Re: Exploit/DoS in MS Internet Explorer 6.0 (OBJECT Tag)

From: Roland Postle (mailat_private)
Date: Wed Apr 16 2003 - 15:12:46 PDT

    ><object id="test"
    >       data="#"
    >       width="100%" height="100%" 
    >       type="text/x-scriptlet" 
    >       VIEWASTEXT></object>
    
    What I think is happening is that IE takes the URL '#' on its own to
    mean current document. (You can achieve the same effect by specifying
    data="document.html" where document.html is the name of the html file
    running the code.)
    
    When the data in the file '#' is embedded into the document and
    executed, it too contains the same object tag, which embeds the document
    again and again. Eventually it runs out of stack space. I doubt this is
    exploitable on its own except as a DoS.
    
    - Blazde
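
The self-embedding described in the message above can be checked for statically. The following is an added example, not part of the original post: a Python scanner that flags OBJECT tags whose data URL resolves to the page that contains them. The name find_self_embeds, the example.test URLs and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag


class SelfEmbedFinder(HTMLParser):
    """Collect OBJECT tags whose data URL resolves to the page itself."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = urldefrag(page_url).url  # compare without fragment
        self.base_url = self.page_url            # replaced by first <base href>
        self.base_seen = False
        self.findings = []                       # (line, raw data attribute)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and not self.base_seen and attrs.get("href"):
            # A <base href> changes what relative URLs such as "#" point at.
            self.base_url = urljoin(self.page_url, attrs["href"])
            self.base_seen = True
        elif tag == "object" and attrs.get("data"):
            # Resolve the reference, then drop the fragment: "#" and the
            # page's own file name both end up at the page URL.
            target = urldefrag(urljoin(self.base_url, attrs["data"])).url
            if target == self.page_url:
                self.findings.append((self.getpos()[0], attrs["data"]))


def find_self_embeds(html, page_url):
    """Return (line, data) for every OBJECT that embeds page_url itself."""
    finder = SelfEmbedFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: the tag from the post, the file-name variant it
# mentions, and an OBJECT that points at a different document.
SAMPLE = """<html><body>
<object id="test" data="#" width="100%" height="100%"
        type="text/x-scriptlet" VIEWASTEXT></object>
<object data="document.html" type="text/x-scriptlet"></object>
<object data="other.html#top" type="text/x-scriptlet"></object>
</body></html>"""

if __name__ == "__main__":
    for line, data in find_self_embeds(SAMPLE, "http://example.test/dir/document.html"):
        print(f"line {line}: OBJECT data={data!r} embeds the containing page")
```
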
    


