__________________________________________________________________ Insomnia Security Vulnerability Advisory: ISVA-081209.1 ___________________________________________________________________ Name: IE Webdav Request Parsing Heap Corruption Vulnerability Released: 09 December 2008 Vendor Link: http://www.microsoft.com/ Affected Products: Microsoft Internet Explorer 7 Running On Vista Requires Office 2007 Original Advisory: http://www.insomniasec.com/advisories/ISVA-081209.1.htm Researcher: Brett Moore, Insomnia Security http://www.insomniasec.com ___________________________________________________________________ _______________ Description _______________ A vulnerability was found in the way that webdav requests are cached and then later retrieved by Internet Explorer. This results in the use of uninitialized memory which under the right situation can lead to command execution. _______________ Details _______________ When Internet Explorer loads a file from a webdav share, a copy of the file is stored in \Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV This copy is used as the cached version of the file, and is loaded if a page refresh is done. If the size of the requested file is larger that 190 characters then the webdav handling service will not save it correctly. Internet Explorer assumes that the file was stored, and is cached, so when a refresh is done it attempts to load the file information from the cached data. This leads to a heap corruption with various values read that lead to exploitable conditions. _______________ Solution _______________ Microsoft have released a security update to address this issue; http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx _______________ Legals _______________ The information is provided for research and educational purposes only. Insomnia Security accepts no liability in any form whatsoever for any direct or indirect damages associated with the use of this information. ___________________________________________________________________ Insomnia Security Vulnerability Advisory: ISVA-081209.1 ___________________________________________________________________