SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE)
Vendors:   Microsoft
Microsoft Internet Explorer createTextRange() Memory Error Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015812
SecurityTracker URL:  http://securitytracker.com/id/1015812
CVE Reference:   CVE-2006-1359
Updated:  Mar 24 2006
Original Entry Date:  Mar 23 2006
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 6.0 and prior versions, 7 Beta 2
Description:   A vulnerability was reported in Microsoft Internet Explorer (IE) in 'mshtml.dll'. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger an invalid table pointer dereference and potentially execute arbitrary code.

The vulnerability can be triggered by the createTextRange() method.

Computer Terrorism (UK) reported this vulnerability. Joshua Heyer discovered this vulnerability.

A demonstration exploit (that causes the browser to crash) is available at:

http://www.shog9.com/crashIE.html

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
Solution:   No solution was available at the time of this entry.

The vendor has confirmed the vulnerability in the following advisory:

http://www.microsoft.com/technet/security/advisory/917077.mspx

The vendor indicates that, as a temporary workaround, you can disable Active Scripting.
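
Whether the workaround is actually in effect can be checked from the registry. The PowerShell below is an added example, not part of the advisory or the vendor's guidance; it assumes the standard per-zone URL action value 1400 (Active Scripting) under the Internet Settings\Zones keys, and the function names are hypothetical.

```powershell
# Added example (not from the advisory): audit the Active Scripting URL action
# (registry value 1400) in each Internet Explorer security zone.
# Data values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$States    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$Suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Roots     = @(
    "HKLM:\SOFTWARE\Policies\$Suffix",   # machine policy
    "HKCU:\Software\Policies\$Suffix",   # user policy
    "HKCU:\Software\$Suffix",            # user preference
    "HKLM:\SOFTWARE\$Suffix"             # machine default
)

function Get-ActiveScriptingSetting {
    # Emits one row for every location where value 1400 is explicitly set.
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        foreach ($root in $Roots) {
            $prop = Get-ItemProperty -Path "$root\$zone" -Name '1400' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }   # value not set at this location
            $raw   = [int]$prop.'1400'
            $state = $States[$raw]
            if ($null -eq $state) { $state = "Unknown ($raw)" }
            [pscustomobject]@{
                Zone = $ZoneNames[$zone]; Location = $root; Value = $raw; State = $state
            }
        }
    }
}

function Disable-ActiveScripting {
    # Sets the per-user preference for the untrusted zones only
    # (3 = Internet, 4 = Restricted sites), leaving trusted zones unchanged.
    param([int[]]$Zone = @(3, 4))
    foreach ($z in $Zone) {
        $key = "HKCU:\Software\$Suffix\$z"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
    }
}

$report = Get-ActiveScriptingSetting
$report | Format-Table -AutoSize
# Untrusted-zone entries where scripting is not disabled.
$report | Where-Object { $_.Zone -in 'Internet', 'Restricted sites' -and $_.State -ne 'Disabled' }
```

Values under the Policies keys are set by Group Policy; where one is present, change it there rather than through the per-user key that Disable-ActiveScripting writes.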

The vendor indicates that the new refresh of the IE7 Beta 2 Preview available on March 20, 2006 is not affected.

Vendor URL:  www.microsoft.com/technet/security/advisory/917077.mspx
Cause:   Access control error, State error
Underlying OS:   Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 11 2006 (Vendor Issues Fix) Microsoft Internet Explorer createTextRange() Memory Error Lets Remote Users Execute Arbitrary Code
Microsoft has issued a fix.



 Source Message Contents

Date:  Wed, 22 Mar 2006 15:33:26 -0000
Subject:  [Full-disclosure] Microsoft Internet Explorer (mshtml.dll) - Remote

Computer Terrorism  (UK) :: Incident Response Centre


Security Advisory :: CT22-03-2006
-------------------------------------------

Title:   Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution

Organisation:  Computer Terrorism (UK)
Web:   www.computerterrorism.com
Advisory Date:  22nd March, 2006


Affected Software:  Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity:    Critical
Impact:   Remote System Access
Solution Status:  ** UNPATCHED **


Overview:
-------------

Pursuant to the publication of the aforementioned bug/vulnerability, this 
document serves as a preliminary Security Advisory for users of Microsoft 
Internet Explorer version 6 and 7 Beta 2.
Successful exploitation will allow a remote attacker to execute arbitrary 
code against a fully patched Windows XP system, yielding system access with 
privileges of the underlying user.



Technical Narrative:
-------------------------

As per the publication, the bug originates from the use of a 
createTextRange() method, which, under certain circumstances, can lead to an 
invalid/corrupt table pointer dereference.
As a result, IE encounters an exception when trying to call a dereferenced 
32-bit address, as highlighted by the following snippet of code.

0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
..
0x7D53C166 CALL DWORD PTR [ECX]

Due to the incorrect reference, ECX points to a very remote, non-existent 
memory location, causing IE to crash (DoS).

However, although the location is somewhat distant, history dictates that a 
condition of this nature is conducive towards reliable exploitation.


Proof of Concept:
-----------------------

Computer Terrorism (UK) can confirm the production of reliable proof of 
concept (PoC) for this vulnerability (tested on Windows XP SP2).
However, until a patch is developed, we will NOT be publicly disclosing our 
research.


Temporary Solution:
-------------------------

Users are advised to disable active scripting for non-trusted sites until a 
patch is released.


Vendor Status:
--------------------

The Vendor has been informed of all aspects of this new vulnerability 
(including PoC), but as of the date of the document, this vulnerability is 
UNPATCHED.



Copyright 2014, SecurityGlobal.net LLC