lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <005601c64dc5$f6609a60$0a01a8c0@user1>
Date: Wed Mar 22 16:45:44 2006
From: advisories at computerterrorism.com (Computer Terrorism (UK) :: Incident Response Centre)
Subject: Microsoft Internet Explorer (mshtml.dll) - Remote
	Code Execution

Computer Terrorism  (UK) :: Incident Response Centre


Security Advisory :: CT22-03-2006
-------------------------------------------

Title:   Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution

Organisation:  Computer Terrorism (UK)
Web:   www.computerterrorism.com
Advisory Date:  22nd March, 2006


Affected Software:  Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity:    Critical
Impact:   Remote System Access
Solution Status:  ** UNPATCHED **


Overview:
-------------

Pursuant to the publication of the aforementioned bug/vulnerability, this 
document serves as a preliminary Security Advisory for users of Microsoft 
Internet Explorer version 6 and 7 Beta 2.
Successful exploitation will allow a remote attacker to execute arbitrary 
code against a fully patched Windows XP system, yielding system access with 
privileges of the underlying user.



Technical Narrative:
-------------------------

As per the publication, the bug originates from the use of a 
createTextRange() method, which, under certain circumstances, can lead to an 
invalid/corrupt table pointer dereference.
As a result, IE encounters an exception when trying to call a deferenced 
32bit address, as highlighted by the following sniplet of code.

0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
..
0x7D53C166 CALL DWORD PTR [ECX]

Due to the incorrect reference, ECX points to a very remote, non-existent 
memory location, causing IE to crash (DoS).

However, although the location is some what distant, history dictates that a 
condition of this nature is conducive towards reliable exploitation.


Proof of Concept:
-----------------------

Computer Terrorism (UK) can confirm the production of reliable proof of 
concept (PoC) for this vulnerability (tested on Windows XP SP2).
However, until a patch is developed, we will NOT be publicly disclosing our 
research.


Temporary Solution:
-------------------------

Users are advised to disable active scripting for non-trusted sites until a 
patch is released.


Vendor Status:
--------------------

The Vendor has been informed of all aspects of this new vulnerability 
(including PoC), but as of the date of the document, this vulnerability is 
UNPATCHED.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ