Full Disclosure mailing list archives
Re: MSIE (mshtml.dll) OBJECT tag vulnerability
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Sat, 22 Apr 2006 20:13:54 -0500
Michal Zalewski wrote:

> Perhaps not surprisingly, there appears to be a vulnerability in how Microsoft Internet Explorer handles (or fails to handle) certain combinations of nested OBJECT tags. This was tested with MSIE 6.0.2900.2180.xpsp.040806-1825 and mshtml.dll 6.00.2900.2873 xpsp_sp2_gdr.060322-1613.
>
> At first sight, this vulnerability may offer a remote compromise vector, although not necessarily a reliable one. The error is convoluted and difficult to debug in absence of sources; as such, I cannot offer a definitive attack scenario, nor rule out that my initial diagnosis will be proved wrong [*]. As such, panic, but only slightly.
On my XP SP2 box, your fourth example produces bizarre results. FrontPage and Visual Studio survive it and appear to render it semi-correctly. Word renders it as plain text. IE faults in mshtml.dll with the null-pointer behavior you specified earlier.

However, *WINDOWS EXPLORER* crashes in a very much exploitable way with what appears to be a call through an uninitialized function pointer. You end up with a function pointer being pulled from random places, so sometimes it's exploitable and sometimes it isn't, but it seems like this exploit interacts very differently with the shell than it does with IE proper.

Exploiting that may be a bit hard, because (to my knowledge), there's no way to remotely launch the shell itself. I will keep researching this, but there's obviously something exploitable going on here... As such, I think the "Panic, but only slightly" assessment is very reasonable.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 22)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Matthew Murphy (Apr 22)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Ben Lambrey (Apr 23)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Paul Nickerson (Apr 23)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability KF (lists) (Apr 23)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Michal Zalewski (Apr 24)
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability Paul Nickerson (Apr 23)
- <Possible follow-ups>
- RE: MSIE (mshtml.dll) OBJECT tag vulnerability 0x80 (Apr 23)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability ipatches (Apr 24)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 24)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Dave "No, not that one" Korn (Apr 25)
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability Valdis . Kletnieks (Apr 25)
- Re: Re: MSIE (mshtml.dll) OBJECT tag vulnerability Raoul Nakhmanson-Kulish (Apr 25)
- Re: MSIE (mshtml.dll) OBJECT tag vulnerability Sol Invictus (Apr 24)