Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Browsers :: v7-2209.htm

DoS vuln in M$ IE 6 SP2 #3



DoS Vulnerability in M$ IE 6 SP2 #3
DoS Vulnerability in M$ IE 6 SP2 #3



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ---------------------------------------------------
| BuHa Security-Advisory #6     |    Dec 24th, 2005 |
 ---------------------------------------------------
| Vendor   | M$ Internet Explorer 6.0               |
| URL | http://www.microsoft.com/windows/ie/ | 
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Low (DoS - Null Pointer Dereference)   |
 ---------------------------------------------------
 
o Description:
============
Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information. 

o Denial of Service: #7d6d8eba
==================
Following HTML code forces M$ IE 6 to crash:
> 
  • Online-demo: http://morph3us.org/security/pen-testing/msie/ie60-1132900617750-7d6d8eba.html These are the register values and the ASM dump at the time of the access violation: eax=00000000 ebx=01295390 ecx=00000000 edx=00000000 esi=0012d230 edi=01290720 eip=7d6d8eba esp=0012cd08 ebp=00000000 cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 7d6d8e84 894c2414 mov [esp+0x14],ecx 7d6d8e88 8b8ea4000000 mov ecx,[esi+0xa4] 7d6d8e8e 24fe and al,0xfe 7d6d8e90 57 push edi 7d6d8e91 89542410 mov [esp+0x10],edx 7d6d8e95 8954241c mov [esp+0x1c],edx 7d6d8e99 88442420 mov [esp+0x20],al 7d6d8e9d e89912e5ff call mshtml+0x7a13b (7d52a13b) 7d6d8ea2 8b4c2428 mov ecx,[esp+0x28] 7d6d8ea6 68b2a06e7d push 0x7d6ea0b2 7d6d8eab 8bf8 mov edi,eax 7d6d8ead e89bb7e5ff call mshtml+0x8464d (7d53464d) 7d6d8eb2 50 push eax 7d6d8eb3 8bcf mov ecx,edi 7d6d8eb5 e8dfebfdff call mshtml+0x207a99 (7d6b7a99) FAULT ->7d6d8eba 668b500c mov dx,[eax+0xc] ds:0023:0000000c=???? 7d6d8ebe 6685d2 test dx,dx 7d6d8ec1 7c39 jl mshtml+0x228efc (7d6d8efc) 7d6d8ec3 833d50e3747d01 cmp dword ptr [mshtml+0x29e350 (7d74e350)],0x1 7d6d8eca 0fbffa movsx edi,dx 7d6d8ecd 7513 jnz mshtml+0x228ee2 (7d6d8ee2) 7d6d8ecf a14ce3747d mov eax,[mshtml+0x29e34c (7d74e34c)] 7d6d8ed4 8b484c mov ecx,[eax+0x4c] 7d6d8ed7 8b4134 mov eax,[ecx+0x34] 7d6d8eda 8d147f lea edx,[edi+edi*2] 7d6d8edd 8b3c90 mov edi,[eax+edx*4] 7d6d8ee0 eb23 jmp mshtml+0x228f05 (7d6d8f05) The access violation results in a null pointer dereference and is not exploitable. o Vulnerable versions: ==================== The DoS vulnerability was successfully tested on: > M$ IE 6 SP2 - Win XP Pro SP2 > M$ IE 6 - Win 2k SP4 o Disclosure Timeline: ==================== 26 Nov 05 - DoS vulnerability discovered. 15 Dec 05 - Vendor contacted. 17 Dec 05 - Vendor confirmed vulnerability. 24 Dec 05 - Public release. o Solution: ========= There is no patch yet. The vulnerability will be fixed in an upcoming service pack according to the Microsoft Security Response Center. o Credits: ======== Christian Deneke - -- Thomas Waldegger BuHa-Security Community - http://buha.info/board/ If you have questions, suggestions or criticism about the advisory feel free to send me a mail. The address 'bugtraq@morph3us.org' is more a spam address than a regular mail address therefore it's possible that I ignore some mails. Please use the contact details at morph3us.org to contact me. Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa. Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-3.txt -----BEGIN PGP SIGNATURE----- Version: n/a Comment: http://morph3us.org/ iD8DBQFDrdu6kCo6/ctnOpYRAs1cAKCOabmBR3EtFBoMz/wKinVVpU/q/ACeK2kG A4pamspAa8+NY9TDiCz738s=Wga9 -----END PGP SIGNATURE-----


    TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
    Site design & layout copyright © 1986-2014 AOH