Vulnerability Development: Re: [bug]: Cause IE 5.X to crash

Re: [bug]: Cause IE 5.X to crash

From: Arthur Barton <arthurb_at_DOCUMENTA.COM.AU>
Date: Mon, 7 May 2001 11:49:54 +1000

Win98 4.10.1998
ie 6.00.2462.0000

start -> run -> ftp://whatever//.#. -> enter
or
start -> run -> ftp.whatever//.#. -> enter
causes iexplore.exe to crash

location bar -> ftp://whatever//.#. -> enter
or
location bar -> ftp.whatever//.#. -> enter
in either explorer.exe or iexplore.exe causes either to crash

ftp://ftp.valid.ftp.server//.#. -> enter
also causes a crash

<meta http-equiv="refresh" content="0; URL=ftp://whatever//.#.">
all running instances of iexplore.exe crash

#!/usr/bin/perl
print "Location: ftp://whatever//.#.\n\n";
results in "Cannot find server"

hmm.
hth..

At 08:07 7/05/01 +0800, Uidam, T (Tim) wrote:
>NOT Vulnerable on IE 5.5 SP1 (no hotfixes) on WinNT 4 SP5.
>
>Nope, not even the tiniest glitch. If a valid FTP address is put in place of
>"whatever" it simply displays the FTP root in the browser window.
>
>Running ftp://whatever/.#./ from Start/Run launches IE, and displays "cannot
>Find Server" with ftp://whatever// in the address bar.
>
>
>Hope this helps! :)
>
>Tim.
>
>-----Original Message-----
>From: Elie Aka Lupin Bursztein [mailto:secu_at_BURSZTEIN.NET]
>Sent: Saturday, 5 May 2001 8:35
>To: VULN-DEV_at_SECURITYFOCUS.COM
>Subject: [bug]: Cause IE 5.X to crash
>
>
>hello,
>I discovered the following bug last weekend:
>
>Synopsis
>--------------
>
>By putting this malformed link on a web page, a malicious
>user could crash all the IE windows. It also works by passing the link
>directly into the address field of IE.
>
>Affected versions:
>-----------------------
>
>IE 5.5 sp1 for WIN 98 / 98 SE /2000 / 2000 sp1
>IE 5.5 for WIN 98 / 98 SE /2000 / 2000 sp1
>IE 5.0 for WIN 98 / 98 SE /2000 / 2000 sp1
>
>not affected
>
>IE 5.0 For Mac
>
>not tested on :
>
>Win 95 , Win ME
>
>The Bug :
>-------------
>
>The following URL crashes IE: "ftp://whatever//.#./"
>
>
>Vendor status
>---------------------
>
>Microsoft was notified during the week and they have told me that the
>bug will be fixed in the next Service Pack.
>
>Details
>----------
>
>First, it doesn't work with http://. We can also note that when we put
>this link in a web page, select it and try to copy the link, we get
>"ftp://whatever//#./" instead of "ftp://whatever//.#./". Of course
>"ftp://whatever//#./" crashes IE as well... It is the same for the status
>bar: we read "ftp://whatever//#./" instead of "ftp://whatever//.#./".
>Finally, if you type this URL very slowly in the address field, it also
>crashes IE. That's why I suppose that IE 4 is not vulnerable to this.
>
>I have done more investigation and found out this:
>
>) It's a call of msieftp.dll that causes the crash. I have determined this
>by using a debugger,
>according to the following code:
>
>7120B8D3 push dword ptr [ebp+14h]
>7120B8D6 call dword ptr ds:[712012D8h] //this is what causes the crash
>7120B8DC cmp byte ptr [eax],0
>7120B8DF jne 7120B93A
>7120B8E1 lea eax,[ebp+8]
>7120B8E4 push eax
><-- snip -->
>7120B93A mov eax,edi
>7120B93C pop edi
>7120B93D pop esi
>7120B93E leave
>7120B93F ret 14h
>7120B942 push ebp
>7120B943 mov ebp,esp
>
>It doesn't seem to be exploitable to me, but maybe you will find
>something.
Received on May 07 2001
