TUCoPS :: Browsers :: b06-1166.htm

TUCoPS :: Browsers :: b06-1166.htm
Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution

Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution


Computer Terrorism  (UK) :: Incident Response Centre
=====================================

Security Advisory :: CT22-03-2006
-------------------------------------------


Title:			Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution

Organisation:		Computer Terrorism (UK)
Web:			www.computerterrorism.com 
Advisory Date:		22nd March, 2006


Affected Software:		Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity: 			Critical
Impact:			Remote System Access
Solution Status:		** UNPATCHED **


Overview:
-------------
 
Pursuant to the publication of the aforementioned bug/vulnerability, this document serves as a preliminary Security Advisory for users of Microsoft Internet Explorer version 6 and 7 Beta 2.

Successful exploitation will allow a remote attacker to execute arbitrary code against a fully patched Windows XP system, yielding system access with privileges of the underlying user.

 

Technical Narrative:
-------------------------
 
As per the publication, the bug originates from the use of a createTextRange() method, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. 
 
As a result, IE encounters an exception when trying to call a deferenced 32bit address, as highlighted by the following sniplet of code.
 
0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
..
0x7D53C166 CALL DWORD PTR [ECX]
 
Due to the incorrect reference, ECX points to a very remote, non-existent memory location, causing IE to crash (DoS). However, although the location is some what distant, history dictates that a condition of this nature is conducive towards reliable exploitation.
 
 
Proof of Concept:
-----------------------
 
Computer Terrorism (UK) can confirm the production of reliable proof of concept (PoC) for this vulnerability (tested on Windows XP SP2). However, until a patch is developed, we will NOT be publicly disclosing our research.



Temporary Solution:
-------------------------
 
Users are advised to disable active scripting for non-trusted sites until a patch is released.
 

Vendor Status:
--------------------
 
The Vendor has been informed of all aspects of this new vulnerability (including PoC), but as of the date of the document, this vulnerability is UNPATCHED.