------------------------------------------------------------
Advisory

I discovered a flaw in IE a while ago that can kill IE and can halt the entire system under Windows 9x. It didn't seem like a big deal to me at the time, but seeing the fuss about Matthew Murphy's discovery of a similar IE DoS (see the bugtraq post at the bottom of this message) I hereby republish it and inform the vendor, Microsoft, about the problem.

Kind regards,
Berend-Jan Wever

------------------------------------------------------------
Affected software versions

Every version of IE (up to 6.0 fully patched) seems to be affected. The stability of Windows 9x can be affected by crashing IE.

------------------------------------------------------------
Explanation of the flaw

Exploitation causes a stack overflow. This will probably be exploitable but I am not familiar with stack overflow exploitation so I will leave that to the real h4x0rs.

Basic example of the flaw:

<IMG src="::" onError="this.src='::';">

What this does:
1) It creates an image with an invalid src.
2) IE tries to show the picture but can't: it fires the onError event.
3) The onError event resets the src attribute to the same invalid src.
4) goto 2

As you can see, it's based on an infinite loop: the onError event causes itself. Every time the onError event fires, another return address is pushed on the stack, until the stack is filled up and overflows. Note that this is stack exhaustion through unbounded recursion rather than an overflow of a fixed-size buffer: the handler re-enters itself before the previous invocation has returned, so the frames accumulate until no stack space is left. Various variants of this error cause overflows in various DLLs. IE 6.0 seems to be better protected against fatal crashes than IE 5.0, and Windows 2000 seems to be unaffected, while some variants will cause an overflow in kernel32.dll and halt Windows 9x.
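The self-triggering onError loop described above, as an added example that is not part of the original advisory. It is a small JavaScript model, not IE's code: the toy image object fires onError synchronously from inside its src setter, which is an assumed simplification matching the advisory's description of each onError pushing another frame (real browsers load images asynchronously, so this reproduces the recursion, not the actual IE crash). The validity rule for src, the function names and the 'fallback.png' placeholder are all assumptions made for the example. The unguarded run shows the recursion ending in the engine's stack-exhaustion error; the guarded run shows the handler detaching itself before touching src, which is the check a page author needs so that a fallback image cannot re-trigger the handler.

```javascript
// Added example, not from the original post: a minimal model of the
// onError recursion in the advisory.  Assumption: onError fires
// synchronously from inside the src setter, as the advisory implies
// when it says each onError pushes another return address.

function makeImage() {
  return {
    _src: '',
    onerror: null,
    errorFires: 0,
    // Assumed validity rule for the toy: '' and '::' are unloadable,
    // mirroring the '::' src used in the advisory.
    isValidSrc(v) {
      return typeof v === 'string' && v !== '' && v !== '::';
    },
    get src() {
      return this._src;
    },
    set src(v) {
      this._src = v;
      if (!this.isValidSrc(v) && typeof this.onerror === 'function') {
        this.errorFires += 1;
        this.onerror.call(this); // synchronous re-entry -> recursion
      }
    },
  };
}

// The advisory's handler, onError="this.src='::';": every fire re-sets the
// same invalid src, which fires onError again before the previous call has
// returned.  A JS engine reports the exhausted stack as a RangeError
// instead of taking the process down, so we can catch it and count the
// nested invocations that happened before the stack ran out.
function runUnguarded() {
  const img = makeImage();
  img.onerror = function () {
    this.src = '::';
  };
  let overflowed = false;
  try {
    img.src = '::';
  } catch (e) {
    overflowed = e instanceof RangeError;
  }
  return { overflowed, fires: img.errorFires };
}

// Hardened handler: detach itself before any src assignment, so a second
// failure (for example an unloadable placeholder) cannot re-enter the
// handler.  The loop is broken after exactly one onError.
function runGuarded(placeholder) {
  const img = makeImage();
  img.onerror = function () {
    this.onerror = null; // break the loop first
    this.src = placeholder;
  };
  img.src = '::';
  return { overflowed: false, fires: img.errorFires, finalSrc: img.src };
}

// Stand-alone usage: the first result reports overflowed: true after
// thousands of nested fires; the second stops after a single fire.
console.log(runUnguarded(), runGuarded('fallback.png'));
```

The guard works even when the placeholder itself is unloadable: with onerror already detached, the second failed assignment has no handler to re-enter, so the page degrades to a broken image instead of a crashed browser.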
IE 6.0 will report the overflow with a popup message and continue to function most of the time, but some variants will terminate all open IE windows without notification.

------------------------------------------------------------
More details

More details about various variants of this flaw can be found on my website. As you can imagine, there are a lot of possibilities for creating infinite loops.

http://spoor12.edup.tudelft.nl

------------------------------------------------------------
Vendor status

Microsoft is hereby informed of the problem. As far as I know, infinite loops have been known to be a problem for some time now; that's why IE 6.0 is more stable (but not stable enough).

------------------------------------------------------------
Original message to bugtraq by Matthew Murphy

The Flaw

OBJECT elements are used for embedded OLE in HTML documents. A flaw in the way Microsoft Internet Explorer processes this directive allows a page that causes a loop in object dependency, or loads itself in a certain manner in an OBJECT, to completely crash Internet Explorer.

The Exploit

To date, I have discovered 4 points of exploitation to crash the browser. My favorite example is this one:

---- [ CRASH.HTM ] ----
<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
---- [ CRASH.HTM ] ----

IE dies inside shdocvw.dll with a call stack overflow.

Fixes

Set "Run ActiveX Controls and Plugins" to disabled in ALL zones. An XML Island DSO may even be able to get past this, however. I would expect this bug to be fixed in a future IE service pack, though there's been no confirmation/details of that from Microsoft.
This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 09:02:09 PDT