Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution



Computer Terrorism (UK) :: Incident Response Centre
===================================================


Security Advisory :: CT22-03-2006
-------------------------------------------


Title:                  Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution

Organisation:           Computer Terrorism (UK)
Web:                    www.computerterrorism.com
Advisory Date:          22nd March, 2006


Affected Software:      Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity:               Critical
Impact:                 Remote System Access
Solution Status:        ** UNPATCHED **


Overview:
-------------
 
Following the public disclosure of this bug, this document serves as a 
preliminary Security Advisory for users of Microsoft Internet Explorer 6 
and 7 Beta 2.

Successful exploitation allows a remote attacker to execute arbitrary code on 
a fully patched Windows XP system, gaining access with the privileges of the 
user running Internet Explorer.

 

Technical Narrative:
-------------------------
 
As described in the original publication, the bug stems from a call to the 
createTextRange() method which, under certain circumstances, causes IE to 
dereference an invalid or corrupt virtual function table (vtable) pointer. 
 
As a result, IE raises an exception when it tries to read the call target 
through the bogus 32-bit pointer it has just loaded, as the following snippet 
of mshtml.dll disassembly shows.
 
0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]   ; ECX = first DWORD of the object at EDI (its vtable pointer)
..
0x7D53C166 CALL DWORD PTR [ECX]          ; call through slot 0 of that table: the address stored at [ECX]
 
Because the pointer is wrong, ECX holds a far-off, unmapped address, so the 
read at [ECX] faults and IE crashes (a denial of service). Although the 
address involved is well away from any mapped memory, experience shows that 
an indirect call whose target is taken from corrupt object memory is exactly 
the kind of condition that leads to reliable exploitation: in general, an 
attacker who controls the bytes at the location the stale pointer refers to 
controls ECX, and therefore the address that gets called.
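The following is an added illustration, written for this page and not taken 
from the advisory or from mshtml.dll, of why the two instructions above 
matter. A C++-style object keeps the pointer to its virtual function table 
(vtable) in its first field; MOV ECX,[EDI] loads that pointer and CALL [ECX] 
jumps through the table's first slot. The program models the object in C: a 
healthy object dispatches normally; an object whose memory has been 
overwritten with attacker-chosen bytes makes the same two instructions call 
an attacker-chosen function (the crash in the advisory is the case where 
those bytes are garbage and the read at [ECX] faults instead); and a checked 
dispatch that refuses unknown vtables stops it. The object layout, the fake 
vtable, the attacker_payload stand-in and the dispatch_checked mitigation are 
all constructed for this example, not behaviour observed in IE.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration: a C++-style object whose first field is the
 * pointer to its virtual-function table.  Nothing here is from mshtml.dll. */
typedef int (*method_t)(void *self);

struct object {
    method_t *vtable;   /* offset 0: what MOV ECX, DWORD PTR [EDI] reads */
    int       state;
};

static int legit_method(void *self)
{
    struct object *o = self;
    return o->state * 2;
}

/* The one vtable the engine is supposed to call through. */
static method_t legit_vtable[] = { legit_method };

/* Stand-in for attacker shellcode: returns a marker instead of running code. */
static int attacker_payload(void *self)
{
    (void)self;
    return 0xDEAD;
}

/* Unchecked virtual dispatch: the two instructions quoted in the advisory. */
int dispatch_unchecked(struct object *obj)
{
    method_t *vt = obj->vtable;   /* MOV ECX, DWORD PTR DS:[EDI] */
    return vt[0](obj);            /* CALL DWORD PTR [ECX]        */
}

/* Hardened dispatch (hypothetical mitigation for this demo): refuse to call
 * through any vtable we do not know, returning -1 instead of jumping. */
int dispatch_checked(struct object *obj)
{
    if (obj->vtable != legit_vtable)
        return -1;
    return obj->vtable[0](obj);
}

/* Healthy object with the legitimate vtable. */
int run_legit(int (*dispatch)(struct object *))
{
    struct object obj = { legit_vtable, 21 };
    return dispatch(&obj);
}

/* Object memory overwritten with attacker-chosen bytes (constructed here with
 * memset/memcpy to model a stale or corrupt object).  In the crash described
 * in the advisory those bytes are garbage and the read at [ECX] faults; here
 * the attacker has placed a pointer to a fake vtable in the first field. */
int run_corrupted(int (*dispatch)(struct object *))
{
    method_t fake_vtable[] = { attacker_payload };
    method_t *fake_ptr = fake_vtable;
    struct object corrupt;

    memset(&corrupt, 0x41, sizeof corrupt);               /* "AAAA..." filler  */
    memcpy(&corrupt.vtable, &fake_ptr, sizeof fake_ptr);  /* field 0 := &fake  */
    return dispatch(&corrupt);
}

int main(void)
{
    printf("legit/unchecked   : %d\n",   run_legit(dispatch_unchecked));     /* 42     */
    printf("corrupt/unchecked : 0x%X\n", run_corrupted(dispatch_unchecked)); /* 0xDEAD */
    printf("corrupt/checked   : %d\n",   run_corrupted(dispatch_checked));   /* -1     */
    return 0;
}
```

Build with any C compiler (cc demo.c && ./a.out). The point of the checked 
variant is only to show where a defence has to sit: the call site must 
validate the table it is about to jump through, which is the idea behind the 
indirect-call guards (such as Control Flow Guard) that Windows later shipped.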
 
 
Proof of Concept:
-----------------------
 
Computer Terrorism (UK) can confirm that it has produced a reliable proof of 
concept (PoC) for this vulnerability (tested on Windows XP SP2). However, 
until a patch is developed, we will NOT be publicly disclosing our research.



Temporary Solution:
-------------------------
 
Users are advised to disable Active Scripting for untrusted sites (for 
example, in the Internet zone) until a patch is released.
 

Vendor Status:
--------------------
 
The vendor has been informed of all aspects of this new vulnerability 
(including the PoC); as of the date of this document, the vulnerability 
remains UNPATCHED.