A number of issues have been reported lately by various sources about Internet Explorer vulnerabilities in relation to specific COM objects. Research has shown that the root cause is the fact that these COM objects are not designed to be loaded in IE at all. These objects therefore make wrongful assumptions about the state of the process they are loaded into, specifically about the contents of heap memory. This can be abused to uncover unwanted features, like the ability to run arbitrary code on a victims machine.
035a6aa16f04f9d73cacf13f2f3a7db3188f82cf0bd18a282634937ba184ab53------=_Part_1173_32018819.1124329567242
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Disclaimer:
The information in this email is distributed WITHOUT ANY WARRANTY, TO THE
EXTENT PERMITTED BY APPLICABLE LAW; without even the implied warranty of
CORRECTNESS or FITNESS FOR A PARTICULAR PURPOSE. You know the drill...
Affected products:
Various COM objects when loaded in Microsoft Internet Explorer.
Extend:
DoS and remote arbitrary code execution.
Patches:
MS05-037 and MS05-38
See below for additional killbit.
Exploits:
Internet Exploiter 4 will not be released to the public in the near future.
Public exploits based on Internet Exploiter have been written by third
parties for a number of affected objects. They are available on the net
from various sources.
Short description:
A number of issues have been reported lately by various sources about
Internet Explorer vulnerabilities in relation to specific COM objects.
Research has shown that the root cause is the fact that these COM objects
are not designed to be loaded in IE at all. These objects therefore make
wrongful assumptions about the state of the process they are loaded into,
specifically about the contents of heap memory. This can be abused to
uncover unwanted features, like the ability to run arbitrary code on a
victims machine.
Short History:
On June 24th 2002 'ken'@FTU reported a NULL-pointer exception in IE when
loading a specific COM object. The object was mmsys.cpl which uses
clsid:{00022613-0000-0000-C000-000000000046}. The issue was discarded as
a low impact DoS.
On April 18th 2005, Further research revealed that this was in fact a
problem with the COM object reusing previously freed memory without
initialising it. Part of the reused memory was used as a function pointer.
Careful allocating and freeing of memory prior to loading the object
allowed remote code execution on Win2K. Internet Exploiter 4 was born.
(This vulnerability does NOT seem to be exploitable on WinXPSP2, as claimed
by FrSIRT in their MS05-038 exploit)
On June 17th 2005, Bernhard M=FCller and Martin Eiszner found a similar iss=
ue
when loading javaprxy.dll and released their information to the public.
On July 2nd, August 9th and August 17th 2005, FrSIRT released shamelessly
ripped code that claims to exploit a number of these objects. While failing
to work on most occasions through lack of finesse, it does prove that even
script-kiddies can easily write exploits by copy-pasting my Internet
Exploiter heap spraying code. It takes so little effort that it might
actually cost you more time to add proper credits to the original author
of the code.
Solution:
I've been working with the Internet Explorer team on short term and long
term solutions. The latest patch (MS05-038) will "killbit" a number of
objects that were found to have issues when loaded in IE. These killbits
prevent exploits from loading these objects and abusing this vulnerability.
The latest exploit by FrSIRT targets "msdss.dll" with clsid=20
EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F, which is not killbitted by ms05-038.
I was unable to reproduce the vulnerability with version 7.10.3077.0 of the
dll; the object doesn't even crash. From what I've heard everybody else=20
seems to be unaffected too, so maybe it's just a local .fr thing.
Just in case, here's a .reg file you can use to killbit this control;
Create a new .txt file, copy+paste this into it, rename it to .reg, double
click it and say "yes, I want to add it to the registry."
!!! Lines may wrap, you might have to remove the extra line-breaks !!!
---- cut here ----
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX=20
Compatibility\{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}]
"Compatibility Flags"=3Ddword:00000400
---- cut here ----
If you want to test if it works, here's a .html file that will show you;
Create a new .txt file, copy+paste this into it, rename it to .html, double
click and it will tell you if you are safe (the object cannot be loaded)
or if you might be vulnerable to this attack (the object can be loaded):
---- cut here ---
<OBJECT
onreadystatechange=3D"document.write('<I>Possibly</I> Vulnerable...');"
onerror=3D"document.write('You should be safe!');"
classid=3D"clsid:{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}"
></OBJECT>
---- cut here ---
Greets:
Paul@greyhats, st0ke@milworm, 0dd, 0x4553, l33tsecurity, NGS.
Anti-Greets:
FrSIRT (I thought I was special, turns out they rip-off everybody's code!)
Cheers,
SkyLined
------=_Part_1173_32018819.1124329567242
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
<p>Disclaimer:<br> The information in this email is distr=
ibuted WITHOUT ANY WARRANTY, TO THE<br> EXTENT PERMITTED =
BY APPLICABLE LAW; without even the implied warranty of<br> &nbs=
p; CORRECTNESS or FITNESS FOR A PARTICULAR PURPOSE. You know the drill...
</p>
<p>Affected products:<br> Various COM objects when loaded=
in Microsoft Internet Explorer.</p>
<p>Extend:<br> DoS and remote arbitrary code execution.</=
p>
<p>Patches:<br> MS05-037 and MS05-38<br>  =
; See below for additional killbit.<br>Exploits:<br> Inte=
rnet Exploiter 4 will not be released to the public in the near future.<br>=
Public exploits based on Internet Exploiter have been wr=
itten by third
<br> parties for a number of affected objects. They are a=
vailable on the net<br> from various sources.</p>
<p>Short description:<br> A number of issues have been re=
ported lately by various sources about<br> Internet Explo=
rer vulnerabilities in relation to specific COM objects.<br> &nb=
sp; Research has shown that the root cause is the fact that these COM objec=
ts
<br> are not designed to be loaded in IE at all. These ob=
jects therefore make<br> wrongful assumptions about the s=
tate of the process they are loaded into,<br> specificall=
y about the contents of heap memory. This can be abused to
<br> uncover unwanted features, like the ability to run a=
rbitrary code on a<br> victims machine.<br> &n=
bsp; <br>Short History:<br> On June 24th 2002 <a href=3D"=
mailto:'ken'@FTU">'ken'@FTU</a> reported a NULL-pointer exception in IE whe=
n
<br> loading a specific COM object. The object was mmsys.=
cpl which uses<br> clsid:{00022613-0000-0000-C000-0000000=
00046}. The issue was discarded as<br> a low impact DoS.<=
/p>
<p> On April 18th 2005, Further research revealed that th=
is was in fact a<br> problem with the COM object reusing =
previously freed memory without<br> initialising it. Part=
of the reused memory was used as a function pointer.
<br> Careful allocating and freeing of memory prior to lo=
ading the object<br> allowed remote code execution on Win=
2K. Internet Exploiter 4 was born.<br> (This vulnerabilit=
y does NOT seem to be exploitable on WinXPSP2, as claimed
<br> by FrSIRT in their MS05-038 exploit)<br> =
On June 17th 2005, Bernhard M=FCller and Martin Eiszner found a simi=
lar issue<br> when loading javaprxy.dll and released thei=
r information to the public.<br> <br> O=
n July 2nd, August 9th and August 17th 2005, FrSIRT released shamelessly
<br> ripped code that claims to exploit a number of these=
objects. While failing<br> to work on most occasions thr=
ough lack of finesse, it does prove that even<br> script-=
kiddies can easily write exploits by copy-pasting my Internet
<br> Exploiter heap spraying code. It takes so little eff=
ort that it might<br> actually cost you more time to add =
proper credits to the original author<br> of the code.</p=
>
<p>Solution:<br> I've been working with the Internet Expl=
orer team on short term and long<br> term solutions. The =
latest patch (MS05-038) will "killbit" a number of<br>  =
; objects that were found to have issues when loaded in IE. These kil=
lbits
<br> prevent exploits from loading these objects and abus=
ing this vulnerability.</p>
<p> The latest exploit by FrSIRT targets "msdss.dll&=
quot; with clsid <br> EC444CB6-3E7E-4865-B1C3-0DE72EF39B3=
F, which is not killbitted by ms05-038.<br> I was unable =
to reproduce the vulnerability with version=20
7.10.3077.0 of the<br> dll; the object doesn't even crash=
. From what I've heard everybody else <br> seems to be un=
affected too, so maybe it's just a local .fr thing.<br> J=
ust in case, here's a .reg file you can use to killbit this control;
<br> Create a new .txt file, copy+paste this into it, ren=
ame it to .reg, double<br> click it and say "yes, I =
want to add it to the registry."<br> !!! Lines may w=
rap, you might have to remove the extra line-breaks !!!
<br>---- cut here ----<br>Windows Registry Editor Version 5.00</p>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compati=
bility\{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}]<br>"Compatibility Flags=
"=3Ddword:00000400<br>---- cut here ----<br> If you =
want to test if it works, here's a .html file that will show you;
<br> Create a new .txt file, copy+paste this into it, ren=
ame it to .html, double<br> click and it will tell you if=
you are safe (the object cannot be loaded)<br> or if you=
might be vulnerable to this attack (the object can be loaded):
<br>---- cut here ---<br><OBJECT<br> onreadystatechang=
e=3D"document.write('<I>Possibly</I> Vulnerable...');"=
;<br> onerror=3D"document.write('You should be safe!=
');"<br> classid=3D"clsid:{EC444CB6-3E7E-4865-B=
1C3-0DE72EF39B3F}"
<br>></OBJECT><br>---- cut here ---<br> <br>Greets:<br> =
<a href=3D"mailto:Paul@greyhats">Paul@greyhats</a>, <a href=3D=
"mailto:st0ke@milworm">st0ke@milworm</a>, 0dd, 0x4553, l33tsecurity, NGS.<b=
r> <br>Anti-Greets:<br>
FrSIRT (I thought I was special, turns out they rip-off =
everybody's code!)<br> <br>Cheers,<br>SkyLined</p>
------=_Part_1173_32018819.1124329567242--
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed