Microsoft Internet Explorer 6.x IMG/XML Elements Denial of Service Explained

What this paper is
This paper details a Denial of Service (DoS) vulnerability in Microsoft Internet Explorer 6.x. It is triggered by a specific combination of HTML content: an <img> tag followed, in the same table cell, by an <?xml:namespace> declaration and an element in that namespace, which causes Internet Explorer to crash. It is a classic client-side DoS in which a malicious web page takes down the user's browser.
Simple technical breakdown
The vulnerability lies in how Internet Explorer 6.x parses and lays out HTML that mixes a standard <img> tag with elements from a custom XML namespace, here the v: prefix that IE associates with VML (Vector Markup Language) once it is declared with an <?xml:namespace> processing instruction. The paper gives only the trigger, not a root-cause analysis: an <img> with no src attribute, floated with align=left, is followed in the same table cell by the namespace declaration and a one-pixel-high v:X element, and rendering that combination crashes the browser. Whether the crash is a null dereference, an unhandled exception, an infinite layout loop or something else is not stated, so do not assume a particular fault class from the snippet alone.
Complete code and payload walkthrough
The provided "code" is actually a snippet of HTML designed to exploit the vulnerability. There is no traditional executable code or shellcode in this paper.
<!--
Discovered by
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/
-->
<table>
<tr>
<td><IMG align=left>X X X<?xml:namespace prefix=v>
<v:X style="HEIGHT:1"></td>
</tr>
</table>
# milw0rm.com [2006-01-18]
Let's break down the meaningful parts:
- <!-- ... -->: An HTML comment block holding the discoverer's name, contact address and blog link. It is metadata and plays no part in the trigger.
- <table> ... </table>, <tr> ... </tr>, <td> ... </td>: An HTML table with one row and one cell. The cell is the container for the elements that trigger the crash; whether the table itself is required is not stated in the paper.
- <IMG align=left>: An <img> tag with no src attribute and the legacy align=left attribute, which floats the image box to the left of the content that follows. The tag is syntactically valid; what matters is that the rendering engine has to lay out a floated image box with no image data directly in front of the XML content. The text X X X is ordinary inline content in the same cell.
- <?xml:namespace prefix=v>: A processing instruction that IE's parser treats as a namespace declaration, binding the prefix v so that later v:-prefixed tags are handled as elements of that namespace rather than as unknown HTML tags. In IE 5/6 this form was commonly used for VML.
- <v:X style="HEIGHT:1">: An element in the v namespace. X is not one of the documented VML element names, so IE has no element behaviour for it; the HEIGHT:1 inline style gives it a one-pixel height. The paper does not explain why this combination crashes the browser, only that it does.
Mapping list:
- <table>, <tr>, <td>: Structural HTML elements that contain the exploit payload.
- <IMG align=left>: The src-less, left-floated image tag that precedes the XML content.
- <?xml:namespace prefix=v>: Declares the XML namespace prefix, preparing the parser for custom XML tags.
- <v:X style="HEIGHT:1">: A custom element in the declared namespace which, in combination with the above, triggers the crash.
Execution Flow:
- The parser builds the <table>, <tr> and <td> elements, establishing a layout context for the cell's content.
- It processes <IMG align=left>, creating a left-floated image box that has no source and therefore no image data. The paper does not say which property of this element matters, only that it must precede the XML content.
- It reaches <?xml:namespace prefix=v> and binds the prefix v, so the following v:-prefixed tag is parsed as a namespaced element rather than an unknown HTML tag.
- It reaches <v:X style="HEIGHT:1">, a one-pixel-high element in that namespace. Laying out this element next to the src-less floated image puts the rendering engine into a state it cannot handle, and the browser crashes (DoS).
There is no shellcode or payload bytes to analyze as this is a client-side HTML-based DoS.
Practical details for offensive operations teams
- Required Access Level: No elevated privileges are required. This exploit targets the client-side browser.
- Lab Preconditions:
- A target machine running Windows with Internet Explorer 6.x installed.
- A web server or a method to serve the malicious HTML content to the target. This could be a compromised website, a phishing email with a link, or even a local file opened by the user.
- Tooling Assumptions: A basic web server (e.g. Python's http.server, Apache, Nginx) to host the HTML file, and a text editor to create it.
- Execution Pitfalls:
- Browser Version Specificity: The paper lists only Internet Explorer 6.x as affected. Nothing on the page establishes whether earlier or later IE builds crash, so treat the trigger as version-specific and verify it in the lab against the exact build you target. Other browser engines do not treat <?xml:namespace> as a namespace declaration, so they are not expected to be affected.
- Security Software: Modern antivirus or endpoint detection and response (EDR) solutions might flag the HTML file or the act of crashing the browser, though the exploit itself is very simple and might bypass basic signature-based detection if obfuscated.
- User Interaction: The user must navigate to the malicious HTML page. This typically requires social engineering or a pre-existing vulnerability to deliver the link.
- Unpredictability: DoS exploits can be unpredictable. The exact conditions for a crash might vary slightly, and some systems might be more resilient than others.
- Limited Impact: This is a DoS. It crashes the browser but does not provide code execution or data exfiltration. The user can typically restart their browser to regain functionality.
- Tradecraft Considerations:
- Delivery: Phishing emails with links to the malicious page are a common delivery method.
- Stealth: Since it's a client-side DoS, the primary concern is getting the target to visit the page. The HTML itself is benign-looking.
- Post-Exploitation: If the goal is to disrupt a user, this could be used as a distraction or to prevent them from accessing a specific resource. However, its utility is limited by the ease with which the user can recover.
Where this was used and when
This vulnerability was published in January 2006. Exploits targeting Internet Explorer 6.x were common during the mid-2000s. While specific documented instances of this exact HTML snippet being used in real-world attacks are not readily available in public records, vulnerabilities of this nature were frequently exploited by:
- Malware authors: To disrupt user activity or create opportunities for other malicious actions.
- Script kiddies: For simple disruption or "fun."
- Early penetration testers: To demonstrate client-side risks.
The context is primarily the era when Internet Explorer 6 was dominant on Windows operating systems.
Defensive lessons for modern teams
- Patch Management: The most critical lesson is keeping browsers and operating systems patched and retiring end-of-life software. The page does not cite a specific Microsoft fix for this bug; the practical remediation was to apply IE updates as they shipped and, later, to move off IE6 entirely, which has been unsupported for years.
- Browser Hardening: While IE6 is obsolete, modern browsers have significantly improved their parsing engines and sandboxing capabilities, making such simple HTML-based DoS attacks much harder.
- Web Application Firewalls (WAFs): A WAF inspects requests to a web application you operate, so it only helps here if the trigger is injected into your own site (for example through stored HTML injection). A payload served from an attacker-controlled host never passes through your WAF; the relevant control there is a content-inspecting web proxy or secure web gateway, and even then this snippet is small and easy to obfuscate, so generic rules will not reliably catch it.
- User Awareness Training: Educating users about the dangers of clicking on suspicious links remains paramount, as social engineering is often the delivery vector for client-side attacks.
- Browser Sandboxing and Process Isolation: Modern browsers run page content in sandboxed renderer processes, usually one per site or tab. A renderer crash caused by hostile markup takes down that page rather than the whole browser, and the sandbox stops a compromised renderer from reaching the operating system. IE6 ran as a single unsandboxed process, so one bad page brought the entire browser down.
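The detection side of the lessons above is easier to reason about with a concrete check. The following JavaScript is an added example, not code from the paper or its author: a heuristic scanner of the kind a content-inspecting proxy or a server-side HTML sanitiser could run over fetched or user-submitted markup. It assumes a regex tag tokeniser is sufficient (no full HTML parser) and that the signature is the ordered triple "<img> without src, then <?xml:namespace prefix=X>, then an X:-prefixed element" exactly as the paper's snippet shows it; the sample documents are constructed for this example.

```javascript
// Added example (not from the original paper or its author): a heuristic scanner
// that flags HTML carrying the IE6 IMG/XML-namespace crash pattern, the sort of
// check a content-inspecting proxy or a server-side HTML sanitiser could run.
// Assumptions: a regex tag tokeniser is enough (no full HTML parser), and the
// signature is the ordered triple "<img> without src, then <?xml:namespace
// prefix=X>, then an X:-prefixed element". The sample documents are constructed.

// Opening tags, closing tags and <?xml:namespace ...> processing instructions.
const TAG_RE = /<(\?xml:namespace\b[^>]*|\/?[A-Za-z][\w:.-]*)([^>]*)>/g;

// Returns the prefix bound by an <?xml:namespace prefix=v> instruction, else null.
function declaredPrefix(tagName, attrs) {
  if (!/^\?xml:namespace/i.test(tagName)) return null;
  const m = /prefix\s*=\s*["']?([A-Za-z_][\w.-]*)/i.exec(tagName + attrs);
  return m ? m[1].toLowerCase() : null;
}

// Scans one HTML document. Returns { match, findings }: `match` is true only when
// the full ordered pattern is present; `findings` lists every partial hit so a
// caller can log weaker signals (e.g. plain VML use) without blocking on them.
function scanHtml(html) {
  const findings = [];
  const prefixes = new Set();   // prefixes bound by xml:namespace instructions
  let imgWithoutSrc = false;    // an <img> lacking src has already been seen
  let match = false;
  const re = new RegExp(TAG_RE.source, 'g'); // fresh lastIndex for every call
  let m;
  while ((m = re.exec(html)) !== null) {
    const [, name, attrs] = m;
    const prefix = declaredPrefix(name, attrs);
    if (prefix !== null) {
      prefixes.add(prefix);
      findings.push(`xml:namespace declaration for prefix "${prefix}"`);
      continue;
    }
    if (name.startsWith('/')) continue;          // closing tag: nothing to check
    const lower = name.toLowerCase();
    if (lower === 'img') {
      if (!/(^|\s)src\s*=/i.test(attrs)) {
        imgWithoutSrc = true;
        findings.push('<img> without src attribute');
      }
      continue;
    }
    const colon = lower.indexOf(':');
    if (colon > 0 && prefixes.has(lower.slice(0, colon))) {
      findings.push(`element <${name}> in declared namespace "${lower.slice(0, colon)}"`);
      if (imgWithoutSrc) match = true;          // full ordered pattern present
    }
  }
  return { match, findings };
}

// Constructed samples: the trigger from the paper (without its comment header),
// an ordinary page, and VML markup with no preceding src-less <img>.
const CRASH_SAMPLE = '<table><tr><td><IMG align=left>X X X<?xml:namespace prefix=v>\n' +
  '<v:X style="HEIGHT:1"></td></tr></table>';
const BENIGN_SAMPLE = '<html><body><img src="logo.png" alt="logo"><p>Hello</p></body></html>';
const VML_ONLY_SAMPLE = '<?xml:namespace prefix=v><v:rect style="width:10px"></v:rect>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, doc] of [['crash', CRASH_SAMPLE], ['benign', BENIGN_SAMPLE], ['vml', VML_ONLY_SAMPLE]]) {
    console.log(label, JSON.stringify(scanHtml(doc)));
  }
}
```

The scanner is deliberately order-sensitive: a namespace declaration and a v: element with no src-less <img> in front of them is ordinary VML (common in Office-generated HTML) and is only reported as a finding, not as a match. Because it is a regex tokeniser, attribute values containing ">" or markup hidden inside comments will confuse it; a production filter should run the same state machine over the tokens of a real HTML parser.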
ASCII visual (if applicable)
This exploit is purely client-side HTML rendering. An ASCII visual is not particularly applicable for illustrating a complex architecture or flow. It's a direct interaction between the browser's rendering engine and the malformed HTML.
Source references
- Paper ID: 1423
- Paper Title: Microsoft Internet Explorer 6.x - IMG / XML elements Denial of Service
- Author: Inge Henriksen
- Published: 2006-01-18
- Keywords: Windows,dos
- Paper URL: https://www.exploit-db.com/papers/1423
- Raw URL: https://www.exploit-db.com/raw/1423
Original Exploit-DB Content (Verbatim)
<!--
Discovered by
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/
-->
<table>
<tr>
<td><IMG align=left>X X X<?xml:namespace prefix=v>
<v:X style="HEIGHT:1"></td>
</tr>
</table>
# milw0rm.com [2006-01-18]