Saturday, July 29, 2006

MoBB #30: Orphan Object Properties

The following bug was tested on the latest version of Internet Explorer 6 on a fully patched Windows XP SP2 system. This bug was discovered by Aviv Raff while working on a new browser fuzzing tool. It is possible to trigger a NULL dereference by accessing a property of an object that lives inside a frame which has already been deleted.

Please see the demo source code for an example.

Demonstration

eax=00000000 ebx=01ba7180 ecx=00000000
edx=7dc95b90 esi=00000000 edi=00000000
eip=7dc9d8ba esp=0013dc98 ebp=0013dccc
mshtml!CMarkup::EnsureTopElems+0xc:
7dc9d8ba 8b7744 mov esi,dword ptr [edi+44h] ds:0023:00000044=????????

This bug will be added to the OSVDB:
Microsoft IE Orphan Object Property Access NULL Dereference
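As an added crash-triage example (not part of the original post, and not code from Aviv Raff's fuzzer), the Python script below parses the WinDbg register dump quoted above, computes the effective address of the faulting memory operand from its base register and displacement, cross-checks that against the address WinDbg reports after `ds:0023:`, and classifies the fault as a NULL-pointer dereference when the address falls inside the never-mapped low 64 KiB of a Windows user-mode process. The dump text is copied from the post; the 64 KiB threshold, the function names and the `FaultInfo` record are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# WinDbg output as quoted in the post (register dump plus the faulting
# instruction), embedded here so the script runs offline.
CRASH_DUMP = """\
eax=00000000 ebx=01ba7180 ecx=00000000
edx=7dc95b90 esi=00000000 edi=00000000
eip=7dc9d8ba esp=0013dc98 ebp=0013dccc
mshtml!CMarkup::EnsureTopElems+0xc:
7dc9d8ba 8b7744 mov esi,dword ptr [edi+44h] ds:0023:00000044=????????
"""

# Assumption: Windows never maps the first 64 KiB of user-mode address space,
# so an access below this limit is a NULL base pointer plus a small offset.
NULL_PAGE_LIMIT = 0x10000

# "name=hhhhhhhh" pairs on the register lines.
REG_RE = re.compile(r'\b(e(?:[abcd]x|[sd]i|[sb]p|ip))=([0-9a-fA-F]{8})\b')
# A simple "[base+disp h]" or "[base]" memory operand (MASM syntax).
MEM_RE = re.compile(
    r'\[\s*(e(?:[abcd]x|[sd]i|[sb]p))\s*(?:([+-])\s*([0-9a-fA-F]+)h?)?\s*\]')
# WinDbg's own resolution of the operand: "ds:0023:00000044=".
REPORTED_RE = re.compile(r'\b[a-z]s:[0-9a-fA-F]{4}:([0-9a-fA-F]{8})=')


@dataclass
class FaultInfo:
    base_register: str
    displacement: int
    effective_address: int
    reported_address: Optional[int]
    kind: str


def parse_registers(dump: str) -> Dict[str, int]:
    """Return every 32-bit register named in the dump as an int."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def faulting_instruction(dump: str) -> str:
    """The disassembly line is the one carrying a bracketed memory operand."""
    for line in dump.splitlines():
        if MEM_RE.search(line):
            return line
    raise ValueError("no memory operand found in dump")


def classify_fault(dump: str) -> FaultInfo:
    regs = parse_registers(dump)
    line = faulting_instruction(dump)
    match = MEM_RE.search(line)
    base, sign, disp_text = match.group(1), match.group(2), match.group(3)
    disp = int(disp_text, 16) if disp_text else 0
    if sign == '-':
        disp = -disp
    # 32-bit wraparound, as the CPU would compute it.
    ea = (regs[base] + disp) & 0xFFFFFFFF

    reported = REPORTED_RE.search(line)
    reported_addr = int(reported.group(1), 16) if reported else None
    if reported_addr is not None and reported_addr != ea:
        raise ValueError(
            f"computed address {ea:#010x} disagrees with WinDbg's {reported_addr:#010x}")

    kind = "null-deref" if ea < NULL_PAGE_LIMIT else "invalid-access"
    return FaultInfo(base, disp, ea, reported_addr, kind)


if __name__ == "__main__":
    info = classify_fault(CRASH_DUMP)
    print(f"base={info.base_register} disp={info.displacement:#x} "
          f"ea={info.effective_address:#010x} kind={info.kind}")
```

For the dump in the post this reports a read through `edi` (which is zero) at offset 0x44, so the effective address is 0x00000044 and the fault is classed as a NULL dereference: a read from the unmapped low page, which in user mode means an access violation and a crashed tab or process rather than a controllable write.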

1 Comment:

At 3:51 AM, Anonymous Vipul said...

Greets HDM, I hope this is not the second last bug, as it's already the 30th. Will August continue to see one bug per day :)
