Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution
2006-03-29 10:54
From: advisories@xxxxxxxxxxxxxxxxxxxxx
Date: 22 Mar 2006 16:19:54 -0000
Computer Terrorism (UK) :: Incident Response Centre
======================================
Security Advisory :: CT22-03-2006
-------------------------------------------
Title: Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution
Organisation: Computer Terrorism (UK)
Web: www.computerterrorism.com
Advisory Date: 22nd March, 2006
Affected Software: Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity: Critical
Impact: Remote System Access
Solution Status: ** UNPATCHED **
Overview:
-------------
Following the public disclosure of the bug referred to in the title, this document serves as a preliminary security advisory for users of Microsoft Internet Explorer 6 and IE7 Beta 2.
Successful exploitation allows a remote attacker to execute arbitrary code on a fully patched Windows XP system, yielding access with the privileges of the logged-on user.
Technical Narrative:
-------------------------
As described in the public report, the bug originates from a call to the createTextRange() method which, under certain circumstances, leaves IE holding a pointer to an object whose first dword, a table pointer (the instruction sequence matches a C++ virtual-function table call), is invalid or corrupt.
IE then raises an exception when it dereferences that pointer and calls through the 32-bit address it finds, as the following disassembly snippet shows (EDI holds the object pointer, its first dword is loaded into ECX and treated as the address of a function-pointer table):
0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]   ; ECX = first dword of the object, i.e. the table pointer
..
0x7D53C166 CALL DWORD PTR [ECX]          ; call the function whose address is stored at table[0]
Because the table pointer is wrong, ECX holds an address far from any mapped memory, the CALL faults on an unmapped page, and IE crashes (DoS). However, although that address is currently unmapped, a crash of this shape (an indirect call through a pointer read from memory the attacker can influence) has historically proved conducive to reliable exploitation: if the attacker can arrange for the memory EDI refers to to contain chosen data (for example by heap spraying), both the table pointer and the call target become attacker-controlled.
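The following C program is an added model of the dispatch pattern in the disassembly above; it is not code from the advisory or from MSHTML, and the names (Element, element_vtable, dispatch_first_method, attacker_payload) are illustrative. It shows why the two instructions matter: the same dispatch routine calls the real method on a live object, but calls an attacker-chosen function when the object pointer refers to memory the attacker has filled, which is the condition the narrative describes. It runs on a 64-bit host, so pointer widths differ from the 32-bit IE case, but the mechanism is identical.

```c
/* Added example: a model of "MOV ECX,[EDI]; CALL [ECX]" virtual-call dispatch
 * and of what control over the object's memory buys an attacker.
 * Illustrative names only; not MSHTML's real object layout. */
#include <stdio.h>
#include <string.h>

typedef int (*method_t)(void *self);

/* Layout a C++ compiler emits for a class with virtual methods:
 * the first word is the pointer to the function table, fields follow. */
typedef struct {
    const method_t *vtable;
    int value;
} Element;

static int element_get_value(void *self) { return ((Element *)self)->value; }
static const method_t element_vtable[] = { element_get_value };

/* The function the attacker wants executed instead of the real method. */
static int attacker_payload(void *self) { (void)self; return 0x41414141; }

/* The two instructions from the advisory, written in C.
 * edi: object pointer. ecx: table pointer read from the object's first word. */
static int dispatch_first_method(void *edi) {
    const method_t *ecx = *(const method_t **)edi;   /* MOV ECX, DWORD PTR [EDI] */
    return ecx[0](edi);                              /* CALL DWORD PTR [ECX]     */
}

/* Case 1: a live, intact object. Dispatch reaches the genuine method. */
int call_live_object(void) {
    Element e = { element_vtable, 42 };
    return dispatch_first_method(&e);
}

/* Case 2: the object pointer refers to memory whose contents the attacker
 * chose (in IE this would be sprayed heap; here it is a local buffer).
 * The attacker writes a forged table pointer as the first word, pointing
 * at a table whose slot 0 holds the payload. The unchanged dispatch code
 * then calls the payload: the indirect call has become attacker-controlled. */
int call_hijacked_object(void) {
    method_t fake_vtable[1] = { attacker_payload };
    union {                                  /* union keeps the buffer pointer-aligned */
        unsigned char raw[sizeof(Element)];
        void *align;
    } fake_object;
    const method_t *forged_vptr = fake_vtable;
    memset(fake_object.raw, 0, sizeof fake_object.raw);
    memcpy(fake_object.raw, &forged_vptr, sizeof forged_vptr);   /* forge the first word */
    return dispatch_first_method(fake_object.raw);
}

int main(void) {
    printf("live object     -> %d\n", call_live_object());
    printf("hijacked object -> 0x%x\n", call_hijacked_object());
    return 0;
}
```

The crash the advisory observed is the intermediate state between the two cases: the table pointer is garbage, so the CALL faults. Exploitation consists of replacing that garbage with a pointer into memory the attacker controls, at which point case 2 applies and the faulting CALL becomes a jump to chosen code.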
Proof of Concept:
-----------------------
Computer Terrorism (UK) can confirm the production of reliable proof of concept (PoC) for this vulnerability (tested on Windows XP SP2). However, until a patch is developed, we will NOT be publicly disclosing our research.
Temporary Solution:
-------------------------
Users are advised to disable active scripting for sites that are not trusted until a patch is released (in Internet Explorer: Tools > Internet Options > Security, select the Internet zone, click Custom level, and set Scripting > Active scripting to Disable or Prompt; leave it enabled only in the Trusted sites zone for sites that require it).
Vendor Status:
--------------------
The vendor has been informed of all aspects of this new vulnerability (including the PoC), but as of the date of this document the vulnerability is UNPATCHED.