exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CT21-11-2005.txt

CT21-11-2005.txt
Posted Nov 30, 2005
Authored by Benjamin Tobias Franz

This document serves as a reclassification advisory for the Microsoft Internet Explorer JavaScript Window() DoS vulnerability, originally reported on 31/05/2005. Contrary to popular belief, the aforementioned security issue is susceptible to remote arbitrary code execution, yielding full system access with the privileges of the underlying user.

tags | advisory, remote, denial of service, arbitrary, javascript, code execution
advisories | CVE-2005-1790
SHA-256 | 2a70181bd083f6d889bbc3c19896a4b44f70d1e8ca2d53355313efbe522d8d67

CT21-11-2005.txt

Change Mirror Download


Computer Terrorism (UK)
========================


Security Advisory (Reclassification) :: CT21-11-2005
-----------------------------------------------------


Title: Microsoft Internet Explorer JavaScript Window()
Vulnerability

Author: S. Pearson
Organisation: Computer Terrorism (UK)
Web: www.computerterrorism.com
Advisory Date: 21st November, 2005


Software: Microsoft Internet Explorer 5.5 & 6.x
Severity: Critical (Elevated from low)
Impact: Remote System Access
Solution Status: ** UNPATCHED **
CVE reference: CAN-2005-1790

Credits: Benjamin Tobias Franz (original bug)



Overview:
---------

This document serves as a *reclassification* advisory for the Microsoft
Internet
Explorer JavaScript Window() DoS vulnerability, originally reported on
31/05/2005.

Contrary to popular beliefs, the aforementioned security issue is
susceptible to remote
arbitrary code execution, yielding full system access with the
privileges of the
underlying user.



Technical Narrative:
--------------------

As well documented, the vulnerability is instigated by IE's failure to
correctly
initialise the JavaScript "Window()" function when used in conjunction
with a
<BODY onload> event. As a result, Internet Explorer encounters an
exception when
trying to call a dereferenced 32bit address located in ECX, as
highlighted by the
following line of code:

CALL DWORD [ECX+8]

Due to the bug, ECX is inadvertently populated by the Unicode
representation of a
text string named "OBJECT", or more specifically 0x006F005B. As offset
0x006F005B
points to an invalid (or non-existent) memory location, Internet
Explorer fails to
progress, and in turn the end user experiences an application crash
(DoS).

Therefore, as the bug does not yield control of any internal register
and/or points
to an offset of which we have no control, the original "low" risk
classification
clearly reflects the improbable scenario for remote code execution.


How improbable?


If we take a closer look at the vulnerability, we actually see that the
instruction
is trying to dereference an offset in the range of 0x00600000, which,
coincidently,
is reserved for the facilitation of all opened Window characteristics on
the desktop.

These structures vary in both length and content, but in the main, take
the form of
window titles, buttons, and any File/edit/View menus bars attributable
to a particular
Window session.

Consequently, it is feasible to assume that offset 0x006F005B could be
arrived at
through the invocation of several new Windows structures, for example
circa 12 new
web browsing sessions, which would increment 0x00600000 into 0x006F005B.

If this were possible, it would just leave the problem of trying to
identify a means
by which custom shellcode could be inserted via one of the Window
Elements, and
correctly aligned against the called [0x006F005B].

Accordingly, several methods were tested. By using a combination of
multiple open windows
(expanding the memory section), and legal techniques that allow the
modification of
certain Window elements (examples below), 3rd party code execution was
eventually
realised!

Examples:

1. Long HTML <TITLE>
2. Long embedded Document File Names
3. Large Alert Boxes


Unfortunately, all methods tested suffered from one major flaw -
inconsistency.

The assumption that a potential victim has a clean desktop (no open
apps) compounded
by the fact that most window elements encompasses some form of content
length restriction,
results in a very small opportunity for any realistic exploitation.

Except, for one particular approach......a JavaScript prompt box.

By employing a simple technique to invoke multiple occurrences of large
JavaScript prompt
Boxes, it is possible to flood/saturate the remoteness between
0x00600000 - 0x006F005B ++
with data of our choice, yielding very reliable execution of arbitrary
code.


Proof Of Concept:
-----------------

http://www.computerterrorism.com/research/ie/poc.htm


Temporary Solution:
-------------------

Until a patch is developed users are strongly advised to disable active
scripting for
non-trusted sites.


Vendor Status:
--------------

The original DoS vulnerability was brought to the public's attention on
the 31/05/2005
by Benjamin Tobias Franz. To date, the vendor has failed to publicly
acknowledge the
presence of the flaw, or provide any timescales for an appropriate fix.
Accordingly, as
of the date of this document, this vulnerability remains UNPATCHED,
affecting all users
of Microsoft Internet Explorer version 5.5 and 6.x respectively.





Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close