Hello, I discovered the following bug last weekend:

Synopsis
--------------
By putting this malformed link on a web page, a malicious user could crash all the IE windows. It also works by passing the link directly into the address field of IE.

Affected versions:
-----------------------
IE 5.5 SP1 for Win 98 / 98 SE / 2000 / 2000 SP1
IE 5.5 for Win 98 / 98 SE / 2000 / 2000 SP1
IE 5.0 for Win 98 / 98 SE / 2000 / 2000 SP1

Not affected: IE 5.0 for Mac

Not tested on: Win 95, Win ME

The bug:
-------------
The following URL crashes IE: "ftp://whatever//.#./"

Vendor status
---------------------
Microsoft was notified during the week and they have told me that the bug will be fixed in the next Service Pack.

Details
----------
First, it doesn't work with http://. We can also note that when we put this link in a web page, select it and try to copy the link, we get "ftp://whatever//#./" instead of "ftp://whatever//.#./". Of course "ftp://whatever//#./" crashes IE as well... It is the same for the status bar: we can read "ftp://whatever//#./" instead of "ftp://whatever//.#./". Finally, if you type this URL very slowly in the address field, it also crashes IE; that's why I suppose that IE 4 is not vulnerable to this.

I have done more investigation and found out this: it's a call in msieftp.dll which causes the crash. I determined this by using a debugger, according to the following code:

    7120B8D3 push dword ptr [ebp+14h]
    7120B8D6 call dword ptr ds:[712012D8h]   // this is what causes the crash
    7120B8DC cmp byte ptr [eax],0
    7120B8DF jne 7120B93A
    7120B8E1 lea eax,[ebp+8]
    7120B8E4 push eax
    <-- snip -->
    7120B93A mov eax,edi
    7120B93C pop edi
    7120B93D pop esi
    7120B93E leave
    7120B93F ret 14h
    7120B942 push ebp
    7120B943 mov ebp,esp

It doesn't seem to be exploitable to me, but maybe you will find something.
Elie aka Lupin Bursztein
------------------------------------------------------------------------
ICQ : 32228319
Web : http://www.bursztein.net
"He feel safe, At this very moment he was lost..."
------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri May 04 2001 - 22:48:03 PDT