IE createTextRange() Vulnerability
 Rhys (Faithless) <rhyskidd gmail com> |
Friday, March 24 2006 14:48.00 CST |
The .JS flavour of the moment:
<input type="checkbox" id='c'>
<script>
r=document.getElementById("c");
a=r.createTextRange();
</script>
Spent some time looking into this bug, which has apparently been going around the traps for a couple of days. It really hit the big time when Stelian Ene reported it to Bugtraq ( http://seclists.org/lists/bugtraq/2006/Mar/0410.html ) and then Andreas Sandblad of Secunia came public that they had independently found the same bug ( http://secunia.com/advisories/18680/ ).
It's a sign of the times that bugs are demonstratably being co-discovered by multiples parties. As Dave Aitel said as early as Jan 05:
That is, other researchers who've never looked at the vulnerability before can get stable code execution in under 24 hours. Why assume it's always the "whitehats" who find these and report them? Rumours are the .WMF bug from late 2005 was sold for $4000 to install spyware and popups by one of the unknown original discoverers.
Hrmm, interesting concept, when we also look at the rapidly dropping time between public vulnerability announcement, and 3rd party exploit code.
- Compare SQL Slammer (Bulletin on July 24 2002 and exploit mass released on Jan 25 2003 - ~185 days)
- To Sasser (Bulletin on March 13 2004 and exploit mass released on April 1 2004 - ~17 days)
But sure, this topic has been covered before ( for details see http://www.trendmicro.com/NR/rdonlyres/5D55A679-5B64-485C-8B35-13F6A8026CE3/17118/Vulnerability_Record.pdf ) so where does the latest IE exploit leave us? It's not just exploit code development thats improved rapidly with better documentation, examples and tools such the excellent Metasploit ( [url]www.metasploit.com[/url] ), but the actual vulnerabilities themselves are being found by a wider group of people, in more and more applications. For more info on this http://www.google.com.au/search?hl=en&safe=off&q=code+fuzzers&btnG=Search&meta=
Once your code is running reliably through a exploit, there's also much greater emphasise on IDS evasion and "sliding windows" of attack.
I started looking at software vulnerabilities and code execution when I first saw spyware install itself automatically. Pretty suprising stuff to see. Initially, I thought the Symantec et. al idea of "use antivirus, antispyware, antimalware, antiphishing" products would provide protection. But what the hell, lets get your hands down and dirty, and figure out how remote code execution really works. Read a few BlackHat .pdf presentations by Aleph1, FX, HDMoore, Halvar Flake, Mike Lynn, or anything by any member of the Litchfield family :) . It'll teach you how x86/PPC works on a low-level, and it takes the voodoo mystery out of much of the malware-crud that's out there.
By the way, it's not just <input type="checkbox"> that causes this memory corruption. :/
It's going to be a big April MS Patch Tuesday.
Maybe another blog article after this is patched might give me a chance to walk through some of the technical details of this vulnerability.
Comments
| Posted: Wednesday, December 31 1969 18:00.00 CST | |