Tuesday, March 28, 2006

Microsoft IE mshtml.dll Multiple Script Action Handler Overflow

OSVDB ID: 23964
Disclosure Date: Mar 16, 2006

Description:

A remote overflow exists in Microsoft Internet Explorer. The product fails to properly check bounds when handling HTML tags with multiple event handlers, resulting in a buffer overflow. With a specially crafted HTML document, an attacker can cause affected web browsers to crash or can achieve remote code execution, resulting in a loss of integrity and/or availability.

Vulnerability Classification:
Remote/Network Access Required
Denial Of Service Attack
Input Manipulation
Loss Of Integrity
Loss Of Availability
Exploit Available
Verified

Products:
Microsoft Corporation Internet Explorer 6.0 SP2
Microsoft Corporation Internet Explorer 7.0 beta 2
Microsoft Corporation Internet Explorer 7.0 beta 1

Solution:

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes:

The following HTML content demonstrates this issue by crashing the browser:



<script>

for(s='<a onclick=',i=0;i<8||(document.write(s+'>'));i++)s+=s;

</script>
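
For defenders, a static check for the pattern described above (a single tag carrying many event handlers) can be run over stored or proxied HTML. This is an added example, not part of the original advisory or the referenced Snort rule; the threshold `MAX_HANDLERS_PER_TAG`, the names `HandlerCounter` and `scan_html`, and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: the advisory gives no handler count that triggers the overflow,
# so this limit is a tunable heuristic, not a value from the page.
MAX_HANDLERS_PER_TAG = 16


class HandlerCounter(HTMLParser):
    """Collects start tags that carry an unusual number of on* attributes."""

    def __init__(self, limit=MAX_HANDLERS_PER_TAG):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.findings = []  # (line, tag, total handlers, most repeated name, its count)

    def handle_starttag(self, tag, attrs):
        # html.parser keeps duplicate attributes, which is what we need here:
        # a DOM-based parser would silently collapse repeated handlers.
        counts = {}
        for name, _value in attrs:
            if name.startswith("on") and len(name) > 2:
                counts[name] = counts.get(name, 0) + 1
        total = sum(counts.values())
        if total > self.limit:
            top = max(counts, key=counts.get)
            line, _col = self.getpos()
            self.findings.append((line, tag, total, top, counts[top]))


def scan_html(text, limit=MAX_HANDLERS_PER_TAG):
    """Return one finding per start tag whose handler count exceeds the limit."""
    parser = HandlerCounter(limit)
    parser.feed(text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    # Constructed samples: one ordinary link, one tag with 40 repeated handlers.
    benign = '<a href="/x" onclick="go()" onmouseover="hint()">ok</a>\n'
    suspect = "<a " + " ".join('onclick="f()"' for _ in range(40)) + ">x</a>\n"
    for finding in scan_html(benign + suspect):
        print("line %d: <%s> has %d event handlers (%s x%d)" % finding)
```

A static scan sees only markup present in the document as delivered; tags assembled at runtime by script, as in the test case above, have to be inspected after script execution or caught by a separate rule on the generating script.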

External References:
Snort Signature ID: http://www.snort.org/pub-bin/sigs.cgi?sid=100000238
CVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1245
National Vulnerability Database: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1245
Bugtraq ID: http://www.securityfocus.com/bid/17131
Microsoft Security Bulletin: http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx
Generic Exploit URL: http://lcamtuf.coredump.cx/iedie.html
ISS X-Force ID: http://xforce.iss.net/xforce/xfdb/25292
Secunia Advisory ID: http://secunia.com/advisories/18957
Secunia Advisory ID: http://secunia.com/advisories/19269
Microsoft Knowledge Base Article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;912812
Other Solution URL: http://snort.org/rules/advisories/ie-issue-js-v2.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0303.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0304.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0310.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0325.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0048.html
Security Tracker: http://securitytracker.com/id?1015794

Credit:
Michal Zalewski (lcamtuf@dione.ids.pl) - Personal page (http://lcamtuf.coredump.cx/)
