BeesTea (Network Janitor; Premium, VIP; join: 2003-03-08)
MS IE "window()" Code Execution Vulnerability

said by www.frsirt.com/english/advisories/2005/2509:

Advisory ID: FrSIRT/ADV-2005-2509
CVE ID: CVE-2005-1790
Rated as: Critical
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Date: 2005-11-21

Technical Description
A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to the JavaScript "window()" object and the "body onload" tag, which could be exploited by remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page. This vulnerability has been confirmed on Windows XP SP2 with Internet Explorer 6 (fully patched).

Exploits
www.frsirt.com/exploits/20051121···0day.php

Affected Products
Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP2
Microsoft Internet Explorer 6 for Microsoft Windows XP SP1
Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4

Solution
The FrSIRT is not aware of any officially supplied patch for this issue. Disable Active Scripting in Internet Explorer:
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Security tab, click Custom Level.
4. In the Settings box, click Disable under Active scripting.
5. Click OK, and then click OK.

References
www.frsirt.com/english/advisories/2005/2509
www.frsirt.com/english/reference/1111

Credits
Vulnerability originally reported by Benjamin Tobias Franz and exploited by Stuart Pearson

ChangeLog
2005-11-21: Original Advisory

-- Captain of the ATU Tux Racer Clan.
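The advisory's workaround walks through the Internet Options dialog by hand. The script below is an added example (not from the thread or the FrSIRT advisory) that audits and, on request, applies the same "Active scripting" setting per security zone from PowerShell, so the state can be checked on many machines instead of clicked through once. It relies on Microsoft's documented Internet Settings registry layout: zones 0-4 under HKCU\...\Internet Settings\Zones, URL action 1400 for Active scripting, and the values 0 = Enable, 1 = Prompt, 3 = Disable. The function names are this example's own.

```powershell
# Added example: audit/set IE "Active scripting" (URL action 1400) per zone.
# Zone numbers and the 1400 action value are Microsoft's documented
# Internet Settings registry layout; these are not identifiers from the thread.
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ZonesKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-IEActiveScripting {
    # Returns one object per zone describing the current Active scripting setting.
    foreach ($zone in 0..4) {
        $key   = Join-Path $ZonesKey $zone
        $value = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
        $label = if ($null -eq $value) { 'not set (zone default)' }
                 elseif ($ActionNames.ContainsKey([int]$value)) { $ActionNames[[int]$value] }
                 else { "unknown value $value" }
        [pscustomobject]@{ Zone = $zone; Name = $ZoneNames[$zone]; ActiveScripting = $label }
    }
}

function Set-IEActiveScripting {
    # Sets Active scripting for one zone. The advisory's workaround is
    # the Internet zone (3) set to Disable; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Prompt', 'Disable')][string]$Action
    )
    $data = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Action]
    $key  = Join-Path $ZonesKey $Zone
    if ($PSCmdlet.ShouldProcess("$($ZoneNames[$Zone]) zone", "Set Active scripting to $Action")) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name '1400' -Value $data -Type DWord
    }
}

# Show the state before, apply the advisory's workaround to the Internet zone, show after.
Get-IEActiveScripting | Format-Table -AutoSize
Set-IEActiveScripting -Zone 3 -Action Disable
Get-IEActiveScripting | Format-Table -AutoSize
```

Per-user settings under HKCU are what the Internet Options dialog edits; where Group Policy enforces machine-wide zone settings (the Security_HKLM_only policy), the effective values live under HKLM instead and this per-user audit will not reflect them.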
Cudni (La Merma - Vigilado; Premium, MVM; join: 2003-12-20, Someshire)
Thanks!
Cudni
ksw_92 (join: 2001-05-13, La Verne, CA), reply to BeesTea
It's up in the SANS diary page as well: isc.sans.org/diary.php?storyid=874
Tuulilapsi (Kenosis; join: 2002-07-29, Finland), reply to BeesTea
This must be something like JavaScript vulnerability #98 992. Turning the whole thing off, no matter what your browser, certainly seems like a good precaution.
-- Want security? Run as limited user.
Cudni (La Merma - Vigilado; Premium, MVM; join: 2003-12-20, Someshire), reply to BeesTea
From the SANS link: ".. Mitigation: Turn off javascript, ..." as additional advice to be added to the first. But we all have Java, JavaScript, and ActiveX disabled in all zones except the Trusted one anyway now, don't we?
Cudni
-- .. ....nothing but a well informed optimist. Help yourself so God can help you
pandora (Premium; join: 2001-06-01, Outland), reply to BeesTea
It's stuff like this with IE and Firefox which pushed me to Opera, and I've never looked back. There seems to be a new critical bug every week between Microsoft and Mozilla.
-- "People demand freedom of speech as a compensation for the freedom of thought which they seldom use."
Cudni (La Merma - Vigilado; Premium, MVM; join: 2003-12-20, Someshire)
Alas, no magic bullet, no magic browser; only a clever user can help mitigate vulnerabilities.
Cudni
-- .. ....nothing but a well informed optimist. Help yourself so God can help you
redxii (too big to fail; Premium, Mod; join: 2001-02-26, Texas), reply to BeesTea
Cool, so there is exploit code already available that I can copy and paste into a webpage and exploit people who don't patch?
Even though the PoC isn't meant for Firefox, IE and FF get pretty much the same result and both become unresponsive. Neither launches calc.exe.
Of course if it did affect FF too, it would be purposely hidden in their Bugzilla database...
-- Microsoft Windows 2000/XP Security: Some Assembly Required.
BeesTea (Network Janitor; Premium, VIP; join: 2003-03-08)
said by redxii: Of course if it did affect FF too, it would be purposely hidden in their Bugzilla database...
As opposed to being on the front page of their site like Microsoft, right?
-- Captain of the ATU Tux Racer Clan.
redxii (too big to fail; Premium, Mod; join: 2001-02-26, Texas)
"This is a security problem that should be kept confidential until addressed (see the mozilla.org security policy for more details)." in the Bugzilla form. "not to post descriptions of exploits in public forums like newsgroups, and..."
-- Microsoft Windows 2000/XP Security: Some Assembly Required.
Cudni (La Merma - Vigilado; Premium, MVM; join: 2003-12-20, Someshire)
Doesn't MS, or Oracle or Cisco or... ask for the same? www.microsoft.com/technet/securi···icy.mspx
Cudni
-- .. ....nothing but a well informed optimist. Help yourself so God can help you
BeesTea (Network Janitor; Premium, VIP; join: 2003-03-08), reply to redxii
And.. Microsoft is different how?
You're going to need to come up with better ammo to bash Mozilla with than that, sorry.
-- Captain of the ATU Tux Racer Clan.
redxii (too big to fail; Premium, Mod; join: 2001-02-26, Texas)
I'm not bashing Mozilla, I'm just surprised how fast people come out with MS exploit code but somehow for others it seems to be more contained.
-- Microsoft Windows 2000/XP Security: Some Assembly Required.
SvS (join: 2001-04-15, Germany), reply to redxii
said by redxii: Even though the PoC isn't meant for Firefox, IE and FF get pretty much the same result and both become unresponsive. Neither launches calc.exe.
Before this thread gets filled up with the usual Microsoft vs. Mozilla bla bla and which product may be best in stopping exploits like this, was anyone actually able to make the PoC code work?
redxii (too big to fail; Premium, Mod; join: 2001-02-26, Texas)
said by SvS: which product may be best in stopping exploits like this
One incapable of scripting, only viewing static HTML.
-- Microsoft Windows 2000/XP Security: Some Assembly Required.
pog (Premium; join: 2004-06-03, Kihei, HI)
said by redxii: said by SvS: which product may be best in stopping exploits like this
One incapable of scripting, only viewing static HTML.
Without scripting these days, my guess is that half the websites I discover on a daily basis would not function... heh... half of these weren't worth visiting in the first place, but still, I don't think the average person will think disabling scripting is a viable option.
matunga (join: 2003-07-26)
JavaScript prompt box is blocked by IE6 SP2 with pop-up blocker level set to high.
Cudni (La Merma - Vigilado; Premium, MVM; join: 2003-12-20, Someshire), reply to pog
The average person doesn't have to disable scripting everywhere but needs to be more discerning about where scripting is allowed.
Cudni
-- .. ....nothing but a well informed optimist. Help yourself so God can help you
prana (join: 2005-03-22, Australia)
I am interested to know if this exploit has worked for anyone? I received a segmentation fault with error c0000005, so there is definitely an underlying issue. However, instead of ECX getting the address of the OBJECT, EAX had the addr and EIP was pointed to NULL.
quote:
00231A6C 5B 00 6F 00 62 00 6A 00 65 00 63 00 74 00 5D 00 [.o.b.j.e.c.t.].
00231A7C 00 00 ...
Please post your results if you bothered to test, and your browser settings.
hpguru (Curb Your Dogma; Premium; join: 2002-04-12)
said by prana: I am interested to know if this exploit has worked for anyone? I received a segmentation fault with error c0000005, so there is definitely an underlying issue. However, instead of ECX getting the address of the OBJECT, EAX had the addr and EIP was pointed to NULL.
quote:
00231A6C 5B 00 6F 00 62 00 6A 00 65 00 63 00 74 00 5D 00 [.o.b.j.e.c.t.].
00231A7C 00 00 ...
Please post your results if you bothered to test, and your browser settings.
I've not messed with it for very long, but I haven't been able to get it to work. I cleaned up some obvious errors which resulted from the way it was posted and subsequently copied and pasted by me, but it still doesn't work. I get the JS error "'document.getElementById(...).rows.7.cells' is null or not an object." Must be something I missed. I'll keep playing with it as I find the time.
Oh yeah! I'm Feeling Careless.
-- Get hpHOSTS! Member ASAP. The Bush Era is over. The Bush Error is not.