Re: [bug]: Cause IE 5.X to crash

From: Ryan Sweat (h3xm3at_private)
Date: Fri May 04 2001 - 23:31:38 PDT


    IE 6.0 (beta) is vuln.
    
    ----- Original Message -----
    From: "Elie Aka Lupin Bursztein" <secuat_private>
    To: <VULN-DEVat_private>
    Sent: Friday, May 04, 2001 5:34 PM
    Subject: [bug]: Cause IE 5.X to crash
    
    
    : Hello,
    : I discovered the following bug last weekend:
    :
    : Synopsis
    : --------------
    :
    : By putting this malformed link on a web page, a malicious
    : user could crash all the IE windows. It also works when the link is
    : entered directly into the address field of IE.
    :
    : Affected versions:
    : -----------------------
    :
    : IE 5.5 sp1 for WIN 98 / 98 SE /2000 / 2000 sp1
    : IE 5.5 for WIN 98 / 98 SE /2000 / 2000 sp1
    : IE 5.0 for WIN 98 / 98 SE /2000 / 2000 sp1
    :
    : Not affected:
    :
    : IE 5.0 For Mac
    :
    : Not tested on:
    :
    : Win 95, Win ME
    :
    : The bug:
    : -------------
    :
    : The following URL crashes IE: "ftp://whatever//.#./"
    :
    :
    : Vendor status
    : ---------------------
    :
    : Microsoft was notified during the week and told me that the
    : bug will be fixed in the next Service Pack.
    :
    : Details
    : ----------
    :
    : First, it doesn't work with http:// . We can also note that when we put
    : this link in a web page, select it and try to copy the link, we get
    : "ftp://whatever//#./" instead of "ftp://whatever//.#./". Of course
    : "ftp://whatever//#./" crashes IE as well... It is the same for the status
    : bar: we can read "ftp://whatever//#./" instead of "ftp://whatever//.#./".
    : Finally, if you type this URL very slowly in the address field, it also
    : crashes IE. That's why I suppose that IE 4 is not vulnerable to this.
    :
    : I have made more investigation and found out this:
    :
    : It's a call in msieftp.dll that causes the crash. I determined this
    : by using a debugger,
    : according to the following code:
    :
    : 7120B8D3 push dword ptr [ebp+14h]
    : 7120B8D6 call dword ptr ds:[712012D8h] //this is what cause the crash
    : 7120B8DC cmp byte ptr [eax],0
    : 7120B8DF jne 7120B93A
    : 7120B8E1 lea eax,[ebp+8]
    : 7120B8E4 push eax
    : <-- snip -->
    : 7120B93A mov eax,edi
    : 7120B93C pop edi
    : 7120B93D pop esi
    : 7120B93E leave
    : 7120B93F ret 14h
    : 7120B942 push ebp
    : 7120B943 mov ebp,esp
    :
    : It doesn't seem to be exploitable to me, but maybe you will find
    : something.
    :
    :
    : Elie Aka Lupin Bursztein
    : ------------------------------------------------------------------------
    : ICQ : 32228319
    : Web : http://www.bursztein.net
    : "He feel safe, At this very moment he was lost..."
    : ------------------------------------------------------------------------
    
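As an added example that is not part of this thread: a gateway content check in Python that flags both link forms quoted in the report above, the raw "ftp://whatever//.#./" and the "ftp://whatever//#./" form IE shows in the status bar and copies to the clipboard, while leaving the http:// form (reported not to crash) and ordinary ftp links alone. The HTML sample is constructed; "whatever" is the report's own placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def is_crashing_ftp_url(url: str) -> bool:
    """True if url has the reported shape: ftp scheme, a path that is an
    empty segment plus an optional '.' segment, then a fragment that
    begins with './'. The report says the http:// form does not crash."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "ftp":
        return False
    return parts.path in ("//", "//.") and parts.fragment.startswith("./")


class _LinkCollector(HTMLParser):
    """Collect every href/src attribute value in a document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def find_crashing_links(html: str) -> list:
    """Return the link targets in html that match the reported crash pattern."""
    collector = _LinkCollector()
    collector.feed(html)
    return [u for u in collector.links if is_crashing_ftp_url(u)]


# Constructed sample page (not from the report); "whatever" is its placeholder host.
SAMPLE_HTML = """
<html><body>
<a href="http://whatever//.#./">http form, reported not to crash</a>
<a href="ftp://whatever//.#./">raw reported link</a>
<a href="ftp://whatever//#./">form IE shows in the status bar</a>
<a href="ftp://whatever/pub/#./">ordinary ftp link with a fragment</a>
</body></html>
"""

if __name__ == "__main__":
    for link in find_crashing_links(SAMPLE_HTML):
        print("flagged:", link)
```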



    This archive was generated by hypermail 2b30 : Sat May 05 2001 - 11:27:54 PDT