Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution




Computer Terrorism (UK) :: Incident Response Centre
======================================


Security Advisory :: CT22-03-2006
-------------------------------------------


Title: Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution

Organisation: Computer Terrorism (UK)
Web: www.computerterrorism.com
Advisory Date: 22nd March, 2006


Affected Software: Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity: Critical
Impact: Remote System Access
Solution Status: ** UNPATCHED **


Overview:
-------------

Following the public disclosure of the bug/vulnerability named above, this document serves as a preliminary Security Advisory for users of Microsoft Internet Explorer 6 and 7 Beta 2.

Successful exploitation allows a remote attacker to execute arbitrary code on a fully patched Windows XP system, yielding system access with the privileges of the user running Internet Explorer.



Technical Narrative:
-------------------------

As per the publication, the bug originates in the createTextRange() method which, under certain circumstances, leads to the dereference of an invalid/corrupt virtual function table (vtable) pointer.

As a result, IE raises an exception when it calls through the dereferenced 32-bit address, as highlighted by the following snippet of code (disassembly from mshtml.dll):

0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]   ; EDI = object pointer, ECX = its vtable pointer
..
0x7D53C166 CALL DWORD PTR [ECX]          ; call the first entry of that vtable

Because of the corrupt reference, the DWORD loaded from [EDI] into ECX is a very remote, non-existent memory location, so the CALL DWORD PTR [ECX] faults and IE crashes (DoS). However, although the location is somewhat distant, an attacker who can arrange for controlled data to be mapped at that address also controls the function pointer that CALL [ECX] reads, and history shows that a condition of this nature is conducive to reliable exploitation.


Proof of Concept:
-----------------------

Computer Terrorism (UK) can confirm that a reliable proof of concept (PoC) has been produced for this vulnerability (tested on Windows XP SP2). However, until a patch is available, we will NOT be publicly disclosing our research.



Temporary Solution:
-------------------------

Users are advised to disable Active Scripting for non-trusted sites until a patch is released. In Internet Explorer this is set under Tools > Internet Options > Security > Internet zone > Custom Level > Active scripting > Disable; sites that genuinely require script can be added to the Trusted sites zone, where scripting remains enabled. Note that this only prevents the bug from being triggered by script on untrusted pages; it does not correct the underlying flaw in mshtml.dll.


Vendor Status:
--------------------

The vendor has been informed of all aspects of this new vulnerability (including the PoC), but as of the date of this document the vulnerability remains UNPATCHED.


