lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 12 Mar 2016 00:02:01 +0100
From: Berend-Jan Wever <berendjanwever@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] Microsoft Edge CDOMTextNode::get_data type confusion

Hey,

Last Tuesday, Microsoft fixed a security issue in Microsoft Edge that I
was aware of, but had not had time to report. (i.e. I was waiting for
vulnerability contributor programs to look over my analysis and make me
an offer for the information). Since this issue has been fixed, I have
published my analysis on my blog
<http://blog.skylined.nl/20160310001.html><my%20blog>.

In short: Specially crafted Javascript inside an HTML page can trigger a
type confusion bug in Microsoft Edge that allows accessing a C++ object
as if it was a BSTR string. This can result in information disclosure,
such as allowing an attacker to determine the value of pointers to other
objects and/or functions. This information can be used to bypass ASLR
mitigations. It may also be possible to modify arbitrary memory and
achieve remote code execution, but this was not
investigated.

Cheers,

SkyLined

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ