There is a bug in Internet Explorer 6 JavaScript implementation
enabling remote memory disclosure and remote code execution. The
vulnerability is caused by improper implementation of
componentFromPoint() method of xml object.
The vulnerability is triggered by errornous behavior of
componentFromPoint() method when invoked on a newly created xml
object.
########
#Impact#
########
This vulnerability can be used (trivially) to remotely disclose
Internet Explorer's memory when a victim visits a specially crafted
web page or (less trivially) to achieve remote code execution when a
victim visits a specially crafted web page.
#####
#PoC#
#####
Due to the spread and the impact of the vulnerability, exploiting
details will be released at a later date, once everyone has had plenty
of time to patch.
enabling remote memory disclosure and remote code execution. The
vulnerability is caused by improper implementation of
componentFromPoint() method of xml object.
###################
#The vulnerability#
###################
The vulnerability is triggered by errornous behavior of
componentFromPoint() method when invoked on a newly created xml
object.
########
#Impact#
########
This vulnerability can be used (trivially) to remotely disclose
Internet Explorer's memory when a victim visits a specially crafted
web page or (less trivially) to achieve remote code execution when a
victim visits a specially crafted web page.
#####
#PoC#
#####
Due to the spread and the impact of the vulnerability, exploiting
details will be released at a later date, once everyone has had plenty
of time to patch.
############
#References#
############
http://ifsec.blogspot.com/2008/10/internet-explorer-6-componentfrompoint
.html
http://www.zerodayinitiative.com/advisories/ZDI-08-069/
http://www.microsoft.com/technet/security/bulletin/MS08-058.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3475
[ reply ]