[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ef867e560603181519w3735e4a6w@mail.gmail.com>
Date: Sat, 18 Mar 2006 19:19:27 -0400
From: "Manuel Moreno Leiva" <morenoleiva@...il.com>
To: "Michal Zalewski" <lcamtuf@...ne.ids.pl>
Cc: full-disclosure@...ts.grok.org.uk, vulnwatch@...nwatch.org,
bugtraq@...urityfocus.com
Subject: Re: Remote overflow in MSIE script action
handlers (mshtml.dll)
great exploit.. works fine in my workstation
i have WinXp Sp2 IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
you have a exploit usable for this?
Best Regards
Manuel Moreno
AsesoriaPC
Stgo,Chile
2006/3/16, Michal Zalewski <lcamtuf@...ne.ids.pl>:
> Good morning,
>
> This might not come as a surprise, but there appears to be a *very*
> interesting and apparently very much exploitable overflow in Microsoft
> Internet Explorer (mshtml.dll).
>
> This vulnerability can be triggered by specifying more than a couple
> thousand script action handlers (such as onLoad, onMouseMove, etc) for any
> single HTML tag. Due to a programming error, MSIE will then attempt to
> write memory array out of bounds, at an offset corresponding to the ID of
> the script action handler multiplied by 4 (due to 32-bit address clipping,
> the result is a small positive integer).
>
> The list of IDs can be found on the Web, and is as follows (values in
> parentheses = resulting offsets):
>
> onhelp = 0x8001177d (+0x45df4)
> onclick = 0x80011778 (+0x45de0)
> ondblclick = 0x80011779 (+0x45de4)
> onkeyup = 0x80011776 (+0x45dd8)
> onkeydown = 0x80011775 (+0x45dd4)
> onkeypress = 0x80011777 (+0x45ddc)
> onmouseup = 0x80011773 (+0x45dcc)
> onmousedown = 0x80011772 (+0x45dc8)
> onmousemove = 0x80011774 (+0x45dd0)
> onmouseout = 0x80011771 (+0x45dc4)
> onmouseover = 0x80011770 (+0x45dc0)
> onreadystatechange = 0x80011789 (+0x45e24)
> onafterupdate = 0x80011786 (+0x45e18)
> onrowexit = 0x80011782 (+0x45e08)
> onrowenter = 0x80011783 (+0x45e0c)
> ondragstart = 0x80011793 (+0x45e4c)
> onselectstart = 0x80011795 (+0x45e54)
>
> What happens next depends on the structure of the page in which the
> malicious tag is embedded, as well as previously visited page and
> previously initialized extensions (all these factors can be controlled by
> the attacker).
>
> When the offending page contains no additional elements, and the user is
> not redirected from elsewhere, the browser will typically crash
> immediately, because there is no allocated memory at the resulting offset.
> In all other cases, crashes will typically occur later, due to attempted
> use of unrelated but corrupted in-memory buffers -for example, when the
> user attempts to leave or reload the page. Another good example is coming
> from a page that contains Macromedia Flash - this usually causes the Flash
> plugin itself to choke on corrupted memory on cleanup.
>
> For non-believers, there's a short but fiery demonstration page available
> at http://lcamtuf.coredump.cx/iedie.html (yes, it will probably crash your
> browser).
>
> Tested on MSIE 6.0.2900.2180.xpsp2.040806-1825 on Windows XP SP2. As far
> as I can tell, other browser makes (Firefox, Opera) are not susceptible to
> this attack.
>
> I eagerly await due reprimend from Microsoft for not disclosing this
> vulnerability in a manner that benefits them most, not passing start, not
> collecting $200 (from iDefense?).
>
> Regards,
> /mz
> http://lcamtuf.coredump.cx/silence/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists