| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.33.0303112341000.7102-100000@lissu.solutions.fi> Date: Wed, 12 Mar 2003 00:05:55 +0200 (EET) From: Jouko Pynnonen <jouko@...utions.fi> To: Tom Tanaka <tomatell@...on-sol.jp> Subject: Re: .MHT Buffer Overflow in Internet Explorer On 10 Mar 2003, Tom Tanaka wrote: > CANON SYSTEM SOLUTIONS INC. Security Alert > > VULNERABILITY:.MHT Buffer Overflow in Internet Explorer > > DATE FOUND:March 2, 2003 > > Severity:High Risk(code can be executed remotely) [snip] > The following error will occur when the above file is browsed by IE5. > > Unhandled exception in iexplore.exe: 0xC0000005: Access Violation. > > > > By debugging through the crash dump, the exception error is generated at > the EIP(32-bit Instruction Pointer)=74CF497E called from inetcomm.dll to > Kernel32. > > Register > EAX = 00000000 EBX = 05AD3A20 ECX = 001FE074 EDX = 001FE190 > ESI = 05AD39D8 EDI = 00000000 [EIP = 74CF497E] ESP = 0607B2BC > EBP = 0607B2FC EFL = 00000246 [snip] > 74cf497b 8b461c mov eax,dword ptr [esi+1c] > 74cf497e 8b08 mov ecx,dword ptr [eax] //Exception At first glance, doesn't this look like a null pointer reference bug rather than a buffer overflow? The message didn't (clearly) specify which four bytes of memory the attacker could overwrite and how it would be possible to gain control of the program flow. Since you have classified this as critical, perhaps you could clarify these points? Does there exist a working exploit which does something else than crash IE? Thanks, -- Jouko Pynnonen Online Solutions Ltd Secure your Linux - jouko@...utions.fi http://www.secmod.com
Powered by blists - more mailing lists