MS06-013: HTML Tag Memory Corruption Vulnerability in MS IE 6 SP2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

 ---------------------------------------------------
| BuHa Security-Advisory #13    |    May 25th, 2006 |
 ---------------------------------------------------
| Vendor   | MS Internet Explorer 6.0               |
| URL      | http://www.microsoft.com/windows/ie/   |
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Critical (Memory Corruption)           |
 ---------------------------------------------------

The Microsoft Security Response Center rated the following issues as
critical because, on the face of it, they could produce an exploitable
memory corruption (see HTML Tag Memory Corruption Vulnerability -
CVE-2006-1188 [1]) with a variant of my PoC.

o Description:
==============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Memory Corruption Vulnerability: #7d519030
==================================

The following HTML code forces IE 6 to crash:
> ... "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

(The rest of this test case's markup is not preserved in this copy of the
advisory; only the DOCTYPE's DTD reference survives.)

Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135035582812-7d519030.html

These are the register values and the ASM dump at the time of the access
violation:

> eax=00000000 ebx=0012e88c ecx=00000000 edx=0012e7c0 esi=00000000
> edi=00000004 eip=7d519030 esp=0012e780 ebp=0012e894
>
> 7d519012 55              push    ebp
> 7d519013 8bec            mov     ebp,esp
> 7d519015 8b4104          mov     eax,[ecx+0x4]
> 7d519018 394508          cmp     [ebp+0x8],eax
> 7d51901b 7c09            jl      mshtml+0x69026 (7d519026)
> 7d51901d 7edc            jle     mshtml+0x68ffb (7d518ffb)
> 7d51901f 33c0            xor     eax,eax
> 7d519021 40              inc     eax
> 7d519022 5d              pop     ebp
> 7d519023 c20800          ret     0x8
> 7d519026 83c8ff          or      eax,0xffffffff
> 7d519029 ebf7            jmp     mshtml+0x69022 (7d519022)
> 7d51902b 90              nop
> 7d51902c 90              nop
> 7d51902d 90              nop
> 7d51902e 90              nop
> 7d51902f 90              nop
> FAULT ->7d519030 8b4108  mov     eax,[ecx+0x8]
> ds:0023:00000008=????????
> 7d519033 85c0            test    eax,eax
> 7d519035 7425            jz      mshtml+0x6905c (7d51905c)
> 7d519037 8b10            mov     edx,[eax]
> 7d519039 f6c210          test    dl,0x10
> 7d51903c 7408            jz      mshtml+0x69046 (7d519046)
> 7d51903e f6c220          test    dl,0x20
> 7d519041 7519            jnz     mshtml+0x6905c (7d51905c)
> 7d519043 8b400c          mov     eax,[eax+0xc]
> 7d519046 8b4808          mov     ecx,[eax+0x8]
> 7d519049 85c9            test    ecx,ecx

o Memory Corruption Vulnerability: #7d529d35
==================================

The following HTML code forces IE 6 to crash:

> ... "http://www.w3.org/TR/html4/loose.dtd">

(The rest of this test case's markup is not preserved in this copy of the
advisory; only the DOCTYPE's DTD reference survives.)
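Added here as a triage aid, not part of the advisory: a small parser for the WinDbg register dump and faulting instruction quoted above for #7d519030. It recomputes the effective address of the faulting memory operand from the dumped registers, cross-checks it against the ds:0023:00000008 access WinDbg reported, and classifies the fault (here a read through a zeroed ecx at offset 0x8, i.e. a null-object dereference). The embedded sample dump is constructed from the quoted lines; the null_page threshold is an assumption.

```python
import re

# Constructed sample: the register dump and faulting instruction that the
# advisory quotes for the #7d519030 crash, in WinDbg's own output format.
CRASH_DUMP = """\
eax=00000000 ebx=0012e88c ecx=00000000 edx=0012e7c0 esi=00000000
edi=00000004 eip=7d519030 esp=0012e780 ebp=0012e894
FAULT ->7d519030 8b4108 mov eax,[ecx+0x8]
ds:0023:00000008=????????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
FAULT_RE = re.compile(r"FAULT ->([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(\S+)")
MEM_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)(?:\+(0x[0-9a-f]+))?\]")
ACCESS_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})")

def parse_dump(text):
    """Split a WinDbg dump into (regs, eip, mnemonic, operands, ds: address)."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    m = FAULT_RE.search(text)
    if not m:
        raise ValueError("no 'FAULT ->' line in dump")
    a = ACCESS_RE.search(text)  # None when WinDbg printed no access address
    return (regs, int(m.group(1), 16), m.group(2), m.group(3),
            int(a.group(1), 16) if a else None)

def effective_address(regs, operands):
    """Evaluate [base+disp] from the registers; returns (addr, base, disp, is_write)."""
    dst = operands.partition(",")[0]  # memory operand first => it is a write
    m = MEM_RE.search(operands)
    if not m:
        raise ValueError("no memory operand in %r" % operands)
    disp = int(m.group(2), 16) if m.group(2) else 0
    addr = (regs[m.group(1)] + disp) & 0xFFFFFFFF
    return addr, m.group(1), disp, "[" in dst

def triage(text, null_page=0x10000):
    """Classify the fault and cross-check it against WinDbg's ds: address.
    null_page (assumed: the low 64 KB, never mapped on Windows) is a guess."""
    regs, eip, mnem, operands, reported = parse_dump(text)
    addr, base, disp, is_write = effective_address(regs, operands)
    access = "write" if is_write else "read"
    # Small address through a zeroed base register: a missing object was used.
    if regs[base] == 0 and addr < null_page:
        kind = "null-pointer %s via %s+0x%x" % (access, base, disp)
    else:
        kind = "wild-pointer %s" % access
    return {"eip": eip, "mnemonic": mnem, "address": addr, "kind": kind,
            "matches_reported": reported is None or reported == addr}
```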