SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE) Vendors:   Microsoft
(MS03-040 Still Vulnerable) Re: Microsoft Internet Explorer Object Tag Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007897
SecurityTracker URL:  http://securitytracker.com/id/1007897
CVE Reference:   CAN-2002-0532   (Links to External Site)
Updated:  Oct 8 2003
Original Entry Date:  Oct 8 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.01, 5.5, 6.0
Description:   A vulnerability was reported in Microsoft Internet Explorer (IE) in the processing of a certain object type. A remote user can cause arbitrary code to be executed on the target user's computer.

It was originally reported that IE does not properly determine an object type returned from a web server. A remote user can create HTML that, when loaded, will cause arbitrary code to be executed on a target user's system. According to the report, IE does not properly validate a certain parameter in an HTTP response. The response can point to a specific type of file to cause an object to be scripted and executed.

Microsoft credited eEye Digital Security with reporting the flaw.

After issuing MS03-032 to ostensibly fix the flaw, it was reported that the patch did not fix certain dynamic HTML variants of the flaw [see Alert ID 1007658]. IE reportedly does not properly validate a certain object type provided by a web server during XML data binding (CVE: CAN-2003-0809). IE reportedly also does not validate a certain object type processed in a pop-up window (CVE: CAN-2003-0838). Both of these variants permit a remote user to create HTML that, when loaded by the target user, will cause arbitrary code to be executed on the target user's computer with the privileges of the target user.

After issuing MS03-040 to ostensibly fix the remaining flaws, Mindwarper reported that IE is still vulnerable. A demonstration exploit is available at:

http://mindlock.bestweb.net/wmp.htm

Impact:   A remote user can create HTML that, when loaded, will cause arbitrary code to be executed on the target user's computer with the privileges of the target user.
Solution:   Microsoft issued patches. However, it is reported that the patches do not fully correct the problem.

The following patches are available:

For all versions except Microsoft Internet Explorer 6.0 for Windows Server 2003:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

For Microsoft Internet Explorer 6.0 for Windows Server 2003:

http://www.microsoft.com/windows/ie/downloads/critical/828750s/default.asp


The appropriate patches can be installed on IE 5.01 running on Windows 2000 SP3 or SP4 systems, on IE 5.5 SP2, and IE 6.0 Gold or IE 6.0 SP1.

Microsoft plans to include the fix in Windows 2000 SP5, Windows XP SP2 and Windows Server 2003 SP1.

A reboot is required after applying the patch.

This patch supersedes the patch described in MS03-032.

Read the Microsoft advisory for some important caveats regarding this patch and the updated HTML Help control.

Microsoft plans to issue Knowledge Base article 828750 regarding this issue, to be available shortly on the Microsoft Online Support web site:

http://support.microsoft.com/?scid=fh;en-us;kbhowto

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-040.asp (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:   Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 20 2003 Microsoft Internet Explorer Object Tag Flaw Lets Remote Users Execute Arbitrary Code



 Source Message Contents

Date:  Tue, 07 Oct 2003 22:11:37 +0800
Subject:  IE 6 XML Patch Bypass


IE 6 XML Patch Bypass

I have recently been playing around with the xml+windows media player exploit, and it seems that even with the new Microsoft patch applied, the vulnerability works. I have tried it on 7 different people, on win2k and xp, and it worked every time. The 8th person was using DAP (Download Accelerator Plus), so it asked him if he wanted to download the executable. IE hacks like Dybuk Explorer are not affected by the vulnerability either.

Here is a proof-of-concept:

http://mindlock.bestweb.net/wmp.htm

Note: this only works on people who have media player in C:\Program Files\Windows Media Player\ 
and version 9.

I am not 100% sure, but I believe that Microsoft's new patch fixes the 401 bug. I tried using "HTTP/1.0 401 EVIL EVIL" so this may have been the reason for the patch bypass.

My solution would be to disable the media bar in IE 6. I explained how to do so in wmp.htm.


-----------------------------|
- Mindwarper                 |
- mindwarper@linuxmail.org   |
- http://mindlock.bestweb.net|
-----------------------------|


Copyright 2012, SecurityGlobal.net LLC