Bugtraq mailing list archives
Re: .MHT Buffer Overflow in Internet Explorer
From: Jouko Pynnonen <jouko () solutions fi>
Date: Wed, 12 Mar 2003 00:05:55 +0200 (EET)
On 10 Mar 2003, Tom Tanaka wrote:
CANON SYSTEM SOLUTIONS INC. Security Alert VULNERABILITY:.MHT Buffer Overflow in Internet Explorer DATE FOUND:March 2, 2003 Severity:High Risk(code can be executed remotely)
[snip]
The following error will occur when the above file is browsed by IE5. Unhandled exception in iexplore.exe: 0xC0000005: Access Violation. By debugging through the crash dump, the exception error is generated at the EIP(32-bit Instruction Pointer)=74CF497E called from inetcomm.dll to Kernel32. Register EAX = 00000000 EBX = 05AD3A20 ECX = 001FE074 EDX = 001FE190 ESI = 05AD39D8 EDI = 00000000 [EIP = 74CF497E] ESP = 0607B2BC EBP = 0607B2FC EFL = 00000246
[snip]
74cf497b 8b461c mov eax,dword ptr [esi+1c] 74cf497e 8b08 mov ecx,dword ptr [eax] //Exception
At first glance, doesn't this look like a null pointer reference bug rather than a buffer overflow? The message didn't (clearly) specify which four bytes of memory the attacker could overwrite and how it would be possible to gain control of the program flow. Since you have classified this as critical, perhaps you could clarify these points? Does there exist a working exploit which does something else than crash IE? Thanks, -- Jouko Pynnonen Online Solutions Ltd Secure your Linux - jouko () solutions fi http://www.secmod.com
Current thread:
- .MHT Buffer Overflow in Internet Explorer Tom Tanaka (Mar 11)
- Re: .MHT Buffer Overflow in Internet Explorer jelmer (Mar 11)
- Re: .MHT Buffer Overflow in Internet Explorer Thor Larholm (Mar 12)
- Re: .MHT Buffer Overflow in Internet Explorer Jouko Pynnonen (Mar 11)
- <Possible follow-ups>
- Re: .MHT Buffer Overflow in Internet Explorer http-equiv () excite com (Mar 11)
- Re: .MHT Buffer Overflow in Internet Explorer jelmer (Mar 11)