Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability

from [0x80] Network Security [Permanent Link]
Subject: RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability
Date: Sun, 23 Apr 2006 20:40:23 -0700 
OH NOES!

Paul Nickerson doesn't approve.  Who the fuck is Paul Nickerson?  
Better yet who cares.




On Sun, 23 Apr 2006 17:34:02 -0700 Paul Nickerson 
<pvnick@gmail.com> wrote:

Confirmed on IE 7 beta 2 on Windows XP SP2

For the record, I don't approve of your disclosure practices, Mr. 
Zalewski,
but good work none-the-less.

Paul

-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of 
Ben Lambrey
Sent: Sunday, April 23, 2006 12:17 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag 
vulnerability

On Sunday 23 April 2006 01:30, Michal Zalewski wrote:

Perhaps not surprisingly, there appears to be a vulnerability in 



how

Microsoft Internet Explorer handles (or fails to handle) certain
combinations of nested OBJECT tags. This was tested with MSIE
6.0.2900.2180.xpsp.040806-1825 and mshtml.dll 6.00.2900.2873
xpsp_sp2_gdr.060322-1613.

At first sight, this vulnerability may offer a remote compromise 



vector,

although not necessarily a reliable one. The error is convoluted 



and

difficult to debug in absence of sources; as such, I cannot 

offer a

definitive attack scenario, nor rule out that my initial 

diagnosis will be

proved wrong [*]. As such, panic, but only slightly.

Probably the easiest way to trigger the problem is as follows:

  perl -e '{print "<STYLE></STYLE>\n<OBJECT>\nBork\n"x32}' 
test.html

...this will (usually) cause a NULL pointer + fixed offset 

(eax+0x28)

dereference in mshtml.dll, the pointer being read from allocated 



but still

zeroed memory region.

The aforementioned condition is not exploitable, but padding the 



page with

preceeding OBJECT tag (and other tags), increasing the number of 



nested

OBJECTs, and most importantly, adding bogus 'type=' parameters 

of various

length to the final sequence of OBJECTs, will cause that 

dereference to

become non-NULL on many installations; then, a range of other 

interesting

faults should ensue, including dereferences of variable bogus 

addresses

close to stack, or crashes later on, when the page is reloaded 

or closed.


[ In absence of sources, I do not understand the precise 

underlying

  mechanics of the bug, and I am not inclined to spend hours 

with a

  debugger to find out. I'm simply judging by the symptoms, but 

these

  seem to be indicative of an exploitable flaw. ]

Several examples of pages that cause distinct faults in my setup 



(your

mileage may and probably WILL vary; on three test machines, this 



worked as

described; on one, all examples behaved in non-exploitable 0x28 

way):


  http://lcamtuf.coredump.cx/iedie2-1.html (eax=0x0, instant 

dereference)

  http://lcamtuf.coredump.cx/iedie2-2.html (bogus esi on 

reload/leave)

  http://lcamtuf.coredump.cx/iedie2-3.html (page fault on 

browser close)

  http://lcamtuf.coredump.cx/iedie2-4.html (bogus esi on 

reload/leave)


Well, that's it. Feel free to research this further. This 

vulnerability,

as requested by customers, is released in strict observance of 

the Patch

Wednesday & Bug Saturday policy.


IE 6 on Windows 2003+SP1 also crashes.

IE version: 6.0.3790.1830
mshtml.dll version 6.0.3790.2666

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.385 / Virus Database: 268.4.5/322 - Release Date: 
4/22/2006


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.385 / Virus Database: 268.4.5/322 - Release Date: 
4/22/2006


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




Concerned about your privacy? Instantly send FREE secure email, no account 
required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability, KF (lists)
Next by Date:  [Full-disclosure] [SECURITY] [DSA 1039-1] New blender packages fix several vulnerabilities, Martin Schulze
Previous by Thread:  RE: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability, Michal Zalewski
Next by Thread:  Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability, ipatches
Indexes:  [Date] [Thread] [Top] [All Lists]