MS Internet Explorer URL buffer overflow using Greek characters.

From: MegaHz (costconat_private)
Date: Sat May 26 2001 - 00:28:00 PDT


    Today, 25/5/2001, I discovered a buffer overflow in an old IE v5.00.2314.1003
    I have at the office. I don't know if it exists in other versions of IE too,
    or with other languages; please let me know if it does.
    
    If you put a long URL (I used 2,041 chars) made up of Greek characters after
    "http://", "about:" or "gopher://":
    
    
    For example:
    about:αααααααααααααααααααααααα[2,041 GREEK CHARS]βββββββββββββββββββββα
    
    http://\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\[2,041 GREEK CHARS]δααα
    
    gopher://\\\\\\\\\\\\\\\\\\[2,041 GREEK CHARS]ααδδδδδδδδδδδδσσσσσσσεεε
    
    
    Then IE crashes with the following error:
    ============================================================================
    
    IEXPLORE caused an invalid page fault in
    module BROWSEUI.DLL at 015f:710283c0.
    Registers:
    EAX=cececece CS=015f EIP=710283c0 EFLGS=00010282
    EBX=00000000 SS=0167 ESP=0058a054 EBP=0058bce0
    ECX=817364ec DS=0167 ESI=0058b8d0 FS=3897
    EDX=00000000 ES=0167 EDI=00000000 GS=0000
    Bytes at CS:EIP:
    ff 70 08 ff 75 0c ff 15 a0 14 02 71 89 5d f8 8d
    Stack dump:
    cececece 00421464 00420858 00000000 00620061 0075006f 003a0074 00b100ce
    00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce
    
    ============================================================================
    
    And after that:
    "There was an internal error and one of the windows you were using will be
    closed. It is recommended that you save your work, close all programs and
    then restart your computer."
    
    And IE closes.
    However only the active IE window shuts down.
    
    The problem does not happen if you use English; please let me know about
    other languages.
    
    ============================================================================
    I don't know why, but "ftp://" is not vulnerable...
    
    I've tested it a lot of times....
    
    =======================================================================
    Discovered by:     Andreas Constantinides (MegaHz)
                                Administrator of:
                                cHp - http://www.cyhackportal.com
                                megahzat_private
    =======================================================================
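Two observations in the post are worth lining up: ASCII input does not trigger the fault, and EAX (and the top of the stack) is filled with 0xCE, which is exactly the UTF-8 lead byte of every lowercase Greek letter from alpha to omicron (U+03B1..U+03BF). One classic pattern that produces both symptoms is a fixed-size buffer whose bounds check counts input characters in a single-byte code page, after which the string is re-encoded as UTF-8 and every Greek letter doubles in size. The post does not establish that this is the root cause in BROWSEUI.DLL, so the following is an added illustration of that general pattern, written for this page and not code from IE or from the original author. The `encode_unchecked`/`encode_checked` functions and the canary harness are hypothetical names chosen here; the Windows-1253 to UTF-8 mapping for 0xE1..0xF9 is the real one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Windows-1253 (Greek) is a single-byte code page: 0xE1..0xF9 are the lowercase
 * letters alpha..omega, mapped linearly to U+03B1..U+03C9.  UTF-8 needs two bytes
 * for each of them, with lead byte 0xCE (alpha..omicron) or 0xCF (pi..omega).
 * ASCII passes through unchanged; anything else is rejected to keep this small. */
static int cp1253_to_utf8_char(unsigned char c, unsigned char out[2])
{
    if (c < 0x80) { out[0] = c; return 1; }
    if (c >= 0xE1 && c <= 0xF9) {
        unsigned cp = 0x03B1u + (c - 0xE1u);
        out[0] = (unsigned char)(0xC0u | (cp >> 6));
        out[1] = (unsigned char)(0x80u | (cp & 0x3Fu));
        return 2;
    }
    return -1;
}

/* Bytes the UTF-8 form of src[0..n) needs, excluding the terminating NUL. */
size_t utf8_len(const unsigned char *src, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char tmp[2];
        int k = cp1253_to_utf8_char(src[i], tmp);
        total += (k < 0) ? 0 : (size_t)k;
    }
    return total;
}

/* Vulnerable (hypothetical): the length check counts input *characters*, not
 * output *bytes*.  ASCII (1 byte -> 1 byte) never overflows; Greek (1 -> 2)
 * writes up to 2n+1 bytes into a buffer the check only sized for n+1. */
int encode_unchecked(const unsigned char *src, size_t n,
                     unsigned char *dst, size_t dst_size)
{
    if (n >= dst_size) return -1;          /* wrong unit: chars, not bytes */
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char tmp[2];
        int k = cp1253_to_utf8_char(src[i], tmp);
        if (k < 0) return -1;
        memcpy(dst + o, tmp, (size_t)k);    /* no per-write bound */
        o += (size_t)k;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Hardened: bound every write by the remaining *output* space, keeping room
 * for the NUL.  Returns -1 instead of overrunning when the encoded form grows. */
int encode_checked(const unsigned char *src, size_t n,
                   unsigned char *dst, size_t dst_size)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char tmp[2];
        int k = cp1253_to_utf8_char(src[i], tmp);
        if (k < 0 || o + (size_t)k >= dst_size) return -1;
        memcpy(dst + o, tmp, (size_t)k);
        o += (size_t)k;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Harness: a buf_size-byte "URL buffer" followed, inside the same allocation,
 * by a 0xAA canary region, so the overrun is observable without undefined
 * behaviour.  Returns how many canary bytes encode_unchecked() clobbered. */
size_t demo_overflow_bytes(unsigned char fill, size_t n, size_t buf_size)
{
    size_t slack = 2 * n + 1;              /* worst-case overrun of the vulnerable path */
    unsigned char *block = malloc(buf_size + slack);
    if (!block) return 0;
    unsigned char *src = malloc(n);        /* constructed input: n copies of 'fill' */
    if (!src) { free(block); return 0; }
    memset(src, fill, n);
    memset(block, 0, buf_size);
    memset(block + buf_size, 0xAA, slack); /* canary */
    encode_unchecked(src, n, block, buf_size);
    size_t clobbered = 0;
    for (size_t i = 0; i < slack; i++)
        if (block[buf_size + i] != 0xAA) clobbered++;
    free(src);
    free(block);
    return clobbered;
}

int main(void)
{
    printf("30 ASCII 'a' into a 32-byte buffer: %zu canary bytes clobbered\n",
           demo_overflow_bytes('a', 30, 32));
    printf("30 Greek alpha (cp1253 0xE1) into a 32-byte buffer: %zu canary bytes clobbered\n",
           demo_overflow_bytes(0xE1, 30, 32));
    return 0;
}
```

Run as-is, the ASCII case leaves the canary intact while the Greek case overruns it with alternating 0xCE/0xB1 bytes; the same input passed through `encode_checked` is rejected instead. When triaging a crash like the one in the post, the practical check is to compare the byte length of the URL in the input code page against its length after each conversion (UTF-8, UTF-16) that the browser performs, and to look for a buffer that was sized from the wrong one.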
    



    This archive was generated by hypermail 2b30 : Sat May 26 2001 - 13:33:44 PDT