Full Disclosure mailing list archives
RE: Internet Explorer Remote Null Pointer Crash(mshtml.dll)
From: "Thor Larholm" <thor () pivx com>
Date: Tue, 15 Jun 2004 10:02:28 -0700
Manually right-clicking and selecting "Save target as" invokes the download functionality. This can also be automatically triggered by redirecting with a META tag to a server script that sets Content-Type and Content-Disposition headers to an unknown MIME-type which causes the "Open/Save As" dialog box to be triggered during which time IE automatically tries to initiate the download and create the appropriate files in the TIF (Temporary Internet Files), just like the "Save target as" functionality does. IE automatically initiates the download of any file with an unknown MIME-type and starts storing this file in the TIF, before the user has selected whether to Open, Save or Cancel the download. If the user cancels, the file is deleted. This has already been used to plant arbitrary files in predictable locations and leads to a race condition where you can cross the security zone boundaries using other vulnerabilities in the timeframe between the download is forcefully initiated to the time where the user cancels the download. Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com thor () pivx com Stock symbol: (PIVX) Phone: +1 (949) 231-8496 PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. <http://www.pivx.com/qwikfix> -----Original Message----- From: Berend-Jan Wever [mailto:SkyLined () edup tudelft nl] Sent: Monday, June 14, 2004 6:34 PM To: full-disclosure () lists netsys com; vulnwatch () vulnwatch org Subject: Re: [Full-disclosure] Internet Explorer Remote Null Pointer Crash(mshtml.dll) Doesn't look like a null pointer to me, especially since it crashes while reading 800c0005... I think it's a format string vulnerability, causing ntdll.RtlFormatMessage to call ntdll._snwprintf with your href. Might be exploitable, I'll have a look... Cheers, SkyLined ----- Original Message ----- From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il> To: "vulnwatch" <vulnwatch () vulnwatch org> Sent: Monday, June 14, 2004 23:20 Subject: [Full-disclosure] Internet Explorer Remote Null Pointer Crash(mshtml.dll)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ Application: Internet Explorer Vendors: http://www.microsoft.com Versions: 6.0.2800.1106.xpclnt_qfe.021108-2107 Patched With: SP1;Q832894;Q330994;Q837009;Q831167; ModName: mshtml.dll ModVer: 6.0.2734.1600 Platforms: Windows Bug: Remote/Local Null Pointer Crash Exploitation: Remote with browser Date: 14 Jun 2004 Author: Rafel Ivgi, The-Insider e-mail: the_insider () mail com web: http://theinsider.deep-ice.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ 1) Introduction 2) Bugs 3) The Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ =============== 1) Introduction =============== Internet Explorer is currently the most common internet browser in the
world. It comes by default with every windows operating system. Therefore any vulnerability concerning it is an highly important issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ ====== 2) Bug ====== Upon clicking "Save As" on a link with double colon --> "::" and a left curly bracket --> "{" then Internet Explorer Will Crash. AppName: iexplore.exe AppVer: 6.0.2600.0 ModName: ntdll.dll ModVer: 5.1.2600.114 Offset: 00056074 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ =========== 3) The Code =========== Paste into an htm/html file: <center><a href=::%7b>Right Click aOn Me And Click "Save Target As"</a> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ --- Rafel Ivgi, The-Insider http://theinsider.deep-ice.com "Scripts and Codes will make me D.O.S , but they will never HACK me." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Internet Explorer Remote Null Pointer Crash(mshtml.dll) Rafel Ivgi, The-Insider (Jun 14)
- Re: Internet Explorer Remote Null Pointer Crash(mshtml.dll) Berend-Jan Wever (Jun 14)
- <Possible follow-ups>
- RE: Internet Explorer Remote Null Pointer Crash(mshtml.dll) Thor Larholm (Jun 15)
- RE: Internet Explorer Remote Null Pointer Crash(mshtml.dll) http-equiv () excite com (Jun 15)