---------------------------------------------------
| BuHa Security-Advisory #4        | Dec 24th, 2005 |
---------------------------------------------------
| Vendor  | M$ Internet Explorer 6.0                |
| URL     | http://www.microsoft.com/windows/ie/    |
| Version | <= 6.0.2900.2180.xpsp_sp2               |
| Risk    | Low (DoS - Null Pointer Dereference)    |
---------------------------------------------------

o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser made by Microsoft and currently available as part of Microsoft Windows. Visit http://www.microsoft.com/windows/ie/default.mspx or http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: #7d663471
===================

The following HTML code forces M$ IE 6 to crash:

> Online-demo: http://morph3us.org/security/pen-testing/msie/ie60-1128216821765-7d663471.html

These are the register values and the ASM dump at the time of the access violation:

    eax=00000000 ebx=01293b38 ecx=01293b20 edx=7d74ede0 esi=01293b20 edi=00000000
    eip=7d663471 esp=0012e89c ebp=0012e89c
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

             7d663469 8bff     mov     edi,edi
             7d66346b 55       push    ebp
             7d66346c 8bec     mov     ebp,esp
             7d66346e 8b4110   mov     eax,[ecx+0x10]
    FAULT -> 7d663471 66833823 cmp     word ptr [eax],0x23   ds:0023:00000000=????
             7d663475 7405     jz      mshtml+0x1b347c (7d66347c)
             7d663477 33c0     xor     eax,eax
             7d663479 40       inc     eax
             7d66347a eb1e     jmp     mshtml+0x1b349a (7d66349a)
             7d66347c ff7508   push    dword ptr [ebp+0x8]
             7d66347f 8b09     mov     ecx,[ecx]
             7d663481 83c002   add     eax,0x2
             7d663484 50       push    eax
             7d663485 e8466cebff call  mshtml+0x6a0d0 (7d51a0d0)
             7d66348a 8bc8     mov     ecx,eax
             7d66348c e8ad44fbff call  mshtml!CreateHTMLPropertyPage+0x2432c (7d61793e)
             7d663491 33c9     xor     ecx,ecx
             7d663493 85c0     test    eax,eax
             7d663495 0f9cc1   setl    cl
             7d663498 8bc1     mov     eax,ecx
             7d66349a 5d       pop     ebp
             7d66349b c20400   ret     0x4

The access violation results in a null pointer dereference and is not exploitable.
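As an added example (hypothetical C written for this page, not mshtml's code and not part of the original advisory), the following models the two-step parse of the 'datasrc' value "[n].[m]" that the advisory describes: split at the first '.', then compare the first character of [n] with 0x23 ('#'). The unchecked variant reproduces the missing validation; the hardened variant returns an error for an empty [n] instead of dereferencing a null pointer. The function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Copy of the text before the first '.', or NULL when that part is empty.
   The NULL return mirrors "no memory is allocated for this string" in the
   advisory. The caller frees the result. */
static char *datasrc_first_part(const char *value) {
    const char *dot = strchr(value, '.');
    size_t len = dot ? (size_t)(dot - value) : strlen(value);
    if (len == 0)
        return NULL;                /* empty [n]: no buffer at all */
    char *part = malloc(len + 1);
    if (part == NULL)
        return NULL;
    memcpy(part, value, len);
    part[len] = '\0';
    return part;
}

/* Vulnerable shape: part[0] is read with no NULL check, which is the
   "cmp word ptr [eax],0x23" with eax==0 in the crash dump. Safe to call
   only with a non-empty [n]; kept here to show the missing check. */
int datasrc_starts_with_hash_unchecked(const char *value) {
    char *part = datasrc_first_part(value);
    int hit = (part[0] == '#');     /* NULL dereference when [n] is empty */
    free(part);
    return hit;
}

/* Hardened shape: validate the pointer before using it. Returns 1 when [n]
   begins with '#', 0 when it does not, and -1 when [n] is empty or the
   allocation failed, so the caller can reject the value instead of faulting. */
int datasrc_starts_with_hash(const char *value) {
    char *part = datasrc_first_part(value);
    if (part == NULL)
        return -1;                  /* the validation step the parser lacked */
    int hit = (part[0] == '#');
    free(part);
    return hit;
}
```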
M$ IE parses the attribute value of 'datasrc' ("[n].[m]") in the following way:

* Split the attribute value in two parts
* Compare the first char of [n] with 0x23 ('#')

The reason for the crash is that the 0 byte long [n] (no memory is allocated for this string) is used without any validation. For example:

> char *t = NULL;
>
> if(t[0] == 0x23)

o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:

> M$ IE 6.0  - Windoze XP Pro SP2
> M$ IE 6.0  - Windoze 2k SP4
> M$ IE 5.5  - Windoze XP Pro SP2
> M$ IE 5.01 - Windoze XP Pro SP2

o Disclosure Timeline:
=====================

10 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
==========

There is no patch yet. The vulnerability will be fixed in an upcoming service pack according to the Microsoft Security Response Center.

o Credits:
=========

Christian Deneke

--
Thomas Waldegger
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel free to send me a mail. The address 'bugtraq@morph3us.org' is more a spam address than a regular mail address, therefore it's possible that I ignore some mails. Please use the contact details at http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-1.txt