Wednesday, July 22, 2009

Another IE 0-day


Another 0-day is being exploited in the wild against Microsoft Internet Explorer. The bug is inside msvidctl.dll (the Microsoft Video ActiveX Control) when it processes a media file; the in-the-wild exploits use a crafted file with a *.gif extension. Below is our analysis of the in-the-wild exploit (we replaced the shellcode with %ucccc, i.e. 0xcc INT3 breakpoints, so execution stops as soon as control reaches it).

Figure 1.0 shows the exception handler being executed and jumping to our chosen address (0x0c0c0c0c).


Figure 2.0 shows the shellcode (the 0xcc INT3 breakpoints) being executed.
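The %ucccc and 0c0c0c0c values above are JavaScript unescape()-style escapes: each %uXXXX becomes one UTF-16 code unit, stored little-endian in memory, which is why a 0x0c0c0c0c spray block doubles as a nop sled (0c 0c is "or al, 0x0c") and why %ucccc yields two INT3 bytes. The decoder below is an added analysis helper written for this post, not code from the exploit or from the original article; it turns an escaped string into the bytes it occupies in memory and classifies the result, so an analyst can confirm a payload has been neutralised into breakpoints before letting it run.

```javascript
// Added example (not from the original post): decode a JavaScript
// percent-escaped string (%XX and %uXXXX, the forms unescape() accepts)
// into the little-endian UTF-16 bytes a heap-sprayed string occupies.
function escapedToBytes(s) {
  const bytes = [];
  let i = 0;
  while (i < s.length) {
    let code;
    if (s[i] === "%" && s[i + 1] === "u" &&
        /^[0-9a-fA-F]{4}$/.test(s.slice(i + 2, i + 6))) {
      code = parseInt(s.slice(i + 2, i + 6), 16);   // %uXXXX -> one code unit
      i += 6;
    } else if (s[i] === "%" && /^[0-9a-fA-F]{2}$/.test(s.slice(i + 1, i + 3))) {
      code = parseInt(s.slice(i + 1, i + 3), 16);   // %XX -> code unit 0..255
      i += 3;
    } else {
      code = s.charCodeAt(i);                        // literal character
      i += 1;
    }
    // Every JS string code unit is two bytes in memory, low byte first.
    bytes.push(code & 0xff, (code >> 8) & 0xff);
  }
  return bytes;
}

// Classify decoded bytes for triage:
//  - all 0xcc: shellcode replaced by INT3 breakpoints (safe to step into)
//  - all 0x0c: a 0x0c0c0c0c spray block (address and "or al,0x0c" sled)
//  - anything else: live payload or data, inspect before executing
function classify(bytes) {
  if (bytes.length && bytes.every((b) => b === 0xcc)) return "int3-breakpoints";
  if (bytes.length && bytes.every((b) => b === 0x0c)) return "0c0c0c0c-spray";
  return "other";
}

// Constructed sample input (not taken from the exploit page).
const samplePayload = "%ucccc%ucccc";
const sampleSpray = "%u0c0c%u0c0c";
console.log(classify(escapedToBytes(samplePayload)), classify(escapedToBytes(sampleSpray)));
```

A quick sanity check on "%41B" shows why the byte view matters: it decodes to 41 00 42 00, not 41 42, because every code unit is padded to two bytes. That is also why spray blocks and return addresses are written as %uXXXX pairs rather than %XX bytes.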




It is not a common stack overflow bug. Please read the excellent vulnerability analysis by Websense <a href="http://securitylabs.websense.com/content/Blogs/3434.aspx">here</a>.

MyCERT has released an <a href="http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/677/index.html">advisory</a> with a workaround (yes, with pictures) showing how to set the 'kill-bit' for this particular CLSID.
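For readers who would rather script the workaround than click through it, the following PowerShell is an added example, not the steps from the MyCERT advisory. It sets the kill-bit (Compatibility Flags = 0x400 under the ActiveX Compatibility key) for each CLSID you pass in and then reads the value back to confirm. The CLSIDs themselves are not reproduced here; take them from the advisory. The -Clsid parameter name and the Wow6432Node handling are this example's own assumptions.

```powershell
# Added example (not the advisory's own text): set the IE ActiveX kill-bit
# for one or more CLSIDs and verify it. Run from an elevated PowerShell.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string[]]$Clsid        # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
)

$KillBit = 0x400            # "Compatibility Flags" bit that stops IE loading the control

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so write both where present.
$roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
    $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

foreach ($id in $Clsid) {
    foreach ($root in $roots) {
        $key = Join-Path $root $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Preserve any flags already set; only OR in the kill-bit.
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -bor $KillBit) -Type DWord

        # Verify by reading the value back.
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
        if (($flags -band $KillBit) -eq $KillBit) {
            Write-Output "Kill-bit set: $key"
        } else {
            throw "Kill-bit NOT set for $key (Compatibility Flags = $flags)"
        }
    }
}
```

Two caveats: the kill-bit only stops Internet Explorer (and other hosts that honour it) from instantiating the control; it does not remove the vulnerable code from msvidctl.dll, so the vendor patch is still required. And the bit is tied to the exact CLSID, so if an advisory lists several CLSIDs, every one of them has to be passed in.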

