Bugtraq mailing list archives

Re: Remote overflow in MSIE script action handlers (mshtml.dll)


From: <c0redump () ackers org uk>
Date: Sat, 18 Mar 2006 11:07:33 -0000

Just to add to this again before we get sick of going on about it.

Some people have been reporting different things, namely that you must only have one IE window open so that the other buffers cannot "absorb" the attack. However,

Test 1:
No IE windows open, clicked on exploit link, launches IE - sometimes just closes with no error, sometimes "The instruction at '0x7d525dcd' referenced memory at '0x00009506'. The memory could not be 'read'" came up.

Test 2:
One IE window open already, opened up second one on exploit link - only second window died. Same with two windows open already, three and so on; just the actual IE window that is rendering the mshtml.dll exploit dies.

Obviously it's not sharing memory between the different instances of IE.

As I said before, Win XP SP2, all the lovely patches. (IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519)

c0redump
#hacktech @ undernet

----- Original Message -----
From: Master Phoxpherus
To: lcamtuf () dione ids pl
Cc: bugtraq () securityfocus com
Sent: Thursday, March 16, 2006 10:05 PM
Subject: Re: Remote overflow in MSIE script action handlers (mshtml.dll)


Hmm. I'm running a Windows 98 SE box and just tried what you said. Didn't
affect me "instantly" or after a time period. You sure you're not just
seeing shit? :P

Plus, keeping it real, there's a fair difference between a BoF that you can
perform easily remotely, and a BoF you have to talk people into. "Hey,
dude... can you just type <command> and if it don't work, hit refresh a few
times?" ... can you see it?

On Thu, 16 Mar 2006, Daniel Bonekeeper wrote:

> BTW, tested the POC on MSIE (File Version = 6.00.2900.2180
> (xpsp_sp2_rtm.040803-2158)) with mshtml.dll (6.00.2900.2802
> (xpsp_sp2_gdr.051123-1230)) and it didn't work.

Daniel followed up with me in private and confirmed that the PoC *did*
work for him when he followed certain additional instructions: because the
attack depends on memory layout and usage, to get consistent results, be
sure to close *all* MSIE windows, then go to Start -> Run... and type:

  iexplore http://lcamtuf.coredump.cx/iedie.html

That should crash the browser immediately, because there are no other
buffers nearby to "absorb" the initial fencepost. Still, if no dice, try
hitting 'Reload' a couple of times.

/mz

