Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution
Computer Terrorism (UK) :: Incident Response Centre
======================================
Security Advisory :: CT22-03-2006
-------------------------------------------
Title: Microsoft Internet Explorer (mshtml.dll) - Remote Code
Execution
Organisation: Computer Terrorism (UK)
Web: www.computerterrorism.com
Advisory Date: 22nd March, 2006
Affected Software: Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity: Critical
Impact: Remote System Access
Solution Status: ** UNPATCHED **
Overview:
-------------
Pursuant to the publication of the aforementioned bug/vulnerability, this
document serves as a preliminary Security Advisory for users of Microsoft
Internet Explorer version 6 and 7 Beta 2.
Successful exploitation will allow a remote attacker to execute arbitrary code
against a fully patched Windows XP system, yielding system access with
privileges of the underlying user.
Technical Narrative:
-------------------------
As per the publication, the bug originates from the use of a createTextRange()
method, which, under certain circumstances, can lead to an invalid/corrupt
table pointer dereference.
As a result, IE encounters an exception when trying to call a deferenced 32bit
address, as highlighted by the following sniplet of code.
0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
..
0x7D53C166 CALL DWORD PTR [ECX]
Due to the incorrect reference, ECX points to a very remote, non-existent
memory location, causing IE to crash (DoS). However, although the location is
some what distant, history dictates that a condition of this nature is
conducive towards reliable exploitation.
Proof of Concept:
-----------------------
Computer Terrorism (UK) can confirm the production of reliable proof of concept
(PoC) for this vulnerability (tested on Windows XP SP2). However, until a patch
is developed, we will NOT be publicly disclosing our research.
Temporary Solution:
-------------------------
Users are advised to disable active scripting for non-trusted sites until a
patch is released.
Vendor Status:
--------------------
The Vendor has been informed of all aspects of this new vulnerability
(including PoC), but as of the date of the document, this vulnerability is
UNPATCHED.