[NT] Microsoft Internet Explorer ART File Heap Corruption
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 18 Jun 2006 16:53:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Internet Explorer ART File Heap Corruption
------------------------------------------------------------------------
SUMMARY
Remote exploitation of a heap corruption vulnerability in Microsoft
Internet Explorer allows attackers to execute arbitrary code.
DETAILS
Vulnerable Systems:
* Windows XP
* Windows XP SP1
* Windows XP SP2
* Windows 2003
* Windows 2003 SP1
* Windows 2000 SP4 when jgdw400.dll installed
Internet Explorer supports Johnson-Grace compressed images, or .art files.
Johnson-Grace developed this technology in 1991. In 1994, America Online
Inc. began using the technology and, in 1996, purchased the company to
secure rights to it. It is now licensed to Microsoft for use in Internet
Explorer by way of the jgdw400.dll dynamically linked library, which is
copyrighted by AOL.
The vulnerability specifically exists due to improper parsing of a
malformed .art file during rendering. With a carefully crafted .art file,
it is possible to overwrite portions of the heap with static values from a
file-independent table in memory. Although this typically would be
somewhat limiting from an exploitation standpoint, in this case an
attacker can utilize large images or JavaScript to fill the heap so that
these static values reliably point into controlled regions. Because there
are an abundance of function pointers on the heap that an attacker may
smash, heap integrity checks are not effective in preventing
exploitation.
Successful exploitation of this vulnerability allows attackers to execute
arbitrary code with the privileges of the currently logged-on user.
iDefense Labs analysis has shown that exploitation can be as reliable as
75 percent with the current exploitation method. Upon failed exploitation
attempts, the system may become slow or unresponsive due to the method
employed by the exploit to fill memory in order to facilitate an
exploitable memory state.
It should be noted that hardware data execution prevention (DEP) will
prevent exploitation from occurring by the iDefense Labs-maintained
exploit code. This is a result of the payload executing on the heap, which
is marked writable and thus not executable.
It should also be noted that the file does NOT need to have an .art
extension to be rendered by the vulnerable library. Any extension can be
used, provided the image is loaded via an IMG SRC tag in an HTML document
in Internet Explorer.
Workaround:
Remove the following dynamically linked libraries:
C:\windows\system32\jgpl400.dll
C:\windows\system32\jgdw400.dll
C:\windows\system32\jgaw400.dll
C:\windows\system32\jgsd400.dll
C:\windows\system32\jgmd400.dll
C:\windows\system32\jgsh400.dll
This will effectively disable the viewing of all .ART files on the system.
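As an added example (not part of the advisory), the PowerShell script below inventories the six libraries the workaround names and, when run with -Quarantine, moves them out of system32 into a backup folder so the change can be reversed; the quarantine folder path is an assumption.

```powershell
# Added example: check for the Johnson-Grace ART libraries named in the
# workaround and optionally quarantine them. Run from an elevated shell.
param(
    [switch]$Quarantine,
    # Assumed backup location; the advisory only says to remove the files.
    [string]$QuarantineDir = (Join-Path $env:SystemRoot 'jg400-quarantine')
)

$system32 = Join-Path $env:SystemRoot 'system32'
# File names exactly as listed in the advisory's workaround.
$artDlls = 'jgpl400.dll', 'jgdw400.dll', 'jgaw400.dll',
           'jgsd400.dll', 'jgmd400.dll', 'jgsh400.dll'

foreach ($name in $artDlls) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "absent : $path"
        continue
    }

    # Report version and size so the inventory can be kept as a record.
    $item = Get-Item -LiteralPath $path
    Write-Output ("present: {0} (version {1}, {2} bytes)" -f
        $path, $item.VersionInfo.FileVersion, $item.Length)

    if ($Quarantine) {
        if (-not (Test-Path -LiteralPath $QuarantineDir)) {
            New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
        }
        # Moving the file out of system32 has the same effect as removing it:
        # Internet Explorer can no longer load the library to render .art data.
        Move-Item -LiteralPath $path -Destination $QuarantineDir -Force
        Write-Output "moved  : $name -> $QuarantineDir"
    }
}
```

Run without -Quarantine first to see which of the libraries are present; moving them back from the quarantine folder restores .art rendering.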
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-2378>
CAN-2006-2378
Disclosure Timeline:
02/07/2006 Initial vendor notification
02/07/2006 Initial vendor response
06/13/2006 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxxxxxxxx> iDEFENSE Labs.
The original article can be found at:
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=407>
The vendor advisory can be found at:
<http://www.securiteam.com/windowsntfocus/5NP0B15IUC.html>
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.