Hello,

On my WinME computer only the IE window that is open will crash when going to ftp://whatever//.#./ But when I type in ftp://whatever//.#./ and I backspace the first '.' then all IE windows will close. This problem is also present when I type ftp://whatever//#./ and I add a '.' before the '#'. IE will close before I have pressed the Enter button. I noticed it also worked when I typed this at Start... Run... you don't even have to click 'OK'.

With regards,
Stan a.k.a. ThePike
stanat_private
http://www.whizkunde.org

At 00:34 5-5-2001 +0200, you wrote:
>Hello,
>I discovered the following bug last weekend:
>
>Synopsis
>--------------
>
>By putting this malformed link on a web page a malicious
>user could crash all the IE windows. It also works by passing the link
>directly into the address field of IE.
>
>Affected versions:
>-----------------------
>
>IE 5.5 SP1 for Win 98 / 98 SE / 2000 / 2000 SP1
>IE 5.5 for Win 98 / 98 SE / 2000 / 2000 SP1
>IE 5.0 for Win 98 / 98 SE / 2000 / 2000 SP1
>
>Not affected:
>
>IE 5.0 for Mac
>
>Not tested on:
>
>Win 95, Win ME
>
>The Bug:
>-------------
>
>The following URL crashes IE: "ftp://whatever//.#./"
>
>
>Vendor status
>---------------------
>
>Microsoft has been notified during the week and they have told me that the
>bug will be fixed in the next Service Pack.
>
>Details
>----------
>
>First, it doesn't work with http://. We can also note that when we put
>this link in a web page and we select it and try to copy the link we get
>"ftp://whatever//#./" instead of "ftp://whatever//.#./". Of course
>"ftp://whatever//#./" crashes IE as well... It is the same for the status bar:
>we can read "ftp://whatever//#./" instead of "ftp://whatever//.#./".
>Finally, if you type this URL very slowly in the address field, it also
>crashes IE. That's why I suppose that IE 4 is not vulnerable to this.
>
>I have made more investigation and found out this:
>
>- It's a call in msieftp.dll that causes the crash. I have determined this
>by using a debugger, according to the following code:
>
>7120B8D3 push dword ptr [ebp+14h]
>7120B8D6 call dword ptr ds:[712012D8h] //this is what causes the crash
>7120B8DC cmp byte ptr [eax],0
>7120B8DF jne 7120B93A
>7120B8E1 lea eax,[ebp+8]
>7120B8E4 push eax
><-- snip -->
>7120B93A mov eax,edi
>7120B93C pop edi
>7120B93D pop esi
>7120B93E leave
>7120B93F ret 14h
>7120B942 push ebp
>7120B943 mov ebp,esp
>
>It doesn't seem to be exploitable to me, but maybe you will find
>something.
>
>
>Elie Aka Lupin Bursztein
>------------------------------------------------------------------------
>ICQ : 32228319
>Web : http://www.bursztein.net
>"He feel safe, At this very moment he was lost..."
>------------------------------------------------------------------------
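The Details section above reports that "ftp://whatever//.#./" shows up as "ftp://whatever//#./" in the status bar and on copy, and that both spellings crash IE. The following is an added illustration, written for this archive page and not code from either poster, of how standard RFC 3986 dot-segment removal on the path part alone produces exactly that second spelling while leaving the "./" after the '#' untouched (a fragment is not a path segment). Whether IE 5.x's msieftp.dll normalised the URL this way is an assumption; the thread only reports the two strings. The `REPORTED` list and the helper names are constructed for the example.

```python
"""Added illustration (not code from either poster): RFC 3986 path
normalisation turns the reported "ftp://whatever//.#./" into the
"ftp://whatever//#./" form seen in IE's status bar and on copy.
Assumption: that IE 5.x normalised this way is not established by the
thread, which only reports the two strings."""
from urllib.parse import urlsplit


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 remove_dot_segments, applied to a path only."""
    inp = path
    out: list[str] = []
    while inp:
        if inp.startswith("../"):          # rule A
            inp = inp[3:]
        elif inp.startswith("./"):         # rule A
            inp = inp[2:]
        elif inp.startswith("/./"):        # rule B
            inp = inp[2:]
        elif inp == "/.":                  # rule B (complete segment)
            inp = "/"
        elif inp.startswith("/../"):       # rule C
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":                 # rule C (complete segment)
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):           # rule D
            inp = ""
        else:                              # rule E: move first segment to output
            nxt = inp.find("/", 1) if inp.startswith("/") else inp.find("/")
            if nxt == -1:
                seg, inp = inp, ""
            else:
                seg, inp = inp[:nxt], inp[nxt:]
            out.append(seg)
    return "".join(out)


def normalize_url(url: str) -> str:
    """Split the URL, normalise only the path, and reassemble it.
    The fragment is kept verbatim: "./" after '#' is not a path segment,
    so it survives while the "." segment before '#' collapses."""
    parts = urlsplit(url)
    path = remove_dot_segments(parts.path)
    rebuilt = f"{parts.scheme}://{parts.netloc}{path}"
    if parts.query:
        rebuilt += "?" + parts.query
    if parts.fragment:
        rebuilt += "#" + parts.fragment
    return rebuilt


# The two spellings reported in the thread, as constructed inputs.
REPORTED = ["ftp://whatever//.#./", "ftp://whatever//#./"]


def reported_forms_collapse() -> bool:
    """True if both reported spellings normalise to the same URL."""
    return len({normalize_url(u) for u in REPORTED}) == 1


if __name__ == "__main__":
    for u in REPORTED:
        print(f"{u!r:28} -> {normalize_url(u)!r}")
```

The practical point for anyone filtering links at a proxy or mail gateway: a rule that matches the literal string from the advisory misses the other spelling, whereas normalising the path first makes the two forms compare equal. Which other path and fragment combinations trigger the same crash is not established by the thread, so the example claims nothing beyond the two reported strings.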
This archive was generated by hypermail 2b30 : Sun May 06 2001 - 08:03:03 PDT