<p>Disclaimer:<br> The information in this email is distributed WITHOUT ANY WARRANTY, TO THE<br> EXTENT PERMITTED BY APPLICABLE LAW; without even the implied warranty of<br> CORRECTNESS or FITNESS FOR A PARTICULAR PURPOSE. You know the drill...
</p>
<p>Affected products:<br> Various COM objects when loaded in Microsoft Internet Explorer.</p>
<p>Extent:<br> DoS and remote arbitrary code execution.</p>
<p>Patches:<br> MS05-037 and MS05-038<br> See below for additional killbit.<br>Exploits:<br> Internet Exploiter 4 will not be released to the public in the near future.<br> Public exploits based on Internet Exploiter have been written by third
<br> parties for a number of affected objects. They are available on the net<br> from various sources.</p>
<p>Short description:<br> A number of issues have been reported lately by various sources about<br> Internet Explorer vulnerabilities in relation to specific COM objects.<br> Research has shown that the root cause is the fact that these COM objects
<br> are not designed to be loaded in IE at all. These objects therefore make<br> wrongful assumptions about the state of the process they are loaded into,<br> specifically about the contents of heap memory. This can be abused to
<br> uncover unwanted features, like the ability to run arbitrary code on a<br> victim's machine.<br> <br>Short History:<br> On June 24th 2002 <a href="mailto:'ken'@FTU">'ken'@FTU</a> reported a NULL-pointer exception in IE when
<br> loading a specific COM object. The object was mmsys.cpl which uses<br> clsid:{00022613-0000-0000-C000-000000000046}. The issue was discarded as<br> a low impact DoS.</p>
<p> On April 18th 2005, further research revealed that this was in fact a<br> problem with the COM object reusing previously freed memory without<br> initialising it. Part of the reused memory was used as a function pointer.
<br> Careful allocating and freeing of memory prior to loading the object<br> allowed remote code execution on Win2K. Internet Exploiter 4 was born.<br> (This vulnerability does NOT seem to be exploitable on WinXPSP2, as claimed
<br> by FrSIRT in their MS05-038 exploit)<br> On June 17th 2005, Bernhard Müller and Martin Eiszner found a similar issue<br> when loading javaprxy.dll and released their information to the public.<br> <br> On July 2nd, August 9th and August 17th 2005, FrSIRT released shamelessly
<br> ripped code that claims to exploit a number of these objects. While failing<br> to work on most occasions through lack of finesse, it does prove that even<br> script-kiddies can easily write exploits by copy-pasting my Internet
<br> Exploiter heap spraying code. It takes so little effort that it might<br> actually cost you more time to add proper credits to the original author<br> of the code.</p>
<p>Solution:<br> I've been working with the Internet Explorer team on short term and long<br> term solutions. The latest patch (MS05-038) will "killbit" a number of<br> objects that were found to have issues when loaded in IE. These killbits
<br> prevent exploits from loading these objects and abusing this vulnerability.</p>
<p> The latest exploit by FrSIRT targets "msdss.dll" with clsid <br> EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F, which is not killbitted by MS05-038.<br> I was unable to reproduce the vulnerability with version 7.10.3077.0 of the<br> dll; the object doesn't even crash. From what I've heard, everybody else<br> seems to be unaffected too, so maybe it's just a local .fr thing.<br> Just in case, here's a .reg file you can use to killbit this control:
<br> Create a new .txt file, copy+paste this into it, rename it to .reg, double<br> click it and say "yes, I want to add it to the registry."<br> !!! Lines may wrap, you might have to remove the extra line-breaks !!!
<br>---- cut here ----</p>
<pre>Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}]
"Compatibility Flags"=dword:00000400</pre>
<p>---- cut here ----<br> If you want to test if it works, here's a .html file that will show you:
<br> Create a new .txt file, copy+paste this into it, rename it to .html, double<br> click and it will tell you if you are safe (the object cannot be loaded)<br> or if you might be vulnerable to this attack (the object can be loaded):
<br>---- cut here ----</p>
<pre>&lt;OBJECT
 onreadystatechange="document.write('&lt;I&gt;Possibly&lt;/I&gt; Vulnerable...');"
 onerror="document.write('You should be safe!');"
 classid="clsid:{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}"
&gt;&lt;/OBJECT&gt;</pre>
<p>---- cut here ----<br> <br>Greets:<br> <a href="mailto:Paul@greyhats">Paul@greyhats</a>, <a href="mailto:st0ke@milworm">st0ke@milworm</a>, 0dd, 0x4553, l33tsecurity, NGS.<br> <br>Anti-Greets:<br>
FrSIRT (I thought I was special, turns out they rip off everybody's code!)<br> <br>Cheers,<br>SkyLined</p>
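<p>As an added example (not part of SkyLined's advisory), the PowerShell below checks whether the kill bit (Compatibility Flags 0x400) is set for a CLSID and sets it while preserving any other flags already present, which a plain .reg import overwrites; on 64-bit Windows it handles the Wow6432Node view that 32-bit IE reads as well. The CLSID is the msdss.dll one from the advisory; the function names are my own.</p>

```powershell
# Added example, not from the advisory: query and set the IE kill bit
# (Compatibility Flags 0x400, COMPAT_EVIL_DONT_LOAD) for a CLSID.
# Unlike the .reg file above, existing flag bits are kept (-bor), and on
# 64-bit Windows the Wow6432Node hive used by 32-bit IE is covered too.
# Setting the value requires an elevated prompt.
$KillBit = 0x400

function Get-KillBitPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        $flags = 0
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Path       = $path
            Flags      = ('0x{0:X8}' -f $flags)
            KillBitSet = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $current = 0
        $item = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [int]$item.'Compatibility Flags' }
        # OR the kill bit into whatever flags are already there.
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
}

# The msdss.dll control named in the advisory.
$Clsid = '{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}'
Get-KillBitState -Clsid $Clsid | Format-Table -AutoSize
# To apply the mitigation from an elevated prompt: Set-KillBit -Clsid $Clsid
```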