Bugtraq mailing list archives

Re: Small bug crashes OE


From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Wed, 11 Sep 2002 12:11:12 +0200

Outlook Express (version 6.00.2600.0000) is vulnerable, the bug is in
mshtml.dll (version 6.0.2719.2200)
This looks like a unicode off-by-one: The code puts a unicode 0 behind the
href to terminate the string. The buffer for href is limited to 8192 bytes,
4096 unicode chars. This 0 is put behind the last char to terminate causing
a word after the buffer to be overwritten with 0x0000. This word is part of
a saved ebp. When ebp is popped off the stack, the least significant two
bytes have been overwritten with 0, later on eax is set to "ebp-8" and this
causes an exception:
635ddb9f 8908             mov     [eax],ecx         ([0005fff8]=????????)
The only thing you can accomplish with this is to partially overwrite ebp, it
does not seem exploitable other than a DoS to me.

SkyLined

----- Original Message -----
From: Kilian CAVALOTTI
To: Raistlin ; BugTraq
Sent: Tuesday, September 10, 2002 6:19
Subject: Re: Small bug crashes OE


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Raistlin wrote:
It's not difficult to exploit this vuln. Please find enclosed a
simple e-mail which should crash the mailer. Let me know if this does
not happen on international versions, or with strange patches
applied.

Hi !

It does not affect my system (Windows XP SP1 build
2600.xpsp1.020828-1920 - IE6 SP1 6.0.2600.1106.xpsp1.020828-1920). I can
simply open the example message you provide, edit its source, preview
it, and send it, with no problem at all: no freeze, no hang up, no slow
down, no crash.

Seems to be more of an OS-related problem than a browser one.

HTH,

- --
Kilian CAVALOTTI | GPGKeyId: 0xD657340C
BOFH excuse #165:
Backbone Scoliosis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.1.91 (MingW32) - GPGrelay v0.893

iD8DBQE9fXLR9H8pBNZXNAwRAssyAJ9zwXFDgvdg5G2mqXp5BD4Sx2ZmjwCfSs70
Kj8sQor6i+MUZBmp5pdM1vU=
=hIsR
-----END PGP SIGNATURE-----
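The off-by-one that SkyLined describes at the top of the thread (a 4096-code-unit href buffer, a terminating 0 written one word past its end, the low word of a saved ebp zeroed, then a fault at ebp-8) can be modelled in a few lines of C. The example below is added here and is not code from the post or from mshtml.dll: the buffer sizes are the ones the post states, but the memory layout, the function names `copy_href_buggy`, `copy_href_fixed`, `saved_ebp_clobbered` and `ebp_minus_8_after_clobber`, and the sentinel values are constructed for illustration. It places the buffer and a stand-in for the saved ebp in one flat array so the one-past-the-end write stays inside memory the program owns, shows the length check that leaves no room for the terminator beside the corrected check, and reproduces the reported fault address from the arithmetic in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the layout the post describes: an 8192-byte href
 * buffer (4096 UTF-16 code units) with the saved frame pointer stored right
 * after it. The sizes come from the post; the layout, names and sentinel
 * values are assumptions for illustration, not taken from mshtml.dll. */
#define HREF_BUF_BYTES 8192u
#define HREF_BUF_CHARS (HREF_BUF_BYTES / 2u)   /* 4096 code units */

/* One flat array so the write one past the buffer still lands inside an
 * object we own (no undefined behaviour in the demo). Index HREF_BUF_CHARS
 * stands in for the low word of the saved ebp, the next index for the high word. */
#define SAVED_EBP_LOW  HREF_BUF_CHARS
#define MODEL_WORDS    (HREF_BUF_CHARS + 2u)

#define SAVED_EBP_LOW_SENTINEL  0x1234u
#define SAVED_EBP_HIGH_SENTINEL 0x0006u

typedef void (*href_copy_fn)(uint16_t *dst, const uint16_t *src, size_t len);

/* Bug pattern: the length check allows a full 4096 code units, then the
 * terminating 0 is written at index len, which is one past the end whenever
 * the input fills the buffer. */
static void copy_href_buggy(uint16_t *dst, const uint16_t *src, size_t len)
{
    if (len > HREF_BUF_CHARS)
        len = HREF_BUF_CHARS;                  /* truncates, but leaves no room for the 0 */
    memcpy(dst, src, len * sizeof *dst);
    dst[len] = 0;                              /* off by one when len == HREF_BUF_CHARS */
}

/* Fixed pattern: reserve one code unit for the terminator before copying. */
static void copy_href_fixed(uint16_t *dst, const uint16_t *src, size_t len)
{
    if (len > HREF_BUF_CHARS - 1u)
        len = HREF_BUF_CHARS - 1u;
    memcpy(dst, src, len * sizeof *dst);
    dst[len] = 0;                              /* always inside the buffer */
}

/* Runs one copy routine on a constructed href of `len` 'A' characters and
 * returns 1 if the word after the buffer (the saved ebp low word) changed. */
static int saved_ebp_clobbered(href_copy_fn copy, size_t len)
{
    static uint16_t src[HREF_BUF_CHARS + 64u];
    uint16_t model[MODEL_WORDS];
    size_t i;

    if (len > sizeof src / sizeof src[0])
        len = sizeof src / sizeof src[0];
    for (i = 0; i < sizeof src / sizeof src[0]; i++)
        src[i] = 0x0041;                       /* 'A' as UTF-16 */

    memset(model, 0, sizeof model);
    model[SAVED_EBP_LOW]      = SAVED_EBP_LOW_SENTINEL;
    model[SAVED_EBP_LOW + 1u] = SAVED_EBP_HIGH_SENTINEL;

    copy(model, src, len);
    return model[SAVED_EBP_LOW] != SAVED_EBP_LOW_SENTINEL;
}

/* The post reports eax = ebp - 8 faulting at [0005fff8]. This shows the
 * arithmetic behind that: zero the low word of the saved ebp, subtract 8.
 * The real pre-overwrite ebp is not in the post; any 0x0006xxxx value
 * reproduces the reported address. */
static uint32_t ebp_minus_8_after_clobber(uint32_t saved_ebp)
{
    uint32_t ebp = saved_ebp & 0xFFFF0000u;    /* low 16 bits overwritten with 0x0000 */
    return ebp - 8u;
}
```

`saved_ebp_clobbered(copy_href_buggy, HREF_BUF_CHARS)` returns 1 while the same call with `copy_href_fixed` returns 0; inputs shorter than the buffer are harmless under either routine, which is why the bug only shows up with an href that fills the buffer exactly or is longer and gets truncated. The fix is the usual one for terminator-bearing copies: the bound on the copied length must be one less than the buffer size, measured in the same units (code units, not bytes) as the terminator write.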

