Re: Potential overflow in Internet Explorer

[gregory duchemin <c3rb3r () HOTMAIL COM>]

hi,

i noticed and have reported the same flaw on november 8 2000 on vuln-dev
below the original mail i sent.
Gregory


==============
hi,

I dunno if this one was previously reported, when entering an url with
more than 280 chars, MSIE 5.00.2314.1003 crash with a dr watson because of
an access violation.
for example: http://ip/$$$$$.....$$$$$$$ (about 280)
will crash with bad access to address 0x24 0x24 0x24 0x24 (0x24 = ascii $)
it would be easy to insert win32 code inside the URI and force remote
browser to execute it.


note: this happened on NT 4.00.1381 server


Gregory Duchemin
NEUROCOM CANADA


> From: Rio Martin <root () VBME NET>
> Reply-To: root () VBME NET
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: Potential overflow in Internet Explorer
> Date: Tue, 6 Feb 2001 09:45:51 +0700
> MIME-Version: 1.0
> Received: from [66.38.151.7] by hotmail.com (3.2) with ESMTP id
> MHotMailBC49A3AB003340043189422697079E3B0; Tue Feb 06 12:04:00 2001
> Received: from lists.securityfocus.com (lists.securityfocus.com
> [66.38.151.7])by lists.securityfocus.com (Postfix) with ESMTPid
> 012C024D521; Tue,  6 Feb 2001 10:38:30 -0700 (MST)
> Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
> (LISTSERV-TCP/IP release 1.8d) with spool id 24988959 for
> VULN-DEV () LISTS SECURITYFOCUS COM; Tue, 6 Feb 2001 10:38:03 -0700
> Received: from securityfocus.com (mail.securityfocus.com [66.38.151.9]) by
>         lists.securityfocus.com (Postfix) with SMTP id F11D224C494 for
>      <vuln-dev () lists securityfocus com>; Tue,  6 Feb 2001 07:28:07 -0700
>        (MST)
> Received: (qmail 26817 invoked by alias); 6 Feb 2001 14:28:15 -0000
> Received: (qmail 26814 invoked from network); 6 Feb 2001 14:28:15 -0000
> Received: from c001-h008.c001.snv.cp.net (HELO c001.snv.cp.net)
> (209.228.32.122) by mail.securityfocus.com with SMTP; 6 Feb 2001
> 14:28:15 -0000
> Received: (cpmta 15475 invoked from network); 6 Feb 2001 06:30:59 -0800
> Received: from unknown (HELO fastnet02) (203.130.200.104) by smtp.vbme.net
>         (209.228.32.122) with SMTP; 6 Feb 2001 06:30:59 -0800
> From owner-vuln-dev () SECURITYFOCUS COM Tue Feb 06 12:05:16 2001
> Approved-By: BlueBoar () THIEVCO COM
> Delivered-To: vuln-dev () lists securityfocus com
> Delivered-To: VULN-DEV () SECURITYFOCUS COM
> X-Sent: 6 Feb 2001 14:30:59 GMT
> References:  <200102051812.KAA19345 () user7 hushmail com>
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.00.2919.6700
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
> Message-ID:  <000f01c09049$e93d60a0$6600a8c0@fastnet02>
> Sender: VULN-DEV List <VULN-DEV () SECURITYFOCUS COM>
>
> Well, i found it after my computer used by my friend about three - four
> weeks ago. I am running IE5.0 SP1, Windows 98 2nd Ed. Dont know what he ve
> done with my computer but I also found that there is a long "A" file in my
> C:\
>
>
> Rio Martin.
> www.rio-martin.com
>
>
> _
> <joetesta () HUSHMAIL COM> wrote:
>
>
> | Rio Martin wrote:
> |
> | >  Sorry,
> | >  But I think this one is already known and quite old ...
> | >
> | >  Rio Martin.
> | >  www.rio-martin.com
> |
> | Even if it is already known and quite old, my machine remains vulnerable
> | although I've applied all patches.
> |
> | So far, no one has been able to reproduce this buffer overflow.  Could
> | any particular person out there experienced with analyzing Internet
> | Explorer help?  (Ahem... Georgi...)  =]
> |
> |         - Joe Testa

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.