Vulnerability affected my old Win95 comp, IE v5.

-/|ristides

--

On Sat, 5 May 2001 11:57:29 Juhani Kataila wrote:
> Worked on my Windows ME, both IE5.0 and IE5.5
>
> - Juhani Kataila
>
> ----- Original Message -----
> From: "Elie Aka Lupin Bursztein" <secuat_private>
> To: <VULN-DEVat_private>
> Sent: Saturday, May 05, 2001 1:34 AM
> Subject: [bug]: Cause IE 5.X to crash
>
>
>> hello,
>> I discovered the following bug last weekend:
>>
>> Synopsis
>> --------------
>>
>> By putting this malformed link on a web page, a malicious
>> user could crash all the IE windows. It also works by passing the link
>> directly into the address field of IE.
>>
>> Affected versions:
>> -----------------------
>>
>> IE 5.5 sp1 for WIN 98 / 98 SE / 2000 / 2000 sp1
>> IE 5.5 for WIN 98 / 98 SE / 2000 / 2000 sp1
>> IE 5.0 for WIN 98 / 98 SE / 2000 / 2000 sp1
>>
>> Not affected:
>>
>> IE 5.0 for Mac
>>
>> Not tested on:
>>
>> Win 95, Win ME
>>
>> The Bug:
>> -------------
>>
>> The following URL crashes IE: "ftp://whatever//.#./"
>>
>>
>> Vendor status
>> ---------------------
>>
>> Microsoft was notified during the week and they have told me that the
>> bug will be fixed in the next Service Pack.
>>
>> Details
>> ----------
>>
>> First, it doesn't work with http://. We can also note that when we put
>> this link in a web page, select it and try to copy the link, we get
>> "ftp://whatever//#./" instead of "ftp://whatever//.#./". Of course
>> "ftp://whatever//#./" crashes IE as well... It is the same for the status
>> bar: we can read "ftp://whatever//#./" instead of "ftp://whatever//.#./".
>> Finally, if you type this URL very slowly in the address field, it also
>> crashes IE. That's why I suppose that IE 4 is not vulnerable to this.
>>
>> I have investigated further and found this:
>>
>> ) it's a call in msieftp.dll that causes the crash. I determined this
>> by using a debugger, according to the following code:
>>
>> 7120B8D3 push dword ptr [ebp+14h]
>> 7120B8D6 call dword ptr ds:[712012D8h] //this is what causes the crash
>> 7120B8DC cmp byte ptr [eax],0
>> 7120B8DF jne 7120B93A
>> 7120B8E1 lea eax,[ebp+8]
>> 7120B8E4 push eax
>> <-- snip -->
>> 7120B93A mov eax,edi
>> 7120B93C pop edi
>> 7120B93D pop esi
>> 7120B93E leave
>> 7120B93F ret 14h
>> 7120B942 push ebp
>> 7120B943 mov ebp,esp
>>
>> It doesn't seem to be exploitable to me, but maybe you will find
>> something.
>>
>>
>> Elie Aka Lupin Bursztein
>> ------------------------------------------------------------------------
>> ICQ : 32228319
>> Web : http://www.bursztein.net
>> "He feel safe, At this very moment he was lost..."
>> ------------------------------------------------------------------------
>>
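Added example, not part of the thread above: a small Python check that flags requests carrying the malformed ftp:// URL shape the report describes when run over proxy log lines. The heuristic (ftp scheme, a doubled slash inside the path, a non-empty fragment) generalises the two variants quoted in the report and is my assumption, as is the constructed log format.

```python
"""Flag proxy-log requests for the malformed ftp:// URL shape from the report.

Constructed detection example; the heuristic and the log format are assumptions,
not something the original report specifies."""
from urllib.parse import urlsplit


def is_malformed_ftp_url(url: str) -> bool:
    """True when the URL matches the shape that crashed msieftp.dll in the report:
    ftp scheme, a doubled slash inside the path, and a non-empty fragment.
    This covers both variants quoted in the thread ("//.#./" and "//#./");
    treating them as one family is an assumption on my part."""
    parts = urlsplit(url)
    # The report states the http:// form does not trigger the crash.
    if parts.scheme.lower() != "ftp":
        return False
    return "//" in parts.path and parts.fragment != ""


def scan_proxy_log(lines):
    """Return (line_number, url) pairs for flagged requests.

    Assumes one whitespace-separated record per line, with the request URL
    being the first field that contains '://' (constructed format)."""
    hits = []
    for n, line in enumerate(lines, 1):
        url = next((tok for tok in line.split() if "://" in tok), None)
        if url and is_malformed_ftp_url(url):
            hits.append((n, url))
    return hits


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2001-05-05T01:34:00 10.0.0.5 GET ftp://whatever//.#./ 200",
    "2001-05-05T01:35:00 10.0.0.5 GET ftp://whatever//#./ 200",
    "2001-05-05T01:36:00 10.0.0.8 GET ftp://whatever/pub/readme.txt 200",
    "2001-05-05T01:37:00 10.0.0.9 GET http://whatever//.#./ 200",
]

if __name__ == "__main__":
    for n, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: malformed ftp URL {url!r}")
```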
This archive was generated by hypermail 2b30 : Sat May 05 2001 - 23:11:11 PDT