FW: [bug]: Cause IE 5.X to crash

["Uidam, T (Tim)" <Tim.Uidam () SYD RABOBANK COM>]

-----Original Message-----
From: Johnson, Michael [mailto:Michael.Johnson () ASTStockplan com]
Sent: Monday, 7 May 2001 23:24
To: 'Uidam, T (Tim)'
Subject: RE: [bug]: Cause IE 5.X to crash


Worked here Windows 2000 pro/ IE 5.50.4522.1800

-MJ

-----Original Message-----
From: Uidam, T (Tim) [mailto:Tim.Uidam () SYD RABOBANK COM]
Sent: Sunday, May 06, 2001 8:08 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: [bug]: Cause IE 5.X to crash


NOT Vulnerable on IE 5.5 SP1 (no hotfixes) on WinNT 4 SP5.

Nope, not even the tiniest glitch. If a valid FTP address is put in place of
"whatever" it simply displays the FTP root in the browser window.

Running ftp://whatever/.#./ from Start/Run launches IE, and displays "cannot
Find Server" with ftp://whatever// in the address bar.


Hope this helps! :)

Tim.

-----Original Message-----
From: Elie Aka Lupin Bursztein [mailto:secu () BURSZTEIN NET]
Sent: Saturday, 5 May 2001 8:35
To: VULN-DEV () SECURITYFOCUS COM
Subject: [bug]: Cause IE 5.X to crash


hello,
I have discover the last week end the following bug :

Synopsis
--------------

By putting this malformed link on a web page a malicious
user could crash all the IE windows. It also work by passing the link
directly into the address field of IE.

Affected version :
-----------------------

IE 5.5 sp1 for WIN 98 / 98 SE /2000 / 2000 sp1
IE 5.5 for WIN 98 / 98 SE /2000 / 2000 sp1
IE 5.0 for WIN 98 / 98 SE /2000 / 2000 sp1

not affected

IE 5.0 For Mac

not tested on :

Win 95 , Win ME

The Bug :
-------------

the following url Crash IE : "ftp://whatever//.#./";


Vendor status
---------------------

Microsoft has been notice during the week and they have told me that the
bug will be fix in the next Service pack.

Details
----------

First it doesn't work with http:// . We could also notify that when we put
this link in a web page and we select it and trie to copy the link we get
"ftp://whatever//#./"; instead of "ftp://whatever//.#./"; . Of course
"ftp://whatever//#./"; crash IE as well... It is the same for the status bar
: we could read "ftp://whatever//#./"; instead of "ftp://whatever//.#./"; .
Finally if you tape very slowly in the address field this url, It crash
also IE, That's why i suppose that IE 4 is not vulnerable to this.

I have make more investigation and find out this :

) it's a call of msieftp.dll who cause the crash. i have determine this
by using a debugger
according to the following code :

7120B8D3 push dword ptr [ebp+14h]
7120B8D6 call dword ptr ds:[712012D8h] //this is what cause the crash
7120B8DC cmp byte ptr [eax],0
7120B8DF jne 7120B93A
7120B8E1 lea eax,[ebp+8]
7120B8E4 push eax
<--snipe -->
7120B93A mov eax,edi
7120B93C pop edi
7120B93D pop esi
7120B93E leave
7120B93F ret 14h
7120B942 push ebp
7120B943 mov ebp,esp

It doesn't seems to been exploitable to me, but may be you will find
something.


Elie Aka Lupin Bursztein
------------------------------------------------------------------------
ICQ : 32228319
Web : http://www.bursztein.net
"He feel safe, At this very moment he was lost..."
------------------------------------------------------------------------

==================================================================
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en
is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht
onterecht ontvangt wordt u verzocht de inhoud niet te gebruiken en
de afzender direct te informeren door het bericht te retourneren.
==================================================================
The information contained in this message may be confidential
and is intended to be exclusively for the addressee. Should you
receive this message unintentionally, please do not use the contents
herein and notify the sender immediately by return e-mail.


==================================================================

==================================================================
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en
is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht
onterecht ontvangt wordt u verzocht de inhoud niet te gebruiken en
de afzender direct te informeren door het bericht te retourneren.
==================================================================
The information contained in this message may be confidential
and is intended to be exclusively for the addressee. Should you
receive this message unintentionally, please do not use the contents
herein and notify the sender immediately by return e-mail.


==================================================================