NOT Vulnerable on IE 5.5 SP1 (no hotfixes) on WinNT 4 SP5. Nope, not even the tiniest glitch. If a valid FTP address is put in place of "whatever" it simply displays the FTP root in the browser window. Running ftp://whatever/.#./ from Start/Run launches IE, and displays "cannot Find Server" with ftp://whatever// in the address bar. Hope this helps! :) Tim. -----Original Message----- From: Elie Aka Lupin Bursztein [mailto:secuat_private] Sent: Saturday, 5 May 2001 8:35 To: VULN-DEVat_private Subject: [bug]: Cause IE 5.X to crash hello, I have discover the last week end the following bug : Synopsis -------------- By putting this malformed link on a web page a malicious user could crash all the IE windows. It also work by passing the link directly into the address field of IE. Affected version : ----------------------- IE 5.5 sp1 for WIN 98 / 98 SE /2000 / 2000 sp1 IE 5.5 for WIN 98 / 98 SE /2000 / 2000 sp1 IE 5.0 for WIN 98 / 98 SE /2000 / 2000 sp1 not affected IE 5.0 For Mac not tested on : Win 95 , Win ME The Bug : ------------- the following url Crash IE : "ftp://whatever//.#./" Vendor status --------------------- Microsoft has been notice during the week and they have told me that the bug will be fix in the next Service pack. Details ---------- First it doesn't work with http:// . We could also notify that when we put this link in a web page and we select it and trie to copy the link we get "ftp://whatever//#./" instead of "ftp://whatever//.#./" . Of course "ftp://whatever//#./" crash IE as well... It is the same for the status bar : we could read "ftp://whatever//#./" instead of "ftp://whatever//.#./" . Finally if you tape very slowly in the address field this url, It crash also IE, That's why i suppose that IE 4 is not vulnerable to this. I have make more investigation and find out this : ) it's a call of msieftp.dll who cause the crash. i have determine this by using a debugger according to the following code : 7120B8D3 push dword ptr [ebp+14h] 7120B8D6 call dword ptr ds:[712012D8h] //this is what cause the crash 7120B8DC cmp byte ptr [eax],0 7120B8DF jne 7120B93A 7120B8E1 lea eax,[ebp+8] 7120B8E4 push eax <--snipe --> 7120B93A mov eax,edi 7120B93C pop edi 7120B93D pop esi 7120B93E leave 7120B93F ret 14h 7120B942 push ebp 7120B943 mov ebp,esp It doesn't seems to been exploitable to me, but may be you will find something. Elie Aka Lupin Bursztein ------------------------------------------------------------------------ ICQ : 32228319 Web : http://www.bursztein.net "He feel safe, At this very moment he was lost..." ------------------------------------------------------------------------ ================================================================== De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. ================================================================== The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail. ==================================================================
This archive was generated by hypermail 2b30 : Sun May 06 2001 - 18:06:05 PDT