Wednesday, October 15, 2008

Internet Explorer 6 componentFromPoint() remote memory disclosure and remote code execution

There is a bug in the Internet Explorer 6 JavaScript implementation that enables remote memory disclosure and remote code execution. The vulnerability is caused by an improper implementation of the componentFromPoint() method on the xml object.

The vulnerability

The vulnerability is triggered by the erroneous behaviour of the componentFromPoint() method when it is invoked on a newly created xml object.

Impact

This vulnerability can be used (trivially) to remotely disclose Internet Explorer's memory, or (less trivially) to achieve remote code execution, when a victim visits a specially crafted web page.

PoC

Due to the spread and the impact of the vulnerability, exploit details will be released at a later date, once everyone has had plenty of time to patch.

References

http://www.zerodayinitiative.com/advisories/ZDI-08-069/
http://www.microsoft.com/technet/security/bulletin/MS08-058.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3475

Wednesday, September 10, 2008

Windows GDI+ GIF memory corruption

There is a memory corruption vulnerability in the GIF file processing of Microsoft GDI+ that can be used to crash a vulnerable application and potentially to execute arbitrary code.

The vulnerability

The vulnerability is caused by improper handling of the graphic control extension when processing malformed GIF files. It can be triggered when a large number of extension markers (0x21, the extension introducer byte), each followed by an unknown extension label, is found while a GIF file is being processed.
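As an added example (not the page's own code, and not the vulnerable GDI+ decoder), here is a small Python walker over the GIF block structure that a file-scanning gateway or a fuzz-triage script could use to flag the pattern described above: a flood of extension introducers (0x21) carrying labels a decoder does not know. The parser, the set of "known" labels, the threshold of 16 and both sample files are constructed here for illustration and are assumptions, not anything taken from the advisory.

```python
"""Walk a GIF's block structure and count extension introducers whose label
is not one the GIF89a specification defines.  Added example: the known-label
set, the threshold and the sample files are constructed here (assumptions)."""
import struct
from dataclasses import dataclass, field

EXTENSION = 0x21         # extension introducer ("extension marker" in the advisory)
IMAGE_DESCRIPTOR = 0x2C  # image separator
TRAILER = 0x3B           # end of file
# Labels the GIF89a specification defines; anything else is "unknown" here.
KNOWN_LABELS = {0x01: "plain text", 0xF9: "graphic control",
                0xFE: "comment", 0xFF: "application"}


class GifError(ValueError):
    """Raised for structurally unparseable input (truncated, bad introducer)."""


@dataclass
class GifReport:
    width: int
    height: int
    images: int = 0
    extensions: int = 0
    unknown_labels: list = field(default_factory=list)


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of data sub-blocks (size byte + payload) up to and
    including the 0x00 block terminator; raise if the file ends first."""
    while True:
        if pos >= len(data):
            raise GifError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def parse_gif(data: bytes) -> GifReport:
    """Parse header, logical screen descriptor and every top-level block."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifError("not a GIF header")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                         # global colour table present
        pos += 3 * (2 << (packed & 0x07))     # 2^(N+1) RGB entries
    report = GifReport(width, height)
    while pos < len(data):
        introducer = data[pos]
        pos += 1
        if introducer == TRAILER:
            return report
        if introducer == EXTENSION:
            if pos >= len(data):
                raise GifError("extension introducer without label")
            label = data[pos]
            pos += 1
            report.extensions += 1
            if label not in KNOWN_LABELS:
                report.unknown_labels.append(label)
            pos = _skip_sub_blocks(data, pos)   # unknown or not, data is sub-blocks
        elif introducer == IMAGE_DESCRIPTOR:
            if pos + 9 > len(data):
                raise GifError("truncated image descriptor")
            ipacked = data[pos + 8]               # left, top, width, height, packed
            pos += 9
            if ipacked & 0x80:                    # local colour table present
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                              # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)     # compressed image data
            report.images += 1
        else:
            raise GifError(f"unknown block introducer 0x{introducer:02x} at {pos - 1}")
    raise GifError("missing trailer")


def is_suspicious(data: bytes, max_unknown: int = 16) -> bool:
    """Policy (an assumption): a well-formed GIF carries at most a handful of
    unknown-label extensions; a flood of them, or an unparseable file, is flagged."""
    try:
        report = parse_gif(data)
    except GifError:
        return True
    return len(report.unknown_labels) > max_unknown


# Constructed sample: the classic 1x1 GIF with a single graphic control extension.
BENIGN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"      # 1x1, global colour table of 2 entries
    + b"\x00\x00\x00\xff\xff\xff"                     # the two palette entries
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"             # graphic control extension (label 0xF9)
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00"                         # LZW min code size + one data sub-block
    + b"\x3b"                                         # trailer
)


def make_malformed_gif(count: int, label: int = 0x7F) -> bytes:
    """Constructed sample: header plus `count` extension introducers, each with an
    unknown label and an empty sub-block chain, i.e. the pattern in the advisory."""
    header = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"   # 1x1, no global colour table
    return header + bytes([EXTENSION, label, 0x00]) * count + bytes([TRAILER])


if __name__ == "__main__":
    print("benign:", parse_gif(BENIGN_GIF), is_suspicious(BENIGN_GIF))
    bad = make_malformed_gif(500)
    print("malformed:", parse_gif(bad).extensions, "extensions", is_suspicious(bad))
```

The walker deliberately treats an unknown label the way the specification says a decoder should (skip its sub-blocks and carry on), so it never has to trust the label to find the next block; the only thing it does with the label is count it. Truncated or otherwise unparseable input is reported as suspicious rather than as "clean", which is the safer default for a gateway sitting in front of a GDI+-backed viewer.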

Impact

This vulnerability can be used to corrupt the memory of any application that uses GDI+ to decode GIF files, when that application opens a malformed GIF file. This could lead to code execution with the privileges of the user running the vulnerable application.

References

http://www.zerodayinitiative.com/advisories/ZDI-08-056/
http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3013