TUCoPS :: Browsers :: v7-2207.htm

DoS vuln in M$ IE 6 SP2 #2
DoS Vulnerability in M$ IE 6 SP2 #2
DoS Vulnerability in M$ IE 6 SP2 #2


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ---------------------------------------------------
| BuHa Security-Advisory #5     |    Dec 24th, 2005 |
 ---------------------------------------------------
| Vendor   | M$ Internet Explorer 6.0               |
| URL | http://www.microsoft.com/windows/ie/ | 
| Version  | <= 6.0.2900.2180.xpsp_sp2              |
| Risk     | Low (DoS - Null Read Dereference)      |
 ---------------------------------------------------
 
o Description:
============
Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or 
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information. 

o Denial of Service: #7d6c74b1
==================
Following HTML code forces M$ IE 6 to crash:
> 
> 
      
> 
    
> 
> 
> 
> 
> 
> 
> 

Online-demo: 
http://morph3us.org/security/pen-testing/msie/ie60-1132900490843-7d6c74b1.html 

These are the register values and the ASM dump at the time of the access
violation:
eax=0129040a ebx=0129ef30 ecx=00000001 edx=012945f0 esi=00000000
edi=0012b3a8 eip=7d6c74b1 esp=0012b280 ebp=0012b2a8
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000  efl=00000246

        7d6c748b 6a0b             push    0xb
        7d6c748d 33c0             xor     eax,eax
        7d6c748f 59               pop     ecx
        7d6c7490 8bfe             mov     edi,esi
        7d6c7492 f3ab             rep     stosd
        7d6c7494 8b45f8           mov     eax,[ebp-0x8]
        7d6c7497 8906             mov     [esi],eax
        7d6c7499 897228           mov     [edx+0x28],esi
        7d6c749c e9af010000       jmp     mshtml+0x217650 (7d6c7650)
        7d6c74a1 8b4728           mov     eax,[edi+0x28]
        7d6c74a4 8b7028           mov     esi,[eax+0x28]
        7d6c74a7 897728           mov     [edi+0x28],esi
        7d6c74aa 8b4320           mov     eax,[ebx+0x20]
        7d6c74ad 668b4002         mov     ax,[eax+0x2]
FAULT ->7d6c74b1 8b4e24           mov     ecx,[esi+0x24]
                                          ds:0023:00000024=????????
        7d6c74b4 66250030         and     ax,0x3000
        7d6c74b8 662d0010         sub     ax,0x1000
        7d6c74bc 66f7d8           neg     ax
        7d6c74bf 897510           mov     [ebp+0x10],esi
        7d6c74c2 1bc0             sbb     eax,eax
        7d6c74c4 40               inc     eax
        7d6c74c5 50               push    eax
        7d6c74c6 e80c8efeff       call    mshtml+0x2002d7 (7d6b02d7)
        7d6c74cb 0fb6c0           movzx   eax,al
        7d6c74ce 48               dec     eax
        7d6c74cf 83f80c           cmp     eax,0xc
        7d6c74d2 0f877b010000     jnbe    mshtml+0x217653 (7d6c7653)
        7d6c74d8 ff2485c7796c7d   jmp     dword ptr [mshtml+0x2179c7
                                          (7d6c79c7)+eax*4]
        7d6c74df 8b4e20           mov     ecx,[esi+0x20]
        7d6c74e2 f6410208         test    byte ptr [ecx+0x2],0x8
        7d6c74e6 7419             jz      mshtml+0x217501 (7d6c7501)
        7d6c74e8 8b45fc           mov     eax,[ebp-0x4]
        7d6c74eb ff7014           push    dword ptr [eax+0x14]
        7d6c74ee 8b4610           mov     eax,[esi+0x10]
        7d6c74f1 03460c           add     eax,[esi+0xc]
        7d6c74f4 50               push    eax
        7d6c74f5 e899ba0100       call    mshtml+0x232f93 (7d6e2f93)

It appears to be a null read dereference crash which is not exploitable.


o Vulnerable versions:
====================
The DoS vulnerability was successfully tested on:
> M$ IE 6 SP2 - Win XP Pro SP2
> M$ IE 6     - Win 2k SP4


o Disclosure Timeline:
====================
26 Nov 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
20 Dec 05 - Vendor confirmed vulnerability.
24 Dec 05 - Public release.

o Solution:
=========
There is no patch yet. The vulnerability will be fixed in an upcoming 
service pack according to the Microsoft Security Response Center.


o Credits:
========
Christian Deneke  

- --

Thomas Waldegger  
BuHa-Security Community - http://buha.info/board/ 

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a 
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at morph3us.org
to contact me.

Greets fly out to cyrus-tc, destructor, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20051224-msie6-sp2-2.txt 

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/ 

iD8DBQFDrdsUkCo6/ctnOpYRAuyKAKCs+kRe0D9LEpRSaBV8skBLrIWzPACfS4mU
07WulbyPImV5j9zbwi56gOo=JX5G
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH