| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <001e01c3051c$87678f00$e62d1c41@basement> From: mattmurphy at kc.rr.com (Matthew Murphy) Subject: DoS - Microsoft Internet Explorer 6.0 SP1 OBJECT tag bug > Hi, > > I have uncovered a bug in IE: > > *Description* > Microsoft Internet Explorer 6.0 (other versions not tested) is vulnerable > to a DoS when specially crafted html is present on a page. The > vulnerability is in the processing of the OBJECT tag where the data attribute > points to the same page as object tag. This causes IE's stack to overflow. [snip] This is so old it's not even funny. I discovered this about a year ago (4/20/2002), and posted it. Then, doing additional research, I discovered it had already been found by several others before me. You don't even have to make it as advanced as you did. Just doing this: <OBJECT TYPE="text/html" DATA="#" /> Is more than sufficient. Windows 2000 SP3 (and, possibly, Windows XP SP1) includes a patch for a particularly interesting variant on this. By specially crafting a desktop.ini and folder.htt pair on a network-accessible share, it is possible to cause the Windows Shell to infinite loop, denying service to the system. This is because of the crash impact mitigation in Windows explorer since 98. If Explorer dies, it is immediately restarted -- with all the old folders open. When it parses the folder template, it crashes again... the cycle continues. MSRC refused to patch the bug at its source, and instead created a warning in Win2KSP3 that warns before allowing the shell to parse .HTT's over a network share. How lame. :-(
Powered by blists - more mailing lists