SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
Microsoft Internet Explorer 'file://' URL Processing Flaw Lets Remote Users Damage the Registry
SecurityTracker Alert ID:  1010092
SecurityTracker URL:  http://securitytracker.com/id/1010092
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 7 2004
Impact:   Denial of service via network, Modification of system information
Exploit Included:  Yes  
Version(s): Tested on 6.0.2800
Description:   A denial of service vulnerability was reported in Microsoft Internet Explorer. A remote user can create HTML that will overwrite portions of the target user's registry.

Emmanouel Kellinis reported that a remote user can create HTML with a specially crafted onLoad handler and window.location redirect to trigger the flaw. If the redirect invokes a 'file://' URL with an arbitrary drive name specified in hexadecimal format, then IE will reportedly overwrite the ECX, EDX, and EDI registers with user-supplied information. As a result, IE will overwrite the registry, the report said.

The vendor has reportedly been notified.

Impact:   A remote user can create HTML that, when loaded by the target user, will cause the target user's registry to be partially overwritten.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error, Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Remote DoS IE Memory Access Violation


#########################################
Application:    Internet Explorer
Vendors:        http://www.microsoft.com
Version:        6.0.2800
Platforms:      Windows
Bug:            IE and MSN Messenger
                Memory_Access_Violation
Risk:           Critical
Exploitation:   Remote with browser
Date:           07 May 2004
Author:         Emmanouel Kellinis
e-mail:         me@cipher(dot)org(dot)uk
web:            http://www.cipher.org.uk
List:           BugTraq(SecurityFocus)
#########################################


=======
Product
=======
A popular Web browser, created by Microsoft,
used to view pages on the World Wide Web.

===
Bug
===

Using the onLoad and window.location methods we can direct
Internet Explorer to open a specific connection, file
or webpage during the loading of, let's say, the <body> of our HTML
code.
*(onLoad can be applied to almost any tag.)

If we want to redirect the page to a file local to the user/visitor,
we use file://c:\filename. Now, instead of using a valid
drive name, we pass an arbitrary drive name using hexadecimal values,

e.g. \xff:\filename, or we can pass hex values instead of a filename as well.

This abnormality overwrites 3 registers: ECX, EDX and EDI. When we use
the abnormal drive name we control the first 16 bits of EDX and EDI.

When the webpage with the malicious code loads, the three registers
are overwritten and the impact of that is to corrupt the registry
with IE entries.

The association of html/htm pages with Internet Explorer does not work
and no IE shortcut loads. Instead there is an error
popup saying: You can't access this file, path, drive. Permission
Denied. Note that you don't have access to the temp directory as well.

MSN Messenger is affected by the Memory Access Violation and
crashes immediately after you log in (sometimes the problem is fixed
after restarting).


Because of the nature of onLoad inside HTML tags, there is a
possibility that firewalls won't detect it as JavaScript and will
let it load. (Mine didn't.)

=====================
Proof Of Concept Code
=====================
Can be constructed out of the previous statements.
Proof of concept posted to vendor.





=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================
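The report above describes the trigger shape (a window.location redirect, typically from an onLoad handler, to a file:// URL whose drive component is hex-escaped rather than a drive letter). As an added example that is not part of the advisory or the author's post, the following content filter, of the kind a web proxy or mail gateway could run over HTML before it reaches a browser, flags file:// redirects whose drive spec is not a single ASCII letter and records whether the redirect sits inside an on* event-handler attribute. The HTML snippets are constructed for the example.

```python
import re

# A window.location assignment, or .assign()/.replace() call, whose target is a
# file:// URL. The drive component is everything between "file://" (with an
# optional leading "/", as in file:///C:/...) and the next ":".
_REDIRECT_RE = re.compile(
    r"""(?:window\.location(?:\.href)?\s*=|window\.location\.(?:assign|replace)\s*\()"""
    r"""\s*["']file://\/?(?P<drive>[^:"']{0,16}):""",
    re.IGNORECASE,
)
# A legitimate Windows drive spec is exactly one ASCII letter.
_VALID_DRIVE_RE = re.compile(r"^[A-Za-z]$")
# Hex-escaped (\xff) or percent-encoded (%FF) bytes in the drive position,
# the form the report describes.
_ENCODED_RE = re.compile(r"\\x[0-9a-f]{2}|%[0-9a-f]{2}", re.IGNORECASE)
# True when the text before the match opens an on* attribute whose closing
# quote has not appeared yet, i.e. the redirect lives in an event handler.
_HANDLER_OPEN_RE = re.compile(r"""\bon\w+\s*=\s*(?:"[^"]*|'[^']*)$""", re.IGNORECASE)


def find_suspicious_file_redirects(html: str) -> list[dict]:
    """Return one finding per file:// redirect whose drive spec is not a plain letter."""
    findings = []
    for m in _REDIRECT_RE.finditer(html):
        drive = m.group("drive")
        if _VALID_DRIVE_RE.match(drive):
            continue  # e.g. file://C:\... is an ordinary local file reference
        findings.append({
            "offset": m.start(),
            "drive": drive,
            "encoded": bool(_ENCODED_RE.search(drive)),
            "in_onload": bool(_HANDLER_OPEN_RE.search(html[: m.start()])),
        })
    return findings


# Constructed sample documents (not taken from the report).
SAMPLES = {
    "benign_letter_drive": r'''<body onload="window.location='file://C:\readme.txt'">''',
    "hex_drive_in_onload": r'''<body onload="window.location='file://\xff:\filename'">''',
    "percent_drive_in_script": r'''<script>window.location.replace("file://%FF:%41%41")</script>''',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, find_suspicious_file_redirects(doc))
```

The filter only recognises the direct assignment and assign/replace forms; obfuscated JavaScript that builds the URL at runtime needs script-level inspection rather than a regex.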



Copyright 2020, SecurityGlobal.net LLC