lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200604240340.k3O3eRCh076495@mailserver2.hushmail.com>
Date: Mon Apr 24 04:40:37 2006
From: 0x80 at hush.ai (0x80@...h.ai)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability

OH NOES!

Paul Nickerson doesn't approve.  Who the fuck is Paul Nickerson?  
Better yet who cares.




On Sun, 23 Apr 2006 17:34:02 -0700 Paul Nickerson 
<pvnick@...il.com> wrote:
>Confirmed on IE 7 beta 2 on Windows XP SP2
>
>For the record, I don't approve of your disclosure practices, Mr. 
>Zalewski,
>but good work none-the-less.
>
>Paul
>
>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk
>[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of 
>Ben Lambrey
>Sent: Sunday, April 23, 2006 12:17 PM
>To: full-disclosure@...ts.grok.org.uk
>Subject: Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag 
>vulnerability
>
>On Sunday 23 April 2006 01:30, Michal Zalewski wrote:
>> Perhaps not surprisingly, there appears to be a vulnerability in 

>how
>> Microsoft Internet Explorer handles (or fails to handle) certain
>> combinations of nested OBJECT tags. This was tested with MSIE
>> 6.0.2900.2180.xpsp.040806-1825 and mshtml.dll 6.00.2900.2873
>> xpsp_sp2_gdr.060322-1613.
>>
>> At first sight, this vulnerability may offer a remote compromise 

>vector,
>> although not necessarily a reliable one. The error is convoluted 

>and
>> difficult to debug in absence of sources; as such, I cannot 
>offer a
>> definitive attack scenario, nor rule out that my initial 
>diagnosis will be
>> proved wrong [*]. As such, panic, but only slightly.
>>
>> Probably the easiest way to trigger the problem is as follows:
>>
>>   perl -e '{print "<STYLE></STYLE>\n<OBJECT>\nBork\n"x32}' 
>>test.html
>>
>> ...this will (usually) cause a NULL pointer + fixed offset 
>(eax+0x28)
>> dereference in mshtml.dll, the pointer being read from allocated 

>but still
>> zeroed memory region.
>>
>> The aforementioned condition is not exploitable, but padding the 

>page with
>> preceeding OBJECT tag (and other tags), increasing the number of 

>nested
>> OBJECTs, and most importantly, adding bogus 'type=' parameters 
>of various
>> length to the final sequence of OBJECTs, will cause that 
>dereference to
>> become non-NULL on many installations; then, a range of other 
>interesting
>> faults should ensue, including dereferences of variable bogus 
>addresses
>> close to stack, or crashes later on, when the page is reloaded 
>or closed.
>>
>> [ In absence of sources, I do not understand the precise 
>underlying
>>   mechanics of the bug, and I am not inclined to spend hours 
>with a
>>   debugger to find out. I'm simply judging by the symptoms, but 
>these
>>   seem to be indicative of an exploitable flaw. ]
>>
>> Several examples of pages that cause distinct faults in my setup 

>(your
>> mileage may and probably WILL vary; on three test machines, this 

>worked as
>> described; on one, all examples behaved in non-exploitable 0x28 
>way):
>>
>>   http://lcamtuf.coredump.cx/iedie2-1.html (eax=0x0, instant 
>dereference)
>>   http://lcamtuf.coredump.cx/iedie2-2.html (bogus esi on 
>reload/leave)
>>   http://lcamtuf.coredump.cx/iedie2-3.html (page fault on 
>browser close)
>>   http://lcamtuf.coredump.cx/iedie2-4.html (bogus esi on 
>reload/leave)
>>
>> Well, that's it. Feel free to research this further. This 
>vulnerability,
>> as requested by customers, is released in strict observance of 
>the Patch
>> Wednesday & Bug Saturday policy.
>
>IE 6 on Windows 2003+SP1 also crashes.
>
>IE version: 6.0.3790.1830
>mshtml.dll version 6.0.3790.2666
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
>-- 
>No virus found in this incoming message.
>Checked by AVG Free Edition.
>Version: 7.1.385 / Virus Database: 268.4.5/322 - Release Date: 
>4/22/2006
> 
>
>-- 
>No virus found in this outgoing message.
>Checked by AVG Free Edition.
>Version: 7.1.385 / Virus Database: 268.4.5/322 - Release Date: 
>4/22/2006
> 
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/



Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ