Vulnerability Development mailing list archives
Re: [bug]: Cause IE 5.X to crash
From: Scott Fagg <scott.fagg () ARUP COM AU>
Date: Tue, 8 May 2001 08:45:44 +1000
IE5.5 SP1 on nt4 SP6 .. no crash. Entered ftp://... in location bar and created page with ftp:/... link. In both cases IE did not crash just appeared to take a while to look up hostname. Change url to ftp://1.2.3.4/.#./ where 1.2.3.4 is an anon ftp server on our LAN, and IE dutifully connects and retrieves the contents of the root dir of the ftp server.
Arthur Barton <arthurb () DOCUMENTA COM AU> 7/5/01 11:49:54 am >>>
Win98 4.10.1998 ie 6.00.2462.0000 start -> run -> ftp://whatever//.#. -> enter or start -> run -> ftp.whatever//.#. -> enter causes iexplore.exe to crash location bar -> ftp://whatever//.#. -> enter or location bar -> ftp.whatever//.#. -> enter in either explorer.exe or iexpore.exe causes either to crash ftp://ftp.valid.ftp.server//.#. -> enter also causes a crash <meta http-equiv="refresh" content="0; URL=ftp://whatever//.#."> all running instances of iexplore.exe crash #!/usr/bin/perl print "Location: ftp://whatever//.#.\n\n"; results in "Cannot find server" hmm. hth.. At 08:07 7/05/01 +0800, Uidam, T (Tim) wrote:
NOT Vulnerable on IE 5.5 SP1 (no hotfixes) on WinNT 4 SP5. Nope, not even the tiniest glitch. If a valid FTP address is put in place of "whatever" it simply displays the FTP root in the browser window. Running ftp://whatever/.#./ from Start/Run launches IE, and displays "cannot Find Server" with ftp://whatever// in the address bar. Hope this helps! :) Tim. -----Original Message----- From: Elie Aka Lupin Bursztein [mailto:secu () BURSZTEIN NET] Sent: Saturday, 5 May 2001 8:35 To: VULN-DEV () SECURITYFOCUS COM Subject: [bug]: Cause IE 5.X to crash hello, I have discover the last week end the following bug : Synopsis -------------- By putting this malformed link on a web page a malicious user could crash all the IE windows. It also work by passing the link directly into the address field of IE. Affected version : ----------------------- IE 5.5 sp1 for WIN 98 / 98 SE /2000 / 2000 sp1 IE 5.5 for WIN 98 / 98 SE /2000 / 2000 sp1 IE 5.0 for WIN 98 / 98 SE /2000 / 2000 sp1 not affected IE 5.0 For Mac not tested on : Win 95 , Win ME The Bug : ------------- the following url Crash IE : "ftp://whatever//.#./" Vendor status --------------------- Microsoft has been notice during the week and they have told me that the bug will be fix in the next Service pack. Details ---------- First it doesn't work with http:// . We could also notify that when we put this link in a web page and we select it and trie to copy the link we get "ftp://whatever//#./" instead of "ftp://whatever//.#./" . Of course "ftp://whatever//#./" crash IE as well... It is the same for the status bar : we could read "ftp://whatever//#./" instead of "ftp://whatever//.#./" . Finally if you tape very slowly in the address field this url, It crash also IE, That's why i suppose that IE 4 is not vulnerable to this. I have make more investigation and find out this : ) it's a call of msieftp.dll who cause the crash. i have determine this by using a debugger according to the following code : 7120B8D3 push dword ptr [ebp+14h] 7120B8D6 call dword ptr ds:[712012D8h] //this is what cause the crash 7120B8DC cmp byte ptr [eax],0 7120B8DF jne 7120B93A 7120B8E1 lea eax,[ebp+8] 7120B8E4 push eax <--snipe --> 7120B93A mov eax,edi 7120B93C pop edi 7120B93D pop esi 7120B93E leave 7120B93F ret 14h 7120B942 push ebp 7120B943 mov ebp,esp It doesn't seems to been exploitable to me, but may be you will find something.
Current thread:
- Re: [bug]: Cause IE 5.X to crash Arthur Barton (May 07)
- <Possible follow-ups>
- Re: [bug]: Cause IE 5.X to crash Scott Fagg (May 07)
- Re: [bug]: Cause IE 5.X to crash Nick Jacobsen (May 07)
- Re: [bug]: Cause IE 5.X to crash Uidam, T (Tim) (May 09)
- FW: [bug]: Cause IE 5.X to crash Uidam, T (Tim) (May 10)
- Re: [bug]: Cause IE 5.X to crash Usman Akeju (May 11)
- Re: [bug]: Cause IE 5.X to crash Damian Menscher (May 11)
- Re: [bug]: Cause IE 5.X to crash Uidam, T (Tim) (May 11)