IE 5.5 SP1 on NT4 SP6 .. no crash. Entered ftp://... in the location bar and
created a page with an ftp:/... link. In both cases IE did not crash, it just
appeared to take a while to look up the hostname. Change the URL to
ftp://1.2.3.4/.#./ where 1.2.3.4 is an anon FTP server on our LAN, and IE
dutifully connects and retrieves the contents of the root dir of the FTP
server.

>>> Arthur Barton <arthurbat_private> 7/5/01 11:49:54 am >>>
Win98 4.10.1998
IE 6.00.2462.0000

start -> run -> ftp://whatever//.#. -> enter
or
start -> run -> ftp.whatever//.#. -> enter
causes iexplore.exe to crash

location bar -> ftp://whatever//.#. -> enter
or
location bar -> ftp.whatever//.#. -> enter
in either explorer.exe or iexplore.exe causes either to crash

ftp://ftp.valid.ftp.server//.#. -> enter
also causes a crash

<meta http-equiv="refresh" content="0; URL=ftp://whatever//.#.">
all running instances of iexplore.exe crash

#!/usr/bin/perl
print "Location: ftp://whatever//.#.\n\n";
results in "Cannot find server"

hmm. hth..

At 08:07 7/05/01 +0800, Uidam, T (Tim) wrote:
>NOT Vulnerable on IE 5.5 SP1 (no hotfixes) on WinNT 4 SP5.
>
>Nope, not even the tiniest glitch. If a valid FTP address is put in place of
>"whatever" it simply displays the FTP root in the browser window.
>
>Running ftp://whatever/.#./ from Start/Run launches IE, and displays "cannot
>Find Server" with ftp://whatever// in the address bar.
>
>
>Hope this helps! :)
>
>Tim.
>
>-----Original Message-----
>From: Elie Aka Lupin Bursztein [mailto:secuat_private]
>Sent: Saturday, 5 May 2001 8:35
>To: VULN-DEVat_private
>Subject: [bug]: Cause IE 5.X to crash
>
>
>hello,
>I discovered the following bug last weekend:
>
>Synopsis
>--------------
>
>By putting this malformed link on a web page a malicious
>user could crash all the IE windows. It also works by passing the link
>directly into the address field of IE.
>
>Affected versions:
>-----------------------
>
>IE 5.5 SP1 for Win 98 / 98 SE / 2000 / 2000 SP1
>IE 5.5 for Win 98 / 98 SE / 2000 / 2000 SP1
>IE 5.0 for Win 98 / 98 SE / 2000 / 2000 SP1
>
>Not affected:
>
>IE 5.0 for Mac
>
>Not tested on:
>
>Win 95, Win ME
>
>The Bug:
>-------------
>
>The following URL crashes IE: "ftp://whatever//.#./"
>
>
>Vendor status
>---------------------
>
>Microsoft has been notified during the week and they have told me that the
>bug will be fixed in the next Service Pack.
>
>Details
>----------
>
>First, it doesn't work with http://. We can also note that when we put
>this link in a web page, select it and try to copy the link, we get
>"ftp://whatever//#./" instead of "ftp://whatever//.#./". Of course
>"ftp://whatever//#./" crashes IE as well. It is the same for the status bar:
>we read "ftp://whatever//#./" instead of "ftp://whatever//.#./".
>Finally, if you type this URL very slowly into the address field, it also
>crashes IE. That's why I suppose that IE 4 is not vulnerable to this.
>
>I have made more investigation and found out this:
>
>) It's a call in msieftp.dll that causes the crash. I determined this
>by using a debugger, according to the following code:
>
>7120B8D3 push dword ptr [ebp+14h]
>7120B8D6 call dword ptr ds:[712012D8h] //this is what causes the crash
>7120B8DC cmp byte ptr [eax],0
>7120B8DF jne 7120B93A
>7120B8E1 lea eax,[ebp+8]
>7120B8E4 push eax
><--snip-->
>7120B93A mov eax,edi
>7120B93C pop edi
>7120B93D pop esi
>7120B93E leave
>7120B93F ret 14h
>7120B942 push ebp
>7120B943 mov ebp,esp
>
>It doesn't seem to be exploitable to me, but maybe you will find
>something.
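An added example, not from any message in this thread, that shows with Python's urllib.parse and a literal RFC 3986 dot-segment removal why the copied link reads ftp://whatever//#./ and the address bar shows ftp://whatever//: in ftp://whatever//.#./ the path is "//." (an empty segment followed by a dot segment) and "./" is a fragment. The looks_like_reported_shape heuristic is my own, for spotting this URL shape in proxy logs; it is not something the thread describes.

```python
from urllib.parse import urlsplit, urlunsplit


def remove_dot_segments(path: str) -> str:
    """Literal RFC 3986 section 5.2.4 dot-segment removal."""
    out = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./"):
            path = path[2:]
        elif path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../") or path == "/..":
            path = "/" + path[4:]
            if out:
                out.pop()
        elif path in (".", ".."):
            path = ""
        else:
            # move the first segment, with its leading "/", to the output
            start = 1 if path.startswith("/") else 0
            nxt = path.find("/", start)
            nxt = len(path) if nxt == -1 else nxt
            out.append(path[:nxt])
            path = path[nxt:]
    return "".join(out)


def normalize(url: str, keep_fragment: bool = True) -> str:
    """Split the URL as a generic parser would, then normalize its path.
    With keep_fragment=False this mimics an address bar that drops "#...". """
    p = urlsplit(url)
    frag = p.fragment if keep_fragment else ""
    return urlunsplit((p.scheme, p.netloc, remove_dot_segments(p.path), p.query, frag))


def looks_like_reported_shape(url: str) -> bool:
    """Heuristic (my own, not from the thread): an ftp URL whose path starts
    with an empty segment ("//") and that carries a fragment, which FTP never uses."""
    p = urlsplit(url)
    return p.scheme == "ftp" and p.path.startswith("//") and p.fragment != ""


if __name__ == "__main__":
    for u in ("ftp://whatever//.#./", "ftp://1.2.3.4/.#./"):  # constructed inputs from the thread
        print(u, "->", normalize(u), "| address bar:", normalize(u, False),
              "| reported shape:", looks_like_reported_shape(u))
```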
This archive was generated by hypermail 2b30 : Mon May 07 2001 - 16:08:13 PDT