lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030902173807.GA409@sentinelchicken.org>
From: tim-security at sentinelchicken.org (Tim)
Subject: New Microsoft Internet Explorer mshtml.dll Denial of Service?

Interesting...

> After a **lot** of html code "trimming" I came with an offline version of
> the page like this:
> 
> ------------------------------------------------------
> <html>
> <body>
> <table border="0" cellspacing="0" cellpadding="0">
> <tr>
>     <td><img src="http://www.galad.com/frame/e1x1.gif" width="1" height="1"
> alt=""></td>
> </tr>
> </table>
> </body>
> </html>
> -------------------------------------------------------
> 
> and this piece of code does crash my browser (6.0.2800.1106)
> on windows 2000 server all patches and fixes up to date.
> 
> NOTE: Every time you **want** the browser to crash, you must delete it from
> the "Temporary Internet Files" before loading it in your browser.
> 
> Although this image (e1x1.gif) is 1x1 GIF, ACDSee Classic calls it a "Bad or
> unrecognized image header".
> Does this image, in some way, affects the way IE does the parsing?
> Seems like it...


Yeah, the GIF image is almost certainly mal-formed.  Not sure in what
way yet, as I am no GIF expert.  Some interesting information though:

Opening it in the GIMP produces the following errors on stderr:

GIF: too much input data, ignoring extra...
GIF: bogus character 0x00, ignoring


The file's contents are:

00000000   47 49 46 38  39 61 01 00  01 00 80 00  00 FF FF FF  GIF89a..........
00000010   FF FF FF 21  F9 04 01 00  00 01 00 2C  00 00 00 00  ...!.......,....
00000020   01 00 01 00  00 02 02 4C  01 00 3B                  .......L..;

I then opened the file in the GIMP, and immediately saved it back to
another gif file, and it wrote:

00000000   47 49 46 38  39 61 01 00  01 00 80 00  00 FF FF FF  GIF89a..........
00000010   00 00 00 21  F9 04 01 00  00 00 00 2C  00 00 00 00  ...!.......,....
00000020   01 00 01 00  00 00 01 01  00 3B                     .........;


Which obviously has some differences.  Anyone else better with GIF89a
than I?

tim


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ