Thread-topic: iDefense Security Advisory 06.13.06: Microsoft Internet Explorer ART File Heap Corruption Vulnerability
> -----Original Message-----
> From: labs-no-reply [mailto:labs-no-reply@xxxxxxxxxxxx]
> Sent: Tuesday, June 13, 2006 10:06 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: iDefense Security Advisory 06.13.06: Microsoft
> Internet Explorer ART File Heap Corruption Vulnerability
>
> Microsoft Internet Explorer ART File Heap Corruption Vulnerability
>
> iDefense Security Advisory 06.13.06
>
> June 13, 2006
>
> I. BACKGROUND
>
> Internet Explorer is the web browser included in Microsoft Corp.'s
> Windows products.
>
> II. DESCRIPTION
>
> Remote exploitation of a heap corruption vulnerability in Microsoft
> Corp.'s Internet Explorer allows attackers to execute arbitrary code.
>
>
> Internet Explorer supports Johnson-Grace compressed images, or .art
> files. Johnson-Grace developed this technology in 1991. In 1994,
> American Online Inc. began using the technology and, in 1996,
> purchased
> the company to secure rights to it. It is now licensed to
> Microsoft for
> usage in Internet Explorer by way of the jgdw400.dll
> dynamically linked
> library, which is copyrighted by AOL.
>
> The vulnerability specifically exists due to improper parsing of a
> malformed .art file during rendering. With a carefully crafted .art
> file, it is possible to overwrite portions of the heap with static
> values from a file independent table in memory. Although this
> typically
> would be somewhat limiting from an exploitation standpoint,
> in this case
> an attacker can utilize large images or JavaScript to fill the heap so
> that these static values reliably point into controlled
> regions. Because
> there are an abundance of function pointers on the heap that
> an attacker
> may smash, heap integrity checks are not effective in preventing
> exploitation.
>
> III. ANALYSIS
>
> Successful exploitation of this vulnerability allows attackers to
> execute arbitrary code with the privileges of the currently logged-on
> user. iDefense Labs analysis has shown that exploitation can be as
> reliable as 75 percent with the current exploitation method.
> Upon failed
> exploitation attempts, the system may become slow or
> unresponsive due to
> the method employed by the exploit to fill memory in order to
> facilitate
> an exploitable memory state.
>
> It should be noted that hardware data execution prevention (DEP) will
> prevent exploitation from occurring by the iDefense Labs-maintained
> exploit code. This is a result of the payload executing on the heap,
> which is marked writable and thus not executable.
>
> It should also be noted that the file does NOT need to have an .art
> extension to be rendered by the vulnerable library. Any
> extension can be
> used, provided the image is loaded via an IMG SRC tag in an HTML
> document in Internet Explorer.
>
> IV. DETECTION
>
> iDefense has confirmed that the following Microsoft products are
> affected in default configurations:
>
> Windows XP
> Windows XP SP1
> Windows XP SP2
> Windows 2003
> Windows 2003 SP1
>
> iDefense has confirmed that the following Microsoft products are
> affected when recommended Windows feature updates have been installed:
>
> Windows 2000 SP4
>
> To determine if a Windows 2000 system is affected, check for the
> existence of the file jgdw400.dll on the system. If the file
> exists, the
> system is affected.
>
> V. WORKAROUND
>
> iDefense has developed the following workaround, which has not
> demonstrated any impairment to the system in testing. However, as this
> is not a vendor-supplied workaround, it should be tested thoroughly
> before being applied to a production environment. Remove the following
> dynamically linked libraries from:
>
> C:\windows\system32\jgpl400.dll
> C:\windows\system32\jgdw400.dll
> C:\windows\system32\jgaw400.dll
> C:\windows\system32\jgsd400.dll
> C:\windows\system32\jgmd400.dll
> C:\windows\system32\jgsh400.dll
>
> This will effectively disable the viewing of all .ART files
> on the system.
>
> VI. VENDOR RESPONSE
>
> The vendor security advisory and appropriate patches are available at:
>
>
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CAN-2006-2378 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 02/07/2006 Initial vendor notification
> 02/07/2006 Initial vendor response
> 06/13/2006 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than
> electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any
> direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
>
