[<prev] [next>] [day] [month] [year] [list]
Message-ID: <009a01c95a56$6d26b3b0$47741b10$@moore@insomniasec.com>
Date: Wed, 10 Dec 2008 12:32:33 +1300
From: "Brett Moore" <brett.moore@...omniasec.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Insomnia : ISVA-081209.1 - IE Webdav Request
Parsing Heap Corruption Vulnerability
__________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-081209.1
___________________________________________________________________
Name: IE Webdav Request Parsing Heap Corruption Vulnerability
Released: 09 December 2008
Vendor Link:
http://www.microsoft.com/
Affected Products:
Microsoft Internet Explorer 7 Running On Vista
Requires Office 2007
Original Advisory:
http://www.insomniasec.com/advisories/ISVA-081209.1.htm
Researcher:
Brett Moore, Insomnia Security
http://www.insomniasec.com
___________________________________________________________________
_______________
Description
_______________
A vulnerability was found in the way that webdav requests are
cached and then later retrieved by Internet Explorer. This results
in the use of uninitialized memory which under the right situation
can lead to command execution.
_______________
Details
_______________
When Internet Explorer loads a file from a webdav share, a copy of
the file is stored in
\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV
This copy is used as the cached version of the file, and is loaded
if a page refresh is done.
If the size of the requested file is larger that 190 characters then
the webdav handling service will not save it correctly.
Internet Explorer assumes that the file was stored, and is cached, so
when a refresh is done it attempts to load the file information from
the cached data.
This leads to a heap corruption with various values read that lead
to exploitable conditions.
_______________
Solution
_______________
Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx
_______________
Legals
_______________
The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.
___________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-081209.1
___________________________________________________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists