Bugtraq mailing list archives
Re: IE / Outlook / MS SHLWAPI Render - more trivial crash
From: "Berend-Jan Wever" <SkyLined () edup tudelft nl>
Date: Wed, 23 Apr 2003 14:54:06 +0200
Technical details: IE tries to compare the type of the input field to "HIDDEN", to see if it should be rendered. When there is no type string, a null-pointer is used. mshtml.dll calls shlwapi.dll#158 @ 0x636f0037 with a pointer to a static unicode string "HIDDEN" and a null-pointer. shlwapi.dll#158 does a case-insensitive comparison of two unicode strings: it reads from address 0x0 because of the null-pointer and thus causes an exception. This is not exploitable, other then a DoS because there is no memory mapped @ 0x0 and even if you could load something there, you could only compare it to "HIDDEN" which gets you nowhere. Berend-Jan Wever ----- Original Message ----- From: "Gervaize Maquard" <freestyler () tiscali fr> To: <bugtraq () securityfocus com> Sent: Tuesday, April 22, 2003 22:29 Subject: RE : IE / Outlook / MS SHLWAPI Render - more trivial crash
Original message :Hola: Well, as it seems that is the Microsoft Crash mounth, let see anotherone:--------------------------------- <html> <form> <input type crash> </form> </html> --------------------------------- This will crash IE with the following error: "Unhandled exception in iexplore.exe (SHLWAPI.DLL): 0xC0000005: Access Violation" It's a null pointer overwrite, so it's not easly exploitable...This HTML also crash Outlook, Frontpage, and all the Microsoft programsthat >use the shlwapi.dll library to render web code.Plain HTML is a dangerous language :)Added : It also seems to crash explorer.exe when the .html file containing the code is copied into any folder !! It may work since windows is trying to create a view in Windows explorer. Indeed, it doesn't work when the file is copied in the desktop. Tested on Windows XP with Office XP.
Current thread:
- IE 6.0 - trivial crash - part II Adam [ckkl] (Apr 19)
- IE / Outlook / MS SHLWAPI Render - more trivial crash Ramon Pinuaga Cascales (Apr 22)
- RE : IE / Outlook / MS SHLWAPI Render - more trivial crash Gervaize Maquard (Apr 22)
- Re: IE / Outlook / MS SHLWAPI Render - more trivial crash Berend-Jan Wever (Apr 23)
- RE: RE : IE / Outlook / MS SHLWAPI Render - more trivial crash kajbaf (Apr 29)
- RE : IE / Outlook / MS SHLWAPI Render - more trivial crash Gervaize Maquard (Apr 22)
- IE / Outlook / MS SHLWAPI Render - more trivial crash Ramon Pinuaga Cascales (Apr 22)