Re: DoS - Microsoft Internet Explorer 6.0 SP1 OBJECT tag bug

["Matthew Murphy" <mattmurphy () kc rr com>]

> Hi,
>
> I have uncovered a bug in IE:
>
> *Description*
> Microsoft Internet Explorer 6.0 (other versions not tested) is vulnerable
> to a DoS when specially crafted html is present on a page.  The
> vulnerability is in the processing of the OBJECT tag where the data
attribute
> points to the same page as object tag.  This causes IE's stack to
overflow.

[snip]

This is so old it's not even funny.  I discovered this about a year ago
(4/20/2002), and posted it.  Then, doing additional research, I discovered
it had already been found by several others before me.  You don't even have
to make it as advanced as you did.  Just doing this:

<OBJECT TYPE="text/html" DATA="#" />

Is more than sufficient.  Windows 2000 SP3 (and, possibly, Windows XP SP1)
includes a patch for a particularly interesting variant on this.  By
specially crafting a desktop.ini and folder.htt pair on a network-accessible
share, it is possible to cause the Windows Shell to infinite loop, denying
service to the system.  This is because of the crash impact mitigation in
Windows explorer since 98.  If Explorer dies, it is immediately restarted --
with all the old folders open.  When it parses the folder template, it
crashes again... the cycle continues.  MSRC refused to patch the bug at its
source, and instead created a warning in Win2KSP3 that warns before allowing
the shell to parse .HTT's over a network share.  How lame. :-(

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html