TUCoPS :: Browsers :: v7-2207.htm

DoS vuln in M$ IE 6 SP2 #2
DoS Vulnerability in M$ IE 6 SP2 #2
DoS Vulnerability in M$ IE 6 SP2 #2

Hash: SHA1

| BuHa Security-Advisory #5     |    Dec 24th, 2005 |
| Vendor   | M$ Internet Explorer 6.0               |
| URL | http://www.microsoft.com/windows/ie/ | 
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Low (DoS - Null Read Dereference)      |
o Description:
Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information. 

o Denial of Service: #7d6c74b1
Following HTML code forces M$ IE 6 to crash:

    > > > > > > > Online-demo: http://morph3us.org/security/pen-testing/msie/ie60-1132900490843-7d6c74b1.html These are the register values and the ASM dump at the time of the access violation: eax=0129040a ebx=0129ef30 ecx=00000001 edx=012945f0 esi=00000000 edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8 cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 7d6c748b 6a0b push 0xb 7d6c748d 33c0 xor eax,eax 7d6c748f 59 pop ecx 7d6c7490 8bfe mov edi,esi 7d6c7492 f3ab rep stosd 7d6c7494 8b45f8 mov eax,[ebp-0x8] 7d6c7497 8906 mov [esi],eax 7d6c7499 897228 mov [edx+0x28],esi 7d6c749c e9af010000 jmp mshtml+0x217650 (7d6c7650) 7d6c74a1 8b4728 mov eax,[edi+0x28] 7d6c74a4 8b7028 mov esi,[eax+0x28] 7d6c74a7 897728 mov [edi+0x28],esi 7d6c74aa 8b4320 mov eax,[ebx+0x20] 7d6c74ad 668b4002 mov ax,[eax+0x2] FAULT ->7d6c74b1 8b4e24 mov ecx,[esi+0x24] ds:0023:00000024=???????? 7d6c74b4 66250030 and ax,0x3000 7d6c74b8 662d0010 sub ax,0x1000 7d6c74bc 66f7d8 neg ax 7d6c74bf 897510 mov [ebp+0x10],esi 7d6c74c2 1bc0 sbb eax,eax 7d6c74c4 40 inc eax 7d6c74c5 50 push eax 7d6c74c6 e80c8efeff call mshtml+0x2002d7 (7d6b02d7) 7d6c74cb 0fb6c0 movzx eax,al 7d6c74ce 48 dec eax 7d6c74cf 83f80c cmp eax,0xc 7d6c74d2 0f877b010000 jnbe mshtml+0x217653 (7d6c7653) 7d6c74d8 ff2485c7796c7d jmp dword ptr [mshtml+0x2179c7 (7d6c79c7)+eax*4] 7d6c74df 8b4e20 mov ecx,[esi+0x20] 7d6c74e2 f6410208 test byte ptr [ecx+0x2],0x8 7d6c74e6 7419 jz mshtml+0x217501 (7d6c7501) 7d6c74e8 8b45fc mov eax,[ebp-0x4] 7d6c74eb ff7014 push dword ptr [eax+0x14] 7d6c74ee 8b4610 mov eax,[esi+0x10] 7d6c74f1 03460c add eax,[esi+0xc] 7d6c74f4 50 push eax 7d6c74f5 e899ba0100 call mshtml+0x232f93 (7d6e2f93) It appears to be a null read dereference crash which is not exploitable. o Vulnerable versions: ==================== The DoS vulnerability was successfully tested on: > M$ IE 6 SP2 - Win XP Pro SP2 > M$ IE 6 - Win 2k SP4 o Disclosure Timeline: ==================== 26 Nov 05 - DoS vulnerability discovered. 15 Dec 05 - Vendor contacted. 20 Dec 05 - Vendor confirmed vulnerability. 24 Dec 05 - Public release. o Solution: ========= There is no patch yet. The vulnerability will be fixed in an upcoming service pack according to the Microsoft Security Response Center. o Credits: ======== Christian Deneke - -- Thomas Waldegger BuHa-Security Community - http://buha.info/board/ If you have questions, suggestions or criticism about the advisory feel free to send me a mail. The address 'bugtraq@morph3us.org' is more a spam address than a regular mail address therefore it's possible that I ignore some mails. Please use the contact details at morph3us.org to contact me. Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa. Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-2.txt -----BEGIN PGP SIGNATURE----- Version: n/a Comment: http://morph3us.org/ iD8DBQFDrdsUkCo6/ctnOpYRAuyKAKCs+kRe0D9LEpRSaBV8skBLrIWzPACfS4mU 07WulbyPImV5j9zbwi56gOo=JX5G -----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH