Bugtraq mailing list archives

Internet Explorer 5.0 & AOL Instant Messenger 3.x (latest version) Bug forcing Win98 to crash remotely


From: webmaster () DOC2000 DE (webmaster)
Date: Thu, 23 Sep 1999 00:53:00 +0200


Internet Explorer 5.0 & AOL Instant Messenger 3.x (latest version) Bug
forcing Win98 to crash remotely

Description:

The US version of Internet Explorer 5.0 does not know German characters like
"ü", "ö", "ä". When you move your mouse pointer over a link containing
such characters in its URL, your mouse pointer will not become a pointing hand.
That is the reason why IE5 will not try to load that website. But since AOL
Instant Messenger is capable of HTML, when you insert a link like that, IE5
will be given the URL as a parameter and will not be able to interpret it. This
makes AIM eat up all available memory and makes Win98's VMM and TCP VxD
crash by buffer-overflowing it with the non-interpretable URL string.

Problem:

AIM probably uses a line similar to this for loading a URL:

ShellExecute( 0, "open", "http://www.yourdomain.com", NULL, NULL, SW_NORMAL );

The problem is that AIM does not check for

1) length

2) Although it asks you about "illegal characters", it permits you to use
them. But because IE cannot interpret them (as AIM does, using the URL as a
StringVar), it fails and this results in a system crash.

For demonstration and FULL details visit :
http://www.doc2000.de/ie5_bug.htm

Contact at: webmaster () doc2000 de
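
The two checks the post says are missing (length and illegal characters), sketched as an added example that is not part of the original post and not AIM's code: a validator a client could run on a URL before handing it to a launcher such as ShellExecute. The name sanitize_url, the 2048-byte limit and the rejected-character set are assumptions of this example; it percent-encodes raw non-ASCII bytes and does no IDNA conversion of host names.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limit for this example; the post names no specific bound. */
#define MAX_LAUNCH_URL 2048

enum { URL_OK = 0, URL_TOO_LONG = -1, URL_BAD_SCHEME = -2, URL_BAD_CHAR = -3 };

/*
 * Validate `in` and write a launch-safe copy to `out` (capacity `outcap`).
 * - rejects input longer than MAX_LAUNCH_URL, or output that would not fit
 * - accepts only lowercase http:// and https:// prefixes
 * - rejects control characters, spaces, double quotes and angle brackets
 * - percent-encodes every byte >= 0x80 (such as Latin-1 "ü" = 0xFC)
 * On any rejection `out` is left as an empty string.
 */
int sanitize_url(const char *in, char *out, size_t outcap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n, i, o = 0;

    if (in == NULL || out == NULL || outcap == 0)
        return URL_BAD_CHAR;
    out[0] = '\0';
    /* Bounded length scan: stop at the limit instead of trusting the input. */
    for (n = 0; in[n] != '\0'; n++)
        if (n >= MAX_LAUNCH_URL)
            return URL_TOO_LONG;
    if (strncmp(in, "http://", 7) != 0 && strncmp(in, "https://", 8) != 0)
        return URL_BAD_SCHEME;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c <= 0x20 || c == 0x7F || c == '"' || c == '<' || c == '>') {
            out[0] = '\0';
            return URL_BAD_CHAR;
        }
        /* Always keep one byte free for the terminating NUL. */
        if (o + (c >= 0x80 ? 3 : 1) >= outcap) {
            out[0] = '\0';
            return URL_TOO_LONG;
        }
        if (c >= 0x80) {            /* non-ASCII byte becomes %XX */
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return URL_OK;
}
```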

