#########################################
Application: Internet Explorer
Vendors: http://www.microsoft.com
Version: 6.0.2800
Platforms: Windows
Bug: IE and MSN Messenger Memory_Access_Violation
Risk: Critical
Exploitation: Remote with browser
Date: 07 May 2004
Author: Emmanouel Kellinis
e-mail: me@cipher(dot)org(dot)uk
web: http://www.cipher.org.uk
List : BugTraq(SecurityFocus)
#########################################

=======
Product
=======

A popular Web browser, created by Microsoft, used to view pages on the World Wide Web.

===
Bug
===

Using an onLoad handler together with the window.location property, we can direct Internet Explorer to open a specific connection, file or web page while an element of our HTML code, let's say the <body>, is loading. (onLoad can be applied to almost any tag.)

If we want to redirect the page to a file local to the user/visitor, we use file://c:\filename. Now, instead of a valid drive name we pass an arbitrary drive name using hexadecimal escape values, e.g. file://\xff:\filename. Hex values can be passed in place of the filename as well.

This abnormality overwrites three registers: ECX, EDX and EDI. With the abnormal drive name we control the first 16 bits of EDX and EDI.

When the web page with the malicious code loads, the three registers are overwritten, and the impact is that the registry entries for IE are corrupted: the association of html/htm pages with Internet Explorer no longer works, and every IE shortcut fails to load. Instead an error popup says: "You can't access this file, path, drive. Permission denied." Note that access to the temp directory is lost as well.

MSN Messenger is affected by the memory access violation too: it crashes immediately after you log in (sometimes the problem is fixed after restarting).

Because onLoad lives inside an HTML tag attribute rather than a <script> block, there is a possibility that firewalls won't detect it as JavaScript and will let it load. (Mine didn't)

=====================
Proof Of Concept Code
=====================

Can be constructed out of the previous statements.
Proof of concept posted to vendor.

=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================
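The pattern the Bug section describes (an inline onLoad handler assigning window.location a file:// URL whose drive component is a hex escape rather than a drive letter), together with the remark that filters may not recognise the inline handler as JavaScript, is what a defender would want to check for in content passing through a proxy or mail gateway. The following is an added JavaScript example and is not part of this advisory or any cipher.org.uk code: a small scanner that extracts inline on* handler attributes from a page, decodes \xHH and \uHHHH escapes the way a script engine would, and flags any navigation to a file:// URL whose drive component is not a single ASCII letter. The function names, the regular expressions and the sample HTML strings are constructed for illustration. It generalises the advisory's <body onLoad> case to any tag and any on* attribute, since the advisory notes that onLoad can be applied to almost any tag.

```javascript
// Added example, not from the advisory. Constructed names and samples throughout.

// Any inline on* handler attribute (onload, onerror, onmouseover, ...), "- or '-quoted.
const HANDLER_RE = /\son[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Assignments to location / window.location / document.location / location.href
// inside a handler body.
const NAV_RE = /(?:window\.|document\.)?location(?:\.href)?\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Decode the escapes the advisory relies on (\xHH) plus \uHHHH, so that the URL
// is inspected as the characters the browser would actually hand to the file handler.
function decodeJsString(s) {
  return s
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Returns false when a file:// URL carries a "drive:" component that is not exactly
// one ASCII letter (e.g. file://\xff:\name after decoding). URLs with no drive
// component at all (file://server/share, http://...) are not the pattern and pass.
function fileUrlHasValidDrive(url) {
  const m = /^file:\/\/\/?([^:\\\/]*):(?=[\\\/]|$)/i.exec(url);
  if (!m) return true;
  return /^[A-Za-z]$/.test(m[1]);
}

// Scan an HTML document and return one finding per inline handler that navigates
// to a file:// URL with an abnormal drive component.
function findSuspiciousHandlers(html) {
  const findings = [];
  let h;
  HANDLER_RE.lastIndex = 0;
  while ((h = HANDLER_RE.exec(html)) !== null) {
    const handlerBody = h[1] !== undefined ? h[1] : h[2];
    let n;
    NAV_RE.lastIndex = 0;
    while ((n = NAV_RE.exec(handlerBody)) !== null) {
      const raw = n[1] !== undefined ? n[1] : n[2];
      const url = decodeJsString(raw);
      if (/^file:/i.test(url) && !fileUrlHasValidDrive(url)) {
        findings.push({ handler: h[0].trim(), url });
      }
    }
  }
  return findings;
}

// Constructed sample pages. String.raw keeps the backslashes literal, as they would
// appear in the page source.
const SAMPLE_PAGES = {
  // The navigation the advisory describes: hex escape in place of the drive letter.
  malicious: String.raw`<html><body onLoad="window.location='file://\xff:\filename'"><p>x</p></body></html>`,
  // Same handler with a real drive letter; not the bug pattern.
  benign: String.raw`<html><body onload="window.location='file://c:\filename'"></body></html>`,
  // Ordinary inline redirect to an http URL; the file:// check does not apply.
  redirect: `<html><img src="x" onerror="location.href='http://www.cipher.org.uk/'">`,
};

for (const [name, html] of Object.entries(SAMPLE_PAGES)) {
  console.log(name, JSON.stringify(findSuspiciousHandlers(html)));
}
```

Running it prints one finding for the malicious sample (the decoded URL contains the byte 0xff where the drive letter should be) and none for the other two. The check is deliberately narrow: it keys on the drive-colon syntax the advisory abuses and does not try to reason about what the file handler does with the bytes, so it will also flag a multi-character or empty drive component, which is equally abnormal.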