Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: .MHT Buffer Overflow in Internet Explorer
From: Jouko Pynnonen <jouko () solutions fi>
Date: Wed, 12 Mar 2003 00:05:55 +0200 (EET)




On 10 Mar 2003, Tom Tanaka wrote:

CANON SYSTEM SOLUTIONS INC. Security Alert

VULNERABILITY:.MHT Buffer Overflow in Internet Explorer

DATE FOUND:March 2, 2003

Severity:High Risk(code can be executed remotely) 


[snip]


The following error will occur when the above file is browsed by IE5.

Unhandled exception in iexplore.exe: 0xC0000005: Access Violation.



By debugging through the crash dump, the exception error is generated at 
the EIP(32-bit Instruction Pointer)=74CF497E called from inetcomm.dll to 
Kernel32.

Register
EAX = 00000000 EBX = 05AD3A20 ECX = 001FE074 EDX = 001FE190 
ESI = 05AD39D8 EDI = 00000000 [EIP = 74CF497E] ESP = 0607B2BC 
EBP = 0607B2FC EFL = 00000246


[snip]


74cf497b 8b461c             mov     eax,dword ptr [esi+1c]
74cf497e 8b08               mov     ecx,dword ptr [eax] //Exception




At first glance, doesn't this look like a null pointer reference bug 
rather than a buffer overflow? The message didn't (clearly) specify which 
four bytes of memory the attacker could overwrite and how it would be 
possible to gain control of the program flow. Since you have classified 
this as critical, perhaps you could clarify these points? Does there 
exist a working exploit which does something else than crash IE? Thanks,




-- 
Jouko Pynnonen          Online Solutions Ltd      Secure your Linux -
jouko () solutions fi                                http://www.secmod.com



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault