[42279] in bugtraq
Microsoft(R) Internet Explorer 5 & 6 Remote Denial of Service
daemon@ATHENA.MIT.EDU (inge.henriksen@booleansoft.com)
Tue Jan 17 19:48:58 2006
Date: 14 Jan 2006 23:33:45 -0000
Message-ID: <20060114233345.6883.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: inge.henriksen@booleansoft.com
To: bugtraq@securityfocus.com
** Inge Henriksen Security Advisory - Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/ **
Advisory Name:
Microsoft(R) Internet Explorer 5 & 6 Remote Denial of Service (DoS) using IMG & XML elements
Release Date:
14. January 2006
Vulnerable Product:
Microsoft(R) Internet Explorer 5
Microsoft(R) Internet Explorer 6
Tested and Confirmed Vulerable:
Microsoft® Windows® XP Professional with Service Pack 2 and IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
Microsoft® Windows® Server 2003 with IE 6.0.2790.0
Microsoft® Windows® 2000 Advanced Server 5.00.2195 with Service Pack 4 and IE 5.00.3700.1000
Other combinations are likely to be vulnerable, so far all systems that I have tested had the bug.
Severity:
Medium
Discovered by:
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/
Vendor Status:
Notified 30. December 2005, no fix at present.
Arbitrary Code Injection:
This is a null pointer dereference, so no arbitrary code injection is likely. Thanks to H D Moore from Metasploit for help on this issue.
Overview:
I have found that Microsoft(R) Internet Explorer 5 and Microsoft(R) Internet Explorer 6 are vulnerable
to a Denial of Service. So far all combinations of OS's and IE versions I have tested are vulnerable.
The exploit is triggered by a bad IMG element combined with a bad XML block, this html code can by hidden
inside a webpage etc. to cause a Denial of Service for all that tries to view that webpage.
Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/
