Internet Explorer 6 componentFromPoint() remote memory disclosure and remote code execution
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Internet Explorer 6 componentFromPoint() remote memory disclosure and remote code execution
- From: "Ivan Fratric" <ifsecure@xxxxxxxxx>
- Date: Wed, 15 Oct 2008 15:42:42 +0200
There is a bug in the Internet Explorer 6 JavaScript implementation
that enables remote memory disclosure and remote code execution. The
vulnerability is caused by an improper implementation of the
componentFromPoint() method of the xml object.
###################
#The vulnerability#
###################
The vulnerability is triggered by the erroneous behavior of the
componentFromPoint() method when it is invoked on a newly created xml
object.
########
#Impact#
########
This vulnerability can be used (trivially) to remotely disclose
Internet Explorer's memory when a victim visits a specially crafted
web page or (less trivially) to achieve remote code execution when a
victim visits a specially crafted web page.
#####
#PoC#
#####
Due to the spread and the impact of the vulnerability, exploitation
details will be released at a later date, once everyone has had plenty
of time to patch.
############
#References#
############
http://ifsec.blogspot.com/2008/10/internet-explorer-6-componentfrompoint.html
http://www.zerodayinitiative.com/advisories/ZDI-08-069/
http://www.microsoft.com/technet/security/bulletin/MS08-058.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3475