MS Internet Exprorer URL buffer overflow using Greek characters.

From: MegaHz (costconat_private)
Date: Sat May 26 2001 - 00:28:00 PDT

Next message: Doru Petrescu: "Re: problem with C and Gcc 2.95.3"

Previous message: Yuri Polyansky: "Re: problem with C and Gcc 2.95.3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Today 25/5/2001 I discovered a buffer overflow in an old IE v5.00.2314.1003,
I have at the office, don't know if it exists on other versions of IE too,
or with other languages, please let me know if it does.

If you put a long url (I used 2.041 chars) using greek characters, in the
"http://", "about:", "gopher://".


For example:
about:ááááááááááááááááááááááááá[2.041 GREEK CHARS]âââââââââââââââââââá

http://\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\[2.041 GREEK CHARS]äááá

gopher://\\\\\\\\\\\\\\\\\\[2.041 GREEK CHARS]ááääääääääääääóóóóóóóååå


Then IE crashes with the following error:
============================================================================

IEXPLORE caused an invalid page fault in
module BROWSEUI.DLL at 015f:710283c0.
Registers:
EAX=cececece CS=015f EIP=710283c0 EFLGS=00010282
EBX=00000000 SS=0167 ESP=0058a054 EBP=0058bce0
ECX=817364ec DS=0167 ESI=0058b8d0 FS=3897
EDX=00000000 ES=0167 EDI=00000000 GS=0000
Bytes at CS:EIP:
ff 70 08 ff 75 0c ff 15 a0 14 02 71 89 5d f8 8d
Stack dump:
cececece 00421464 00420858 00000000 00620061 0075006f 003a0074 00b100ce
00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce 00b100ce

============================================================================

And after that:
"There was an internal error and one of the windows you were using will be
closed it is recommended that you save your work, close all programs and
then restart your computer."

And IE closes.
However only the active IE window shuts down.

The problem does not happens if you use english, please let me know about
other languages.

============================================================================
I don't know why, but "ftp://" is not vulnerable...





I've tested it a lot of times....



=======================================================================
Discovered by:     Andreas Constantinides (MegaHz)
                            Administrator of:
                            cHp - http://www.cyhackportal.com
                            megahzat_private
=======================================================================

Next message: Doru Petrescu: "Re: problem with C and Gcc 2.95.3"
Previous message: Yuri Polyansky: "Re: problem with C and Gcc 2.95.3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat May 26 2001 - 13:33:44 PDT