lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CANvT6Ohg9XydALmF882-uhS_1UAHWGcrEjC+ODNzBaX_-k3d9g@mail.gmail.com>
Date: Thu, 13 Oct 2011 01:01:30 +0200
From: Ivan Fratric <ifsecure@...il.com>
To: bugtraq@...urityfocus.com
Subject: Two Remote Code Execution Vulnerabilities in Internet Explorer

#######################################################################
Vulnerability 1: Internet Explorer Select Element Remote Code Execution
#######################################################################

Original advisory:
http://ifsec.blogspot.com/2011/10/internet-explorer-select-element-remote.html

I. OVERVIEW

There is a vulnerability in Internet Explorer which enables execution
of arbitrary code if the user visits a web page controlled by the
attacker. The vulnerability is caused by incorrectly validating
integer parameter passed to the 'add' method of the Select HTML
element. This vulnerability has been observed in Internet Explorer 8.
The vulnerability has been patched by Microsoft on October 11, 2011.

II. THE BUG

The bug is caused by incorrectly validating integer parameter passed
to the 'add' method of the Select HTML element under certain
conditions. The 'add' method of the Select HTML element is used to add
an Option to the Select element. It accepts two parameters:
1. An Option object to be added
2. An integer, specifying the index of the new Option element
Under certain conditions, the second parameter is not properly
validated, which can lead to corrupting memory at arbitrary address
and, in turn, code execution.

III. IMPACT

The vulnerability can be used to execute arbitrary code in the context
of the currently logged in user if the user visits a specially crafted
web page. JavaScript needs to be enabled in order for the attacker to
be able to exploit the vulnerability (it is enabled by default in all
versions of Internet Explorer).

IV. PoC

A PoC exploit that demonstrates reliable code execution on Internet
Explorer 8 on Windows 7 SP1 has been developed. The release of the
exploit code is planned on a later date, once everyone has had plenty
of time to patch.
However, the description of the method that was used to bypass ASLR
and otherwise enable reliable code execution can be found here:
http://ifsec.blogspot.com/2011/06/memory-disclosure-technique-for.html

V. REFERENCES

http://ifsec.blogspot.com/2011/10/internet-explorer-select-element-remote.html
http://technet.microsoft.com/en-us/security/bulletin/ms11-081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1999
http://www.zerodayinitiative.com/advisories/published/


#######################################################################
Vulnerability 2: Internet Explorer Option Element Remote Code Execution
#######################################################################

Original advisory:
http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html

I. OVERVIEW

There is a vulnerability in Internet Explorer which enables execution
of arbitrary code if the user visits a web page controlled by the
attacker. The vulnerability is caused by an use-after-free bug
triggered by accessing a previously deleted Option element. This
vulnerability has been observed in Internet Explorer versions 6, 7 and
8. The vulnerability has been patched by Microsoft on October 11,
2011.

II. THE BUG

In Internet Explorer, the implementation of Select HTML element
contains an array of pointers to the Option elements the Select
element contains. This array is called the Option cache. Normally,
whenever an Option element inside a Select element is accessed via
JavaScript, Option cache is rebuilt, thus ensuring its consistency.
However, there are some JavaScript methods that can be used to delete
and modify the Option elements contained inside the Select element
without rebuilding the Option cache. In combination, these methods
enable modifying a previously deleted Option element.

III. IMPACT

The vulnerability can be used to execute arbitrary code in the context
of the currently logged in user if the user visits a specially crafted
web page. JavaScript needs to be enabled in order for the attacker to
be able to exploit the vulnerability (it's enabled by default in all
versions of Internet Explorer).

IV. PoC

An PoC exploit that demonstrates code execution has been developed.
However, due to the severity of the vulnerability, release of the
exploit code is not planned at this time.

V. REFERENCES

http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html
http://technet.microsoft.com/en-us/security/bulletin/ms11-081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1996
http://www.zerodayinitiative.com/advisories/published/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ