Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Internet Explorer Script Action Handlers (mshtml.dll) Buffer Overfl

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Internet Explorer Script Action Handlers (mshtml.dll) Buffer Overflow
Date: 20 Mar 2006 12:43:47 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Internet Explorer Script Action Handlers (mshtml.dll) Buffer Overflow
------------------------------------------------------------------------


SUMMARY

mshtml.dll is a module containing HTML-related utility functions.

By crafting specially crafted html, attackers can cause a buffer overflow 
with mshtml.dll and execute arbitrary code.

DETAILS

Vulnerable Systems:
 * MS Internet Explorer mshtml 6.0.2

This vulnerability can be triggered by specifying more than a couple 
thousand script action handlers (such as onLoad, onMouseMove, etc) for any 
single HTML tag. Due to a programming error, Internet Explorer will then 
attempt to write memory array out of bounds, at an offset corresponding to 
the ID of
the script action handler multiplied by 4 (due to 32-bit address clipping, 
the result is a small positive integer).

The list of IDs can be found on the Web, and is as follows (values in 
parentheses = resulting offsets):
  onhelp = 0x8001177d (+0x45df4)
  onclick = 0x80011778 (+0x45de0)
  ondblclick = 0x80011779 (+0x45de4)
  onkeyup = 0x80011776 (+0x45dd8)
  onkeydown = 0x80011775 (+0x45dd4)
  onkeypress = 0x80011777 (+0x45ddc)
  onmouseup = 0x80011773 (+0x45dcc)
  onmousedown = 0x80011772 (+0x45dc8)
  onmousemove = 0x80011774 (+0x45dd0)
  onmouseout = 0x80011771 (+0x45dc4)
  onmouseover = 0x80011770 (+0x45dc0)
  onreadystatechange = 0x80011789 (+0x45e24)
  onafterupdate = 0x80011786 (+0x45e18)
  onrowexit = 0x80011782 (+0x45e08)
  onrowenter = 0x80011783 (+0x45e0c)
  ondragstart = 0x80011793 (+0x45e4c)
  onselectstart = 0x80011795 (+0x45e54)

What happens next depends on the structure of the page in which the 
malicious tag is embedded, as well as previously visited page and 
previously initialized extensions (all these factors can be controlled by 
the attacker).

When the offending page contains no additional elements, and the user is 
not redirected from elsewhere, the browser will typically crash 
immediately, because there is no allocated memory at the resulting offset.
In all other cases, crashes will typically occur later, due to attempted 
use of unrelated but corrupted in-memory buffers -for example, when the 
user attempts to leave or reload the page. Another good example is coming 
from a page that contains Macromedia Flash - this usually causes the Flash 
plugin itself to choke on corrupted memory on cleanup.

Proof of Concept:
Note: It may crash your Browser  <http://lcamtuf.coredump.cx/iedie.html> 
http://lcamtuf.coredump.cx/iedie.html


ADDITIONAL INFORMATION

The information has been provided by  <mailto:lcamtuf@dione.ids.pl> Michal 
Zalewski.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Internet Explorer Script Action Handlers (mshtml.dll) Buffer Overflow, SecuriTeam <=
Previous by Date:  [REVS] Detecting the Presence of Virtual Machines Using the Local Data Table, SecuriTeam
Next by Date:  [NT] Microsoft Excel Stack Overflow (MS06-012), SecuriTeam
Previous by Thread:  [REVS] Detecting the Presence of Virtual Machines Using the Local Data Table, SecuriTeam
Next by Thread:  [NT] Microsoft Excel Stack Overflow (MS06-012), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]