Re: [bug]: Cause IE 5.X to crash

[Scott Fagg <scott.fagg () ARUP COM AU>]

IE5.5 SP1 on nt4 SP6 .. no crash.

Entered ftp://... in location bar and created page with ftp:/... link. In both cases IE did not crash just appeared to 
take a while to look up hostname.

Change url to ftp://1.2.3.4/.#./ where 1.2.3.4 is an anon ftp server on our LAN, and IE dutifully connects and 
retrieves the contents of the root dir of the ftp server.



> > > Arthur Barton <arthurb () DOCUMENTA COM AU> 7/5/01 11:49:54 am >>>
Win98 4.10.1998
ie 6.00.2462.0000

start -> run -> ftp://whatever//.#. -> enter
or
start -> run -> ftp.whatever//.#. -> enter
causes iexplore.exe to crash

location bar -> ftp://whatever//.#. -> enter
or
location bar -> ftp.whatever//.#. -> enter
in either explorer.exe or iexpore.exe causes either to crash

ftp://ftp.valid.ftp.server//.#. -> enter
also causes a crash

<meta http-equiv="refresh" content="0; URL=ftp://whatever//.#.";>
all running instances of iexplore.exe crash

#!/usr/bin/perl
print "Location: ftp://whatever//.#.\n\n";;
results in "Cannot find server"

hmm.
hth..

At 08:07  7/05/01 +0800, Uidam, T (Tim) wrote:
> NOT Vulnerable on IE 5.5 SP1 (no hotfixes) on WinNT 4 SP5.
>
> Nope, not even the tiniest glitch. If a valid FTP address is put in place of
> "whatever" it simply displays the FTP root in the browser window.
>
> Running ftp://whatever/.#./ from Start/Run launches IE, and displays "cannot
> Find Server" with ftp://whatever// in the address bar.
>
>
> Hope this helps! :)
>
> Tim.
>
> -----Original Message-----
> From: Elie Aka Lupin Bursztein [mailto:secu () BURSZTEIN NET] 
> Sent: Saturday, 5 May 2001 8:35
> To: VULN-DEV () SECURITYFOCUS COM 
> Subject: [bug]: Cause IE 5.X to crash
>
>
> hello,
> I have discover the last week end the following bug :
>
> Synopsis
> --------------
>
> By putting this malformed link on a web page a malicious
> user could crash all the IE windows. It also work by passing the link
> directly into the address field of IE.
>
> Affected version :
> -----------------------
>
> IE 5.5 sp1 for WIN 98 / 98 SE /2000 / 2000 sp1
> IE 5.5 for WIN 98 / 98 SE /2000 / 2000 sp1
> IE 5.0 for WIN 98 / 98 SE /2000 / 2000 sp1
>
> not affected
>
> IE 5.0 For Mac
>
> not tested on :
>
> Win 95 , Win ME
>
> The Bug :
> -------------
>
> the following url Crash IE : "ftp://whatever//.#./";
>
>
> Vendor status
> ---------------------
>
> Microsoft has been notice during the week and they have told me that the
> bug will be fix in the next Service pack.
>
> Details
> ----------
>
> First it doesn't work with http:// . We could also notify that when we put
> this link in a web page and we select it and trie to copy the link we get
> "ftp://whatever//#./"; instead of "ftp://whatever//.#./"; . Of course
> "ftp://whatever//#./"; crash IE as well... It is the same for the status bar
> : we could read "ftp://whatever//#./"; instead of "ftp://whatever//.#./"; .
> Finally if you tape very slowly in the address field this url, It crash
> also IE, That's why i suppose that IE 4 is not vulnerable to this.
>
> I have make more investigation and find out this :
>
> ) it's a call of msieftp.dll who cause the crash. i have determine this
> by using a debugger
> according to the following code :
>
> 7120B8D3 push dword ptr [ebp+14h]
> 7120B8D6 call dword ptr ds:[712012D8h] //this is what cause the crash
> 7120B8DC cmp byte ptr [eax],0
> 7120B8DF jne 7120B93A
> 7120B8E1 lea eax,[ebp+8]
> 7120B8E4 push eax
> <--snipe -->
> 7120B93A mov eax,edi
> 7120B93C pop edi
> 7120B93D pop esi
> 7120B93E leave
> 7120B93F ret 14h
> 7120B942 push ebp
> 7120B943 mov ebp,esp
>
> It doesn't seems to been exploitable to me, but may be you will find
> something.