
Win-98 and MS14-021 (new IE vulnerability)


Nomen


So what's the deal with this IE vulnerability that has existed for almost 10 years but has somehow, mysteriously, never been discovered until just days after XP goes EOL?

Supposedly affects IE6 - but is that the same IE6 that win-9x/me and 2K use, or the IE6 that only XP and higher can use?

Has anyone downloaded WindowsXP-KB2964358-x86-custom-ENU.exe and unpacked it?

I can't seem to find a direct download link for it.

Does it function on win-9x? Or does it die when it's exposed to a win-9x system - just like so many other Windows and IE exploits?



The download is on Microsoft's website.

Google: WindowsXP-KB2964358-x86-custom-ENU.exe to get the page.

There are 4 imports in the Installer that need to be stubbed before it can be run.


An easier way to unpack would be to download MSPatchGUI from my repository (check the sig below), run it, select the original exe at the top, destination folder below (no need to create a special folder, it'll automatically create one by the name of the exe file) and click 'Apply patch'. It won't actually apply it to the system, it'll merely unpack the files and process the deltas to create the true final files.

 

The main file is mshtml.dll in the SP3QFE folder and there are others in the update folder.

 

IE8: 6,022,144 bytes dated 2014.04.30 11:13

IE7: 3,628,032 bytes dated 2014.04.30 11:01

IE6: 3,094,528 bytes dated 2014.04.30 08:23

 

The mshtml.dll files in the IE8 and IE7 packages have a lot of unsatisfied dependencies in various system libraries.

The one in the IE6 package has missing dependencies in four libraries:

SHDOCVW.DLL, SHLWAPI.DLL, SHELL32.DLL, urlmon.dll.

The last two are delayed imports. It may - and I say may - work in 9x, possibly under KernelEx.

Edited by Drugwash

Is there any way to know if win-9x/IE6 is vulnerable to this exploit? Is anyone hosting a proof-of-concept test page, maybe something that opens calc.exe like used to be done by milw0rm? Does pastebin have anything like that?

Edit:

Ok, I've got the file. Now is there any way, on a win-98 system, to decode it and get mshtml.dll? All I get are a bunch of ._p files and an _sfx_.dll that I have no idea what to do with. Is there a tool or utility program that (I suppose) can generate the target file?

Edited by Nomen

I don't think mixing XP IE6 files is too good an idea if it works at all. I would simply unregister/delete vgx.dll if I were concerned by this, as it's pretty much obsolete anyway and a more certain way to avoid any issue IMO, as it looks like this is yet another half-baked fix by Microsoft where the affected file isn't fixed itself but only the known exploit vector. Since vgx.dll is an ActiveX file, chances are this vuln can be exploited through scripting also.


If I see differences in mshtm#.ini between mshtml.dll in my windows/system folder and this new mshtml.dll (after running both of them through import patcher), for example:

---------------

current mshtml.dll (6.00.2800.1651):

[Patches needed]
appHelp.dll=Functions, Unbind
UxTheme.dll=Functions, Unbind
BROWSEUI.dll=DLLs
SHDOCVW.dll=DLLs

-----------------

new mshtml.dll (6.00.2900.6550 xpsp_sp3_qfe_escrow.140429-1337):

[Patches needed]
appHelp.dll=Functions, Unbind
mshtml.dll=DLLs, Functions

[SHLWAPI.dll]
SHRegGetValueW=

[msjava.dll]
execute_java_dynamic_method=
execute_java_dynamic_method64=
javaStringLength=
javaStringStart=
convert_Java_Object_to_IUnknown=
jcdwGetData=
FindClass=
convert_IUnknown_to_Java_Object=
makeJavaStringW=
execute_java_constructor=
GCFramePop=
is_instance_of=
GCFramePush=

[urlmon.dll]
CoInternetSetFeatureEnabled=
CoInternetIsFeatureZoneElevationEnabled=
CoInternetIsFeatureEnabled=
CoInternetIsFeatureEnabledForUrl=

-------------

What would that indicate?

Why so many references to java in the new file?


Older mshtml.dll is an ActiveX itself, if nobody noticed. Newer one from the hotfix is not. It has been completely reworked, apparently. This brought in new dependencies.

 

I tried it yesterday with KernelEx in Default mode and XP-SP2 mode and it didn't work; obviously the missing imports prevent the library from being loaded. For some reason I can't wrap my head around Kexstub.



I have checked this file just for the heck of it and I don't see why it's not an ActiveX anymore, since it exports all the standard COM functions.

 

And there is no way to run it even with KexStub because it requires some unnamed functions exported by ordinal from shdocvw.dll and KexStub doesn't support that.

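Added example, not code posted by anyone in this thread: a small Python script that does offline the kind of check Drugwash did when listing the IE6 mshtml.dll's unsatisfied dependencies (including the two delayed imports) and that makes the point in the post above concrete. It walks a PE32 image's regular import directory and its delay-load directory, lists each DLL's imports, marks entries imported by ordinal rather than by name, and compares them against a table of exports the target system is known to provide. Everything in it is an assumption for illustration: the PE image is constructed inline (it is not mshtml.dll), the DLL names reuse the ones named in the thread, the function name DemoNamedExport is made up (CoInternetSetFeatureEnabled is the urlmon import listed earlier), and TARGET_EXPORTS is a hypothetical table, not real Windows 98 export data.

```python
# Added example, not code from this thread: a minimal PE32 import walker that lists
# regular and delay-load imports, flags by-ordinal imports, and checks them
# against a table of exports the target system is known to provide.
import struct

IMPORT_DIR, DELAY_DIR = 1, 13     # data-directory indices from the PE/COFF spec
ORDINAL_FLAG = 0x80000000         # IMAGE_ORDINAL_FLAG32: thunk holds an ordinal

def _rva_to_off(sections, rva):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def _thunks(buf, sections, rva):
    """Names (or '#ordinal') from an import name table, up to the 0 terminator."""
    off = _rva_to_off(sections, rva)
    while (t := struct.unpack_from("<I", buf, off)[0]) != 0:
        # By-name entries point at a 2-byte hint followed by the ASCII name.
        yield f"#{t & 0xFFFF}" if t & ORDINAL_FLAG else _cstr(buf, _rva_to_off(sections, t) + 2)
        off += 4

def parse_imports(buf):
    """Return {dll: {'delayed': bool, 'funcs': [...]}} for a PE32 image."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    assert buf[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", buf, pe + 6)[0], struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    assert struct.unpack_from("<H", buf, opt)[0] == 0x10B, "PE32 (32-bit) images only"
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<4I", buf, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))
    out = {}
    # Regular import directory: 20-byte descriptors ending with an all-zero one.
    rva = struct.unpack_from("<I", buf, opt + 96 + 8 * IMPORT_DIR)[0]
    off = _rva_to_off(sections, rva) if rva else None
    while off and any(struct.unpack_from("<5I", buf, off)):
        oft, _, _, name, ft = struct.unpack_from("<5I", buf, off)
        dll = _cstr(buf, _rva_to_off(sections, name))
        out[dll] = {"delayed": False, "funcs": list(_thunks(buf, sections, oft or ft))}
        off += 20
    # Delay-load directory: 32-byte descriptors; Attributes bit 0 clear means VAs, so rebase.
    rva = struct.unpack_from("<I", buf, opt + 96 + 8 * DELAY_DIR)[0]
    off = _rva_to_off(sections, rva) if rva else None
    while off and any(struct.unpack_from("<8I", buf, off)):
        attrs, name, _, _, int_rva = struct.unpack_from("<5I", buf, off)
        if not attrs & 1:
            name, int_rva = name - image_base, int_rva - image_base
        dll = _cstr(buf, _rva_to_off(sections, name))
        out[dll] = {"delayed": True, "funcs": list(_thunks(buf, sections, int_rva))}
        off += 32
    return out

def unsatisfied(imports, target_exports):
    """Imports the target cannot provide. Ordinal imports are listed separately
    because a by-name stub layer (the KexStub case above) cannot redirect them."""
    report = {}
    for dll, info in imports.items():
        have = target_exports.get(dll.lower(), set())
        missing = [f for f in info["funcs"] if f not in have]
        if missing:
            report[dll] = {"delayed": info["delayed"], "missing": missing,
                           "ordinals": [f for f in missing if f.startswith("#")]}
    return report

def build_sample():
    """CONSTRUCTED PE32 (not mshtml.dll): one section at RVA 0x1000 / file offset 0x200,
    SHDOCVW.DLL imported normally (one by-name, one by-ordinal entry), urlmon.dll delay-loaded."""
    base, raw = 0x1000, 0x200
    sec = bytearray(0x200)
    def put(off, data): sec[off:off + len(data)] = data
    put(0x100, b"SHDOCVW.DLL\0"); put(0x110, b"urlmon.dll\0")
    put(0x120, b"\0\0DemoNamedExport\0")                   # hint + made-up name
    put(0x140, b"\0\0CoInternetSetFeatureEnabled\0")
    thunks = struct.pack("<3I", base + 0x120, ORDINAL_FLAG | 101, 0)
    put(0x060, thunks); put(0x070, thunks)                  # INT and unbound IAT
    put(0x000, struct.pack("<5I", base + 0x60, 0, 0, base + 0x100, base + 0x70))
    put(0x080, struct.pack("<2I", base + 0x140, 0))         # delay-load INT
    put(0x0A0, struct.pack("<8I", 1, base + 0x110, base + 0x1F0, base + 0x90, base + 0x80, 0, 0, 0))
    hdr = bytearray(raw)
    hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 0x40); hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = 0x58; struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 28, 0x10000000)       # ImageBase
    struct.pack_into("<I", hdr, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * IMPORT_DIR, base, 40)
    struct.pack_into("<II", hdr, opt + 96 + 8 * DELAY_DIR, base + 0xA0, 64)
    struct.pack_into("<8sIIII", hdr, opt + 224, b".rdata", 0x200, base, 0x200, raw)
    return bytes(hdr + sec)

# Hypothetical export table for the target OS; NOT real Windows 98 export data.
TARGET_EXPORTS = {"shdocvw.dll": {"DemoNamedExport"}, "urlmon.dll": set()}

if __name__ == "__main__":
    print(unsatisfied(parse_imports(build_sample()), TARGET_EXPORTS))
```

Run with no arguments it parses the built-in sample and reports SHDOCVW.DLL as missing only the ordinal entry and urlmon.dll as a delay-load DLL missing CoInternetSetFeatureEnabled. To use it on a real file, pass the file's bytes to parse_imports and replace TARGET_EXPORTS with export lists dumped from the target system's DLLs (this script does not dump them). Anything that shows up under "ordinals" is exactly what a by-name stub table cannot redirect, which is the KexStub limitation described in the post above.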

Hmm, admittedly I didn't check the file deeply. I have a plug-in (FileInfo) in Total Commander which shows detailed information on executable files. The old mshtml.dll triggers an extra tab in the plug-in called Activex/OCX although there's an error regarding LoadTypeLib failure.

 

The new mshtml.dll doesn't trigger that tab so I figured they must have changed its type. But it may just be because it can't be loaded. Too many assumptions, I should take it easy.



Probably that's because it should load the file successfully to display this tab, and the newer file cannot be loaded because of missing imports. Have you tested it with newer Windows?


Now that you mentioned it, I tried that in XP and the ActiveX/OCX tab does indeed appear but the LoadTypeLib error message is still there. Of course, it may be also a bug/limitation in that plug-in. Didn't pursue this matter further since I'm not really interested.

