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutCallI> >+0x1c
0d 08c39fc0 6dffc428 jscript9!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallI<Js::OpLayoutCallI>+0x2a
0e 08c3a1b0 6dee5371 jscript9!Js::InterpreterStackFrame::Process+0x4e90
0f 08c3a1e8 6dee53d0 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
10 08c3a3d8 6de5c96b jscript9!Js::InterpreterStackFrame::Process+0x39dc
11 08c3bde4 0d8c0fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1ce
WARNING: Frame IP not in any known module. Following frames may be wrong.
12 08c3bdf0 6de5c22d 0xd8c0fd9
13 08c3bfe8 6de5c96b jscript9!Js::InterpreterStackFrame::Process+0x1940
14 08c3c104 0d8c0fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1ce
15 08c3c110 6de582cd 0xd8c0fe1
16 08c3c158 6de58a05 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
17 08c3c1cc 6de5893f jscript9!Js::JavascriptFunction::CallRootFunction+0xc1
18 08c3c214 6de588bf jscript9!ScriptSite::CallRootFunction+0x42
19 08c3c244 6de5d0f0 jscript9!ScriptSite::Execute+0x61
1a 08c3c2a0 6de5d02c jscript9!ScriptEngineBase::ExecuteInternal<0>+0xbb
1b 08c3c2b8 63a362a4 jscript9!ScriptEngineBase::Execute+0x1c
1c 08c3c374 63a3613e MSHTML!CListenerDispatch::InvokeVar+0x15a
1d 08c3c3a0 63a35e01 MSHTML!CListenerDispatch::Invoke+0x6d
1e 08c3c440 6398e7d2 MSHTML!CEventMgr::_InvokeListeners+0x1fe
1f 08c3c5b4 639d2863 MSHTML!CEventMgr::Dispatch+0x3bb
20 08c3c5dc 63eadc91 MSHTML!CEventMgr::DispatchEvent+0x90
21 08c3c5f0 63e94da9 MSHTML!CSVGElement::Fire_SVGLoad+0x46
22 08c3c608 63eadc43 MSHTML!CSVGSVGElement::Fire_SVGLoad+0x19
23 08c3c620 63dafdc1 MSHTML!CSVGElement::Fire_SVGLoad_Async_Handler+0x23
24 08c3c64c 6398f25c MSHTML!CAsyncEventQueue::DispatchAllEvents+0x41c3ea
25 08c3c6a0 771462fa MSHTML!GlobalWndProc+0x2d3
26 08c3c7bc 00a3ee48 user32!InternalCallWinProc+0x23
27 08c3c7c0 076bafe0 0xa3ee48
28 08c3c7c4 00000000 0x76bafe0


################################################################################################

(15e4.1634): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=22a98fa0 ecx=00000061 edx=000000c1 esi=22a96fac edi=0969c384
eip=63916681 esp=0969c1d8 ebp=0969c200 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CMarkup::BuildDescendentsList+0x158:
63916681 81b828030000609ffd63 cmp dword ptr [eax+328h],offset MSHTML!__vtguard (63fd9f60) ds:002b:00000328=????????
0:008> k
 # ChildEBP RetAddr  
00 0969c200 6384f86d MSHTML!CMarkup::BuildDescendentsList+0x158
01 0969c350 639b1597 MSHTML!CMarkup::Notify+0x17b
02 0969c3b8 639b1431 MSHTML!CMarkup::OnLoadStatusDone+0x14b
03 0969c3cc 639b078b MSHTML!CMarkup::OnLoadStatus+0xfa
04 0969c810 639aa322 MSHTML!CProgSink::DoUpdate+0x4c7
05 0969c81c 6382e541 MSHTML!CProgSink::OnMethodCall+0x12
06 0969c868 6382de4a MSHTML!GlobalWndOnMethodCall+0x16d
07 0969c8b8 771462fa MSHTML!GlobalWndProc+0x2e5
08 0969c8e4 77146d3a user32!InternalCallWinProc+0x23
09 0969c95c 771477c4 user32!UserCallWinProcCheckWow+0x109
0a 0969c9bc 7714788a user32!DispatchMessageWorker+0x3b5
0b 0969c9cc 6ce3f7c8 user32!DispatchMessageW+0xf
0c 0969fb98 6cf8f738 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
0d 0969fc58 7732e61c IEFRAME!LCIETab_ThreadProc+0x37b
0e 0969fc70 72f93991 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
0f 0969fca8 764b336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
10 0969fcb4 778a9902 kernel32!BaseThreadInitThunk+0xe
11 0969fcf4 778a98d5 ntdll!__RtlUserThreadStart+0x70
12 0969fd0c 00000000 ntdll!_RtlUserThreadStart+0x1b

################################################################################################

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_READ_AVRF_c0000005_MSHTML.dll!Tree::Notify_InvalidateDisplay
BUCKET_ID:  APPLICATION_FAULT_NULL_CLASS_PTR_READ_INVALID_POINTER_READ_AFTER_CALL_AVRF_MSHTML!Tree::Notify_InvalidateDisplay+19
FAILURE_EXCEPTION_CODE:  c0000005
FAILURE_IMAGE_NAME:  MSHTML.dll

--

(d98.d24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSHTML!Tree::Notify_InvalidateDisplay+0x1f:
555ae81a 81b81804000080380100 cmp dword ptr [eax+418h],13880h ds:002b:00000418=????????
1:022:x86> r
eax=00000000 ebx=204d6b40 ecx=10ba9500 edx=00000001 esi=204d6b40 edi=10ba9500
eip=555ae81a esp=0535d3f8 ebp=0535d454 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!Tree::Notify_InvalidateDisplay+0x1f:
555ae81a 81b81804000080380100 cmp dword ptr [eax+418h],13880h ds:002b:00000418=????????
1:022:x86> kb
 # ChildEBP RetAddr  Args to Child              
00 0535d400 55d882b4 00000000 19540000 148ca2d0 MSHTML!Tree::Notify_InvalidateDisplay+0x1f
01 0535d454 55d547e9 148ca2a0 0535d4c8 204c7770 MSHTML!Tree::Notify_TextRangeHighlighted+0x140
02 0535d4ac 55d55337 204c7770 204c7720 00000000 MSHTML!CSelectionRenderingServiceProvider::InvalidateSegment+0x148
03 0535d4ec 5582e569 148ca270 00000001 19070980 MSHTML!CSelectionRenderingServiceProvider::PrivateClearSegment+0x106
04 0535d504 556a24db 049c8000 148ca270 00000200 MSHTML!CDoc::RemoveSegment+0x39
05 0535d52c 5529fe11 0535d55c 5529fdd0 11ef40b0 MSHTML!CSelTrackServices::ClearSelection+0x401d83
06 0535d548 555e656d 00000000 00000001 00000001 MSHTML!CSelectTracker::BecomeDormant+0x41
07 0535d568 555f8288 00000000 00000001 00000001 MSHTML!CSelectionManager::HibernateTracker+0x2b
08 0535d590 55f054b1 00000000 00000001 0000000c MSHTML!CSelectionManager::EnsureDefaultTrackerPassive+0x51
09 0535d5c8 557f8eda 0535d630 555e9c37 00000000 MSHTML!CSelectionManager::DoPendingElementExit+0x429
0a 0535d5d0 555e9c37 00000000 5555c8fa 00000000 MSHTML!CSelectionManager::DoPendingTasks+0x20f28e
0b 0535d5d8 5555c8fa 00000000 1b034680 00000000 MSHTML!CSelectionManager::EnsureEditContext+0x20
0c 0535d630 5555c80e 0000000c 00000000 00000000 MSHTML!CSelectionManager::Notify+0x7c
0d 0535d654 5555c7a5 1b034680 0000000c 00000000 MSHTML!CHTMLEditor::Notify+0x51
0e 0535d670 5555c5fd 1b034680 0000000c 00000000 MSHTML!CHTMLEditorProxy::Notify+0x35
0f 0535d698 555e7edb 0000000c 00000000 00000000 MSHTML!CDoc::NotifySelection+0x4f
10 0535d92c 555e5c91 00000000 555e5c50 555e5c50 MSHTML!CCaret::UpdateScreenCaret+0xbe
11 0535d940 555baffb 10b7d8f0 049c8000 0000011f MSHTML!CCaret::DeferredUpdateCaret+0x41
12 0535d9bc 555bb394 d836afd1 00008002 00000000 MSHTML!GlobalWndOnMethodCall+0x21b
13 0535da08 75a9be6b 00190984 00008002 00000000 MSHTML!GlobalWndProc+0xe4
14 0535da34 75a9833a 555bb2b0 00190984 00008002 USER32!_InternalCallWinProc+0x2b
15 0535db1c 75a97bee 555bb2b0 00000000 00008002 USER32!UserCallWinProcCheckWow+0x3aa
16 0535db98 75a979d0 b9836150 0535fd34 5643485f USER32!DispatchMessageWorker+0x20e
17 0535dba4 5643485f 0535dbe0 00e4b470 008ff230 USER32!DispatchMessageW+0x10
18 0535fd34 56433e60 0535fe00 56433a50 00e433e8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x46f
19 0535fdf4 5bdcb61c 00e4b470 0535fe18 56488ce0 IEFRAME!LCIETab_ThreadProc+0x410
1a 0535fe0c 5bd6e6cd 00e433e8 5bd6e640 5bd6e640 msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c
1b 0535fe44 77648484 0089c570 77648460 f7de4b1c IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
1c 0535fe58 77a7305a 0089c570 005c205f 00000000 KERNEL32!BaseThreadInitThunk+0x24
1d 0535fea0 77a7302a ffffffff 77a8ec8b 00000000 ntdll_77a10000!__RtlUserThreadStart+0x2f
1e 0535feb0 00000000 5bd6e640 0089c570 00000000 ntdll_77a10000!_RtlUserThreadStart+0x1b
1:022:x86> .exr -1
ExceptionAddress: 555ae81a (MSHTML!Tree::Notify_InvalidateDisplay+0x0000001f)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000418
Attempt to read from address 00000418
1:022:x86> ub
MSHTML!Tree::Notify_InvalidateDisplay+0x7:
555ae802 f7460800001000  test    dword ptr [esi+8],100000h
555ae809 756e            jne     MSHTML!Tree::Notify_InvalidateDisplay+0x7e (555ae879)
555ae80b 8bc6            mov     eax,esi
555ae80d 8b38            mov     edi,dword ptr [eax]
555ae80f 85ff            test    edi,edi
555ae811 7462            je      MSHTML!Tree::Notify_InvalidateDisplay+0x7a (555ae875)
555ae813 8bcf            mov     ecx,edi
555ae815 e8b664d5ff      call    MSHTML!CElement::GetMarkupPtr (55304cd0)
1:022:x86> 
MSHTML!TSmartPointer<CFilterNativeInfo>::operator&+0x12:
555ae7f3 50              push    eax
555ae7f4 e8a7f9c6ff      call    MSHTML!CFilterNativeInfo::Release (5521e1a0)
555ae7f9 ebf4            jmp     MSHTML!TSmartPointer<CFilterNativeInfo>::operator&+0xe (555ae7ef)
MSHTML!Tree::Notify_InvalidateDisplay:
555ae7fb 8bff            mov     edi,edi
555ae7fd 53              push    ebx
555ae7fe 56              push    esi
555ae7ff 8bf1            mov     esi,ecx
555ae801 57              push    edi

Microsoft internet explorer 11 null pointer dereference Vulnerability / Exploit Source : Microsoft internet explorer 11 null pointer dereference



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.