Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

MSIE (mshtml.dll) OBJECT tag vulnerability revealed

From: <mephistodreaming () hush com>
Date: Wed, 03 May 2006 23:43:14 -0500
Greetings Full Disclosure.

I am surprised that nobody has yet understood the Internet Explorer 
vulnerability, to the extent that at last I have arrived upon the 
decision to impart my knowledge. The next paragraphs will describe 
the vulnerability in full. N. B. These facts have been known in 
subtler circles from the beginning.

All have witnessed the NULL dereference but this has been the 
extent of investigation to this day. The condition is caused in 
CStyleSheet::ChangeStatus by lacking a check of the return status 
of CStyleSheetArray::AddStyleSheet inside CStyleElement::Notify. As 
such, a CStyleSheet is provided to CStyleSheet::ChangeStatus 
wherein the pointer at CStyleSheet+0x28 retains NULL. This is 
caused by a restriction inherent within 
CStyleSheetArray::AddStyleSheet whereby an excess of 31 
CStyleSheets are added to a CStyleSheetArray. The importance of 
OBJECT tags is minor but here it causes CStyleSheets in excess of 
31 (corresponding to STYLE tags nested within an OBJECT) to be 
added and fail. Doubtlessly the intrepid reader will become aware 
of tags besides OBJECT that produce likewise behaviour.

Exploitation ensues when the NULL pointer is accessed within the 
confines of exception handling. High in the lofty call stack 
CElement::Inject has instantiated a class instance of 
CMarkupPointer that will become conjoined to the document state 
preceeding the NULL pointer. Higher still is the exception handler 
to which the stack will regress upon the fault. As such, this 
CMarkupPointer becomes then undefined, however it will be used 
again (by CMarkupPointer::SetMarkup) after it is awash in the data 
of later procedure calls that come and have gone. I leave it as an 
exercise to the reader to achieve exception handling. One has 
mentioned the Explorer process and therein he is correct though be 
it a lesser example. The capable reader too can reliably expose a 
data borne vector of instilling the memory of the eradicated 
CMarkupPointer.

More knowledge will proceed if nobody proves fit to bear the torch.
-MD



Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: