lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun Apr 23 02:12:42 2006
From: mattmurphy at (Matthew Murphy)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability

Hash: RIPEMD160

Michal Zalewski wrote:
> Perhaps not surprisingly, there appears to be a vulnerability in how
> Microsoft Internet Explorer handles (or fails to handle) certain
> combinations of nested OBJECT tags. This was tested with MSIE
> 6.0.2900.2180.xpsp.040806-1825 and mshtml.dll 6.00.2900.2873
> xpsp_sp2_gdr.060322-1613.
> At first sight, this vulnerability may offer a remote compromise vector,
> although not necessarily a reliable one. The error is convoluted and
> difficult to debug in absence of sources; as such, I cannot offer a
> definitive attack scenario, nor rule out that my initial diagnosis will be
> proved wrong [*]. As such, panic, but only slightly.

On my XP SP2 box, your fourth example produces bizarre results.
FrontPage and Visual Studio survive it and appear to render it
semi-correctly.  Word renders it as plain text.  IE faults in mshtml.dll
with the null-pointer behavior you specified earlier.  However, *WINDOWS
EXPLORER* crashes in a very much exploitable way with what appears to be
a call through an uninitialized function pointer.

You end up with a function pointer being pulled from random places, so
sometimes it's exploitable and sometimes it isn't, but it seems like
this exploit interacts very differently with the shell than it does with
IE proper.  Exploiting that may be a bit hard, because (to my
knowledge), there's no way to remotely launch the shell itself.  I will
keep researching this, but there's obviously something exploitable going
on here...

As such, I think the "Panic, but only slightly" assessment is very

Version: GnuPG v1.4.2 (MingW32)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3729 bytes
Desc: S/MIME Cryptographic Signature
Url :

Powered by blists - more mailing lists