Internet Explorer remotely exploitable vulnerability in JScript's document.write() method

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Internet Explorer remotely exploitable vulnerability in JScript's document.write() method
From: porkythepig@xxxxxxxx
Date: 31 Jan 2006 18:15:30 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

There is a remotely exploitable vulnerability in the Internet Explorer in the 
JScripting/Flash plugin section.

The problem lies in bad scripting of document.write() method being executed 
trough VBscript procedure triggered from ActionScript code within the crafted 
flash animation.
While exiting the IExplorer's jscript.dll call it causes a null pointer 
assignment in IE leading to the memory access violation and browser crash.

The following configurations has been tested and found vulnerable:
Windows 2000 sp4 with all MS patches
Windows XP sp2
Windows XP64
Windows 98 SE

An example DoS exploit exists at:
http://www.anspi.pl/~porkythepig/iedown.html
and also by clicking the right bottom at:
http://www.anspi.pl/~porkythepig/index.html

Remote code execution possibility hasn't been verified yet , but it still may 
exist.

Vulnerability found and DoS exploit built by: porkythepig

contact: porkythepig@xxxxxxxx

Prev by Date: CyberShop Ultimate E-commerce Script Cross Site Scripting
Next by Date: LoudBlog <= 0.4 arbitrary remote inclusion
Previous by thread: CyberShop Ultimate E-commerce Script Cross Site Scripting
Next by thread: Re: Internet Explorer remotely exploitable vulnerability in JScript's document.write() method
Index(es):
- Date
- Thread