Monday, November 21, 2005

0-day Exploit: Microsoft Internet Explorer "window()" Code Execution Vulnerability

A proof-of-concept exploit is already public for this vulnerability.

Via FrSIRT.

Advisory ID : FrSIRT/ADV-2005-2509
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-11-21

Technical Description

A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to the JavaScript "window()" object and the "body onload" tag, which could be exploited by remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page.

This vulnerability has been confirmed on Windows XP SP2 with Internet Explorer 6 (fully patched).

Exploits

http://www.frsirt.com/exploits/20051121.IEWindow0day.php

Affected Products

Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP2
Microsoft Internet Explorer 6 for Microsoft Windows XP SP1
Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4

Solution

The FrSIRT is not aware of any officially supplied patch for this issue.

Disable Active Scripting in Internet Explorer:

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Security tab, click Custom Level.
4. In the Settings box, click Disable under Active scripting.
5. Click OK, and then click OK.
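
To verify or deploy the same workaround without the GUI, the script below audits the registry value behind the "Active scripting" setting and can set it to Disable for the current user. It is an added example, not part of the FrSIRT advisory. It assumes the steps above target the Internet zone (zone 3); the script name and parameters are illustrative.

```powershell
# Added example: audit (and optionally set) the "Active scripting" URL action.
# URL action 1400 = Active scripting; 0 = Enable, 1 = Prompt, 3 = Disable.
# Zone 3 = Internet zone (assumed target of the GUI steps above).
param(
    [int[]]$Zones = @(3),   # zones to check; 1 = Local intranet, 2 = Trusted, 4 = Restricted
    [switch]$Apply          # when set, write Disable (3) to the per-user key first
)

$ActionName = '1400'
$Meaning    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$UserRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Locations where the zone setting can be defined (policy keys and plain keys).
$Roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    $UserRoot,
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingState {
    param([string]$Root, [int]$Zone)
    $path  = Join-Path $Root $Zone
    $item  = Get-ItemProperty -Path $path -Name $ActionName -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.$ActionName } else { $null }
    $text  = if ($null -eq $value) { 'not set' }
             elseif ($Meaning.ContainsKey($value)) { $Meaning[$value] }
             else { "unknown ($value)" }
    [pscustomobject]@{ Zone = $Zone; Path = $path; Value = $value; Setting = $text }
}

if ($Apply) {
    foreach ($z in $Zones) {
        $path = Join-Path $UserRoot $z
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $ActionName -Value 3 -Type DWord
    }
}

$report = foreach ($z in $Zones) {
    foreach ($r in $Roots) { Get-ActiveScriptingState -Root $r -Zone $z }
}
$report | Format-Table -AutoSize

# Fail if any location that defines the setting leaves scripting enabled or prompting.
$weak = @($report | Where-Object { $null -ne $_.Value -and $_.Value -ne 3 })
if ($weak.Count -gt 0) {
    Write-Warning "Active scripting is not disabled in $($weak.Count) location(s)."
    exit 1
}
```

Run it without `-Apply` to audit only; a non-zero exit code means at least one location that defines the value still allows scripting.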

References

http://www.frsirt.com/english/advisories/2005/2509
http://www.frsirt.com/english/reference/1111

Credits

Vulnerability originally reported by Benjamin Tobias Franz and exploited by S. Pearson

