CVE-2007-0099 - Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer

CVE-2007-0099

Summary

Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka "MSXML Memory Corruption Vulnerability."

References

Vulnerable Configurations

cpe:2.3:a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 16-10-2018 - 16:31)
Impact:
Exploitability:

CWE

CWE-362

CAPEC

Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with his version and cause the system to read the malicious file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

msbulletin via4

bulletin_id	MS08-069
bulletin_url
date	2008-11-11T00:00:00
impact	Remote Code Execution
knowledgebase_id	955218
knowledgebase_url
severity	Critical
title	Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution

oval via4

accepted

2008-12-29T04:00:25.122-05:00

class

vulnerability

contributors

name	Sudhir Gandhe
organization	Secure Elements, Inc.

definition_extensions

comment	Microsoft XML Core Services 3 is installed
oval	oval:org.mitre.oval:def:415

description

family

windows

oval:org.mitre.oval:def:5793

status

accepted

submitted

2008-11-19T14:19:00

title

MSXML Memory Corruption Vulnerability

version

refmap via4

bid	21872
bugtraq	20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) 20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws) 20070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)
cert	TA08-316A
fulldisc	20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws) 20070104 Re: Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)
hp	HPSBST02386 SSRT080164
misc	http://isc.sans.org/diary.php?storyid=2004
osvdb	32627
sectrack	1021164
secunia	23655
vupen	ADV-2008-3111

Last major update

16-10-2018 - 16:31

Published

08-01-2007 - 20:28

Last modified

16-10-2018 - 16:31