Today 25/5/2001 I discovered a buffer overflow in an old IE v5.00.2314.1003 that I have at the office. I don't know if it exists on other versions of IE too, or with other languages; please let me know if it does.

If you put a long url (I used 2.041 chars) using Greek characters in the "http://", "about:" or "gopher://" scheme, for example:

about:ááááááááááááááááááááááááá[2.041 GREEK CHARS]âââââââââââââââââââá
http://\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\[2.041 GREEK CHARS]äááá
gopher://\\\\\\\\\\\\\\\\\\[2.041 GREEK CHARS]ááääääääääääääóóóóóóóååå

then IE crashes with the following error:

============================================================================
IEXPLORE caused an invalid page fault in module BROWSEUI.DLL at 015f:710283c0.
Registers:
EAX=cececece CS=015f EIP=710283c0 EFLGS=00010282
EBX=00000000 SS=0167 ESP=0058a054 EBP=0058bce0
ECX=817364ec DS=0167 ESI=0058b8d0 FS=3897
EDX=00000000 ES=0167 EDI=00000000 GS=0000
Bytes at CS:EIP:
ff 70 08 ff 75 0c ff 15 a0 14 02 71 89 5d f8 8d
Stack dump:
cececece 00421464 00420858 00000000 00620061 0075006f 003a0074 00b100ce
00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce
============================================================================

And after that: "There was an internal error and one of the windows you were using will be closed. It is recommended that you save your work, close all programs and then restart your computer." And IE closes. However, only the active IE window shuts down.

The problem does not happen if you use English; please let me know about other languages.

============================================================================

I don't know why, but "ftp://" is not vulnerable... I've tested it a lot of times....

=======================================================================
Discovered by: Andreas Constantinides (MegaHz)
Administrator of: cHp - http://www.cyhackportal.com
megahzat_private
=======================================================================
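A small triage helper for the crash text above, added here as an example and not part of the original post: it parses the Windows 9x "invalid page fault" report, flags any 32-bit register whose whole value is one repeated byte (EAX=cececece) as likely overwritten by input data, and decodes the stack dump as little-endian UTF-16 so the "about:" prefix and the repeated 16-bit code units behind it become readable. The sample input is the report quoted in the post; no other facts are assumed.

```python
import re
import struct

# The "invalid page fault" text quoted in the post above, embedded here as the sample input.
CRASH_REPORT = """IEXPLORE caused an invalid page fault in module BROWSEUI.DLL at 015f:710283c0.
Registers:
EAX=cececece CS=015f EIP=710283c0 EFLGS=00010282
EBX=00000000 SS=0167 ESP=0058a054 EBP=0058bce0
ECX=817364ec DS=0167 ESI=0058b8d0 FS=3897
EDX=00000000 ES=0167 EDI=00000000 GS=0000
Bytes at CS:EIP:
ff 70 08 ff 75 0c ff 15 a0 14 02 71 89 5d f8 8d
Stack dump:
cececece 00421464 00420858 00000000 00620061 0075006f 003a0074 00b100ce
00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce
"""

HEADER_RE = re.compile(r"(\w+) caused an invalid page fault in module (\S+) at [0-9a-f]{4}:([0-9a-f]{8})", re.I)
REG_RE = re.compile(r"\b([A-Z]{2,5})=([0-9a-f]{4,8})\b")

def parse_crash_report(text):
    """Split a Windows 9x fault report into process, module, faulting EIP, registers and stack words."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not an 'invalid page fault' report")
    regs, stack, section = {}, [], None
    for line in text.splitlines():
        if line.startswith("Registers:"):
            section = "regs"
        elif line.startswith("Stack dump:"):
            section = "stack"
        elif section == "regs":  # the 'Bytes at CS:EIP' lines contain no '=' and are skipped
            regs.update((k, int(v, 16)) for k, v in REG_RE.findall(line))
        elif section == "stack":
            stack.extend(int(w, 16) for w in line.split())
    return {"process": m.group(1), "module": m.group(2), "fault_eip": int(m.group(3), 16), "regs": regs, "stack": stack}

def repeated_byte(value):
    """Return the byte if a 32-bit value is one byte repeated four times (e.g. 0xcececece), else None."""
    b = value & 0xFF
    return b if value and value == b * 0x01010101 else None

def suspicious_registers(report):
    """32-bit registers whose whole value is one repeated byte: a sign they were overwritten by input data."""
    return {n: repeated_byte(v) for n, v in report["regs"].items() if v > 0xFFFF and repeated_byte(v) is not None}

def stack_as_utf16(report):
    """Decode the stack words as little-endian UTF-16, the way a wide-character URL buffer is stored."""
    raw = b"".join(struct.pack("<I", w) for w in report["stack"])
    return raw.decode("utf-16-le", errors="replace")
```

Running `suspicious_registers` on the report flags only EAX, and `stack_as_utf16` shows the stack ending in "about:" followed by nine copies of the two code units U+00CE U+00B1.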
This archive was generated by hypermail 2b30 : Sat May 26 2001 - 13:33:44 PDT