what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IE-DBCS.txt

IE-DBCS.txt
Posted Apr 14, 2006
Authored by Sowhat | Site secway.org

Microsoft Internet Explorer DBCS Remote Memory Corruption Vulnerability: This vulnerability affects systems that use Double-Byte Character Sets. Systems that are affected are Windows language versions that use a Double Byte Character Set language. Examples of languages that use DBCS are Chinese, Japanese, and Korean languages. Customers using other language versions of Windows might also be affected if "Language for non-Unicode programs" has been set to a Double Byte Character Set language.

tags | advisory, remote
systems | windows
SHA-256 | 9928b78c2e165f8d0be66728788d0d369520d36f2e3f50b6f0342f762ba5d58c

IE-DBCS.txt

Change Mirror Download
Microsoft Internet Explorer DBCS Remote Memory Corruption Vulnerability

By Sowhat of Nevis Labs
Date: 2006.04.11

https://www.nevisnetworks.com
https://secway.org/advisory/AD20060411.txt
https://www.microsoft.com/technet/security/bulletin/MS06-013.mspx


CVE: CVE-2006-1189

Vendor
Microsoft Inc.

Products affected:

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
and Microsoft Windows XP Service Pack 1
Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Internet Explorer 6 for Microsoft Windows Server 2003
Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, Microsoft
Windows 98 SE, and Microsoft Windows Millennium Edition



This vulnerability affects systems that use Double-Byte Character Sets.
Systems that are affected are Windows language versions that use a
Double Byte Character Set language. Examples of languages that use DBCS
are Chinese, Japanese, and Korean languages. Customers using
other language versions of Windows might also be affected if "Language
for non-Unicode programs" has been set to a Double Byte Character Set
language.


Overview:

There exists a buffer overflow in Microsoft Internet Explorer in the
parsing of DBCS URLS.

This vulnerability could allow an attacker to execute arbitrary code on the
victim's system when the victim visits a web page or views an HTML email
message.

This attack may be utilized wherever IE parses HTML, such as webpages, email,
newsgroups, and within applications utilizing web-browsing functionality.


Details:

URLMON.DLL does not properly validate IDN containing double-byte character
sets (DBCS), which may lead to remote code execution.

Exploiting this vulnerability seems to need a lot of more work but we
believe that
exploitation is possible.


POC:

No PoC will be released for this.


FIX:

Microsoft has released an update for Internet Explorer which is
set to address this issue. This can be downloaded from:

https://www.microsoft.com/technet/security/bulletin/MS06-013.mspx


Vendor Response:

2005.12.29 Vendor notified via secure@microsoft.com
2005.12.29 Vendor responded
2006.04.11 Vendor released MS06-0xx patch
2006.04.11 Advisory released


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (https://cve.mitre.org), which standardizes
names for security problems.


CVE-2006-1189


Greetings to Lennart@MS, Chi, OYXin, Narasimha Datta, all Nevis Labs guys,
all XFocus and 0x557 guys :)


References:

1. https://www.microsoft.com/technet/security/bulletin/MS06-013.mspx
2. https://www.nsfocus.com/english/homepage/research/0008.htm
3. https://xforce.iss.net/xforce/xfdb/5729
4. https://www.securityfocus.com/bid/2100/discuss
5. https://www.inter-locale.com/whitepaper/IUC27-a303.html
6. https://blogs.msdn.com/michkap/archive/2005/10/28/486034.aspx
7. [Mozilla Firefox IDN "Host:" Buffer Overflow]
https://www.security-protocols.com/advisory/sp-x17-advisory.txt
8. [Mozilla Firefox 1.5 Beta 1 IDN Buffer Overflow]
https://www.security-protocols.com/advisory/sp-x18-advisory.txt
9. https://72.14.203.104/search?q=cache:Dxn-V4fil1IJ:developer.novell.com
/research/devnotes/1995/may/02/05.htm







--
Sowhat
https://secway.org
"Life is like a bug, Do you know how to exploit it ?"
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close