worked for me too, on my WinMe, IE6

=================================================
Andreas Constantinides (MegaHz)
Owner - Admin of www.cyhackportal.com
megahzat_private
ICQ#: 30136845
=================================================

----- Original Message -----
From: "Juhani Kataila" <kattilaat_private>
To: <VULN-DEVat_private>
Sent: Saturday, May 05, 2001 11:57 AM
Subject: Re: [bug]: Cause IE 5.X to crash

> Worked on my WindowsME, both IE5.0 and IE5.5
>
> - Juhani Kataila
>
> ----- Original Message -----
> From: "Elie Aka Lupin Bursztein" <secuat_private>
> To: <VULN-DEVat_private>
> Sent: Saturday, May 05, 2001 1:34 AM
> Subject: [bug]: Cause IE 5.X to crash
>
> > hello,
> > I discovered the following bug last weekend:
> >
> > Synopsis
> > --------------
> >
> > By putting this malformed link on a web page a malicious
> > user could crash all the IE windows. It also works by passing the link
> > directly into the address field of IE.
> >
> > Affected version :
> > -----------------------
> >
> > IE 5.5 sp1 for WIN 98 / 98 SE / 2000 / 2000 sp1
> > IE 5.5 for WIN 98 / 98 SE / 2000 / 2000 sp1
> > IE 5.0 for WIN 98 / 98 SE / 2000 / 2000 sp1
> >
> > not affected
> >
> > IE 5.0 For Mac
> >
> > not tested on :
> >
> > Win 95 , Win ME
> >
> > The Bug :
> > -------------
> >
> > the following URL crashes IE : "ftp://whatever//.#./"
> >
> >
> > Vendor status
> > ---------------------
> >
> > Microsoft was notified during the week and they have told me that the
> > bug will be fixed in the next Service Pack.
> >
> > Details
> > ----------
> >
> > First, it doesn't work with http:// . We could also note that when we put
> > this link in a web page, select it and try to copy the link, we get
> > "ftp://whatever//#./" instead of "ftp://whatever//.#./" . Of course
> > "ftp://whatever//#./" crashes IE as well... It is the same for the status
> > bar : we could read "ftp://whatever//#./" instead of "ftp://whatever//.#./" .
> > Finally, if you type this URL very slowly in the address field, it also
> > crashes IE. That's why I suppose that IE 4 is not vulnerable to this.
> >
> > I have investigated further and found this :
> >
> > it's a call in msieftp.dll that causes the crash. I have determined this
> > by using a debugger
> > according to the following code :
> >
> > 7120B8D3 push dword ptr [ebp+14h]
> > 7120B8D6 call dword ptr ds:[712012D8h] // this is what causes the crash
> > 7120B8DC cmp byte ptr [eax],0
> > 7120B8DF jne 7120B93A
> > 7120B8E1 lea eax,[ebp+8]
> > 7120B8E4 push eax
> > <-- snip -->
> > 7120B93A mov eax,edi
> > 7120B93C pop edi
> > 7120B93D pop esi
> > 7120B93E leave
> > 7120B93F ret 14h
> > 7120B942 push ebp
> > 7120B943 mov ebp,esp
> >
> > It doesn't seem to be exploitable to me, but maybe you will find
> > something.
> >
> >
> > Elie Aka Lupin Bursztein
> > ------------------------------------------------------------------------
> > ICQ : 32228319
> > Web : http://www.bursztein.net
> > "He feel safe, At this very moment he was lost..."
> > ------------------------------------------------------------------------
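
Added example, not part of the original thread or any participant's code: a Python check that a proxy or mail gateway could run over HTML to flag links in the two URL forms reported above. The function names, the second host name and the sample page are assumptions made for this example; it matches only the exact shapes quoted in the report, since the thread does not establish a more general trigger.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (path, fragment) pairs a standard URL parser yields for the two reported
# forms: "ftp://host//.#./" and the copied variant "ftp://host//#./".
REPORTED_SHAPES = {("//.", "./"), ("//", "./")}


def is_reported_ftp_url(url: str) -> bool:
    """True if url is an ftp:// URL with one of the two reported shapes."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    # The report states that http:// does not trigger the crash.
    if parts.scheme.lower() != "ftp" or not parts.netloc:
        return False
    return (parts.path, parts.fragment) in REPORTED_SHAPES


class LinkCollector(HTMLParser):
    """Collects href/src attribute values from every tag in a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def find_reported_links(html: str) -> list:
    """Return the links in html that match the reported URL forms."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [u for u in collector.links if is_reported_ftp_url(u)]


# Constructed sample page (not from the original post).
SAMPLE_PAGE = """
<a href="ftp://whatever//.#./">one</a>
<a href="FTP://files.example//#./">two</a>
<a href="http://whatever//.#./">http is reported as not affected</a>
<a href="ftp://files.example/pub/readme.txt#top">ordinary ftp link</a>
<img src="ftp://whatever//.#./">
"""

if __name__ == "__main__":
    for link in find_reported_links(SAMPLE_PAGE):
        print("flagged:", link)
```
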
This archive was generated by hypermail 2b30 : Sat May 05 2001 - 15:00:48 PDT