From: thalm at netcabo.pt (Tiago Halm)
Subject: New Microsoft Internet Explorer  mshtml.dll Denial of Service?

My feeling is that the following facts:

- rendering engine of IE, complemented with the "online" download of the
image
- possible malformation of the image

lead to this outcome (browser crash).
There must be some code inside mshtml.dll that "crashes" when parsing the
image.

I get this "Application" event with source "Microsoft Internet Explorer", ID
= 1000:
-------------
Faulting application iexplore.exe, version 6.0.2800.1106, faulting module
mshtml.dll, version 6.0.2800.1226, fault address 0x00180ede. 
-------------

This is not a webbug. I think this is only a transgif for layout (as you put
it).
And IE should take the image as invalid and should not even try to display
it.

Regards,
Tiago Halm

-----Original Message-----
From: nonleft [mailto:nonleft@....net] 
Sent: ter?a-feira, 2 de Setembro de 2003 19:15
To: Tiago Halm; 'Pellmann Paul'; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll
Denial of Service?


could you figure out if it is a webbug than or just a transgif for layout?

kind regards
nonleft


At 17:36 02.09.2003 +0100, Tiago Halm wrote:
>Paul has a point here, I believe!
>
>After a **lot** of html code "trimming" I came with an offline version 
>of the page like this:
>
>------------------------------------------------------
>2bd125.jpg
>-------------------------------------------------------
>
>and this piece of code does crash my browser (6.0.2800.1106) on windows 
>2000 server all patches and fixes up to date.
>
>NOTE: Every time you **want** the browser to crash, you must delete it 
>from the "Temporary Internet Files" before loading it in your browser.
>
>Although this image (e1x1.gif) is 1x1 GIF, ACDSee Classic calls it a 
>"Bad or unrecognized image header". Does this image, in some way, 
>affects the way IE does the parsing? Seems like it...
>
>Regards,
>Tiago Halm
>
>
>-----Original Message-----
>From: full-disclosure-admin@...ts.netsys.com
>[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Pellmann 
>Paul
>Sent: ter?a-feira, 2 de Setembro de 2003 16:20
>To: 'full-disclosure@...ts.netsys.com'
>Subject: AW: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll
>Denial of Service?
>
>
>This seems to be caused by the 1x1 image 
>http://www.galad.com/frame/e1x1.gif
>used within the page. If I block this URL the IE stops crashing with that
>page.
>
>cu
>Paul
>
>
> > > Its a mail client issue; doesn't happen if you click on
> > > a link from Internet Explorer.
> >
> > No, I am very sure that this happens also, if you follow the link 
> > inside a web page only (without an involving mail client).
> >
> > So go to http://www.counterpane.com/crypto-gram.html , scroll down 
> > and click the link that says "Holger Hasselbach has translated 
> > several issues of Crypto-Gram into German [...]". The error occurs 
> > as described in my original posting.
> >
> > > Your mail headers don't exactly give away your own mail client. 
> > > What would it be?
> >
> > Microsoft Outlook 2002 SP2 on Windows XP Professional
> >
> > Yours,
> >
> > Marc Ruef
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0
> >
> > iQA/AwUBP1Rw4Be5hzJzqVMhEQKFkACeOBaQowm8I6p0P2Fb12C4E2ndwgoAniRK
> > qtApctQA9L1W78qDsE4Puuvz
> > =m0et
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists