TUCoPS :: Browsers :: b06-2481.htm

TUCoPS :: Browsers :: b06-2481.htm
DoS Vulnerability in MS IE 6 SP2
DoS Vulnerability in MS IE 6 SP2 DoS Vulnerability in MS IE 6 SP2

-----BEGIN PGP SIGNED MESSAGE-----=0D
Hash: RIPEMD160=0D
=0D
 ---------------------------------------------------=0D
| BuHa Security-Advisory #12    |    May 25th, 2006 |=0D
 ---------------------------------------------------=0D
| Vendor   | MS Internet Explorer 6.0               |=0D
| URL | http://www.microsoft.com/windows/ie/ |=0D 
| Version  | <= 6.0.2900.2180.xpsp_sp2              |=0D
| Risk     | Low (Denial of Service)                |=0D
 ---------------------------------------------------=0D
=0D
o Description:=0D
==============0D
=0D
Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser=0D
made by Microsoft and currently available as part of Microsoft Windows.=0D
=0D
Visit http://www.microsoft.com/windows/ie/default.mspx or=0D 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.=0D 
=0D
o Denial of Service: #7d6d2db4=0D
====================0D
=0D
Following HTML code forces MS IE 6 to crash:=0D
>  =0D
=0D
Online-demo:=0D
http://morph3us.org/security/pen-testing/msie/ie60-1132901785453-7d6d2db4.html=0D 
=0D
These are the register values and the ASM dump at the time of the access=0D
violation:=0D
> eax=00000000 ebx=00000000 ecx=00e78d38 edx=00e7a704 esi=0012a268=0D
> edi=00000000 eip=7d6d2db4 esp=0012a228 ebp=0012a25c=0D
>=0D
>         7d6d2d7d e868f9ffff       call    mshtml+0x2226ea (7d6d26ea)=0D
>         7d6d2d82 50               push    eax=0D
>         7d6d2d83 e835f8ffff       call    mshtml+0x2225bd (7d6d25bd)=0D
>         7d6d2d88 85c0             test    eax,eax=0D
>         7d6d2d8a 8945f8           mov     [ebp-0x8],eax=0D
>         7d6d2d8d 0f85c4020000     jne     mshtml+0x223057 (7d6d3057)=0D
>         7d6d2d93 8b461c           mov     eax,[esi+0x1c]=0D
>         7d6d2d96 8b4e18           mov     ecx,[esi+0x18]=0D
>         7d6d2d99 8365f400         and     dword ptr [ebp-0xc],0x0=0D
>         7d6d2d9d 8365fc00         and     dword ptr [ebp-0x4],0x0=0D
>         7d6d2da1 8b7e14           mov     edi,[esi+0x14]=0D
>         7d6d2da4 8945f0           mov     [ebp-0x10],eax=0D
>         7d6d2da7 e88462e4ff       call    mshtml+0x69030 (7d519030)=0D
>         7d6d2dac 3bc7             cmp     eax,edi=0D
>         7d6d2dae 0f8402020000     je      mshtml+0x222fb6 (7d6d2fb6)=0D
> FAULT ->7d6d2db4 8b07             mov     eax,[edi]=0D
>                                           ds:0023:00000000=????????=0D
>         7d6d2db6 8bc8             mov     ecx,eax=0D
>         7d6d2db8 83e10f           and     ecx,0xf=0D
>         7d6d2dbb 49               dec     ecx=0D
>         7d6d2dbc 0f849c010000     je      mshtml+0x222f5e (7d6d2f5e)=0D
>         7d6d2dc2 49               dec     ecx=0D
>         7d6d2dc3 0f84b3000000     je      mshtml+0x222e7c (7d6d2e7c)=0D
>         7d6d2dc9 49               dec     ecx=0D
>         7d6d2dca 49               dec     ecx=0D
>         7d6d2dcb 746c             jz      mshtml+0x222e39 (7d6d2e39)=0D
>         7d6d2dcd 83e904           sub     ecx,0x4=0D
>         7d6d2dd0 0f85a5010000     jne     mshtml+0x222f7b (7d6d2f7b)=0D
>         7d6d2dd6 8bcf             mov     ecx,edi=0D
>         7d6d2dd8 e8482ffeff       call    mshtml+0x205d25 (7d6b5d25)=0D
>         7d6d2ddd 85c0             test    eax,eax=0D
>         7d6d2ddf 7430             jz      mshtml+0x222e11 (7d6d2e11)=0D
>         7d6d2de1 837e0400         cmp     dword ptr [esi+0x4],0x0=0D
=0D
This issue is a non-exploitable Null Pointer Dereference vulnerability and=0D
leads to DoS.=0D
=0D
o Vulnerable versions:=0D
======================0D
=0D
The DoS vulnerability was successfully tested on:=0D
> MS IE 6 SP2 - Win XP Pro SP2=0D
> MS IE 6     - Win 2k SP4=0D
=0D
o Disclosure Timeline:=0D
======================0D
=0D
xx Feb 06 - Vulnerabilities discovered.=0D
08 Mar 06 - Vendor contacted.=0D
22 Mar 06 - Vendor confirmed vulnerabilities.=0D
25 May 06 - Public release.=0D
=0D
o Solution:=0D
===========0D
=0D
I think - this is not an official statement from the Microsoft Security=0D
Response Center - the vulnerability will be fixed in an upcoming service=0D
pack.=0D
=0D
o Credits:=0D
==========0D
=0D
Thomas Waldegger =0D 
BuHa-Security Community - http://buha.info/board/=0D 
=0D
If you have questions, suggestions or criticism about the advisory feel=0D
free to send me a mail. The address 'bugtraq@morph3us.org' is more a=0D 
spam address than a regular mail address therefore it's possible that=0D
some mails get ignored. Please use the contact details at=0D
http://morph3us.org/ to contact me.=0D 
=0D
Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all=0D
members of BuHa.=0D
=0D
Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-1.txt=0D 
=0D
- --=0D
Don't you feel the power of CSS Layouts?=0D
BuHa-Security Community: http://buha.info/board/=0D 
=0D
-----BEGIN PGP SIGNATURE-----=0D
Version: n/a=0D
Comment: http://morph3us.org/=0D 
=0D
iD8DBQFEdjPVkCo6/ctnOpYRAyHUAKCEVV7FWNe+R+n1LcnXBdJqLvPbPwCdEhsf=0D
xDEUBcvk88NUT5rLt8Vl0VU==0D
=4DXQ=0D
-----END PGP SIGNATURE-----=0D








TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH