lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <002701c4e6fd$9fee85a0$0100a8c0@grotedoos> From: skylined at edup.tudelft.nl (Berend-Jan Wever) Subject: Re: Windows Explorer TGA Crash is a DoS bug in Internet Explorer. I thought it looked familiar: http://lists.netsys.com/pipermail/full-disclosure/2004-May/021272.html It'll probably never get fixed. Berend-Jan Wever <skylined@...p.tudelft.nl> http://www.edup.tudelft.nl/~bjwever SkyLined in #SkyLined on EFNET PGP key ID: 0x48479882 ----- Original Message ----- From: "Berend-Jan Wever" <skylined@...p.tudelft.nl> To: <full-disclosure@...ts.netsys.com>; <bugtraq@...urityfocus.com> Sent: Tuesday, December 21, 2004 02:20 Subject: Re: Windows Explorer TGA Crash is a DoS bug in Internet Explorer. Tested on win2ksp4, IE6.0sp1 fully patched (hmmm... not really "fully" obviously ;)) It's a DoS, nothing exploitable. Explorer let's IE do the rendering in "thumbnail" previes mode. IE creates a HTML page and crashes while creating or rendering it. Same bug can be triggered easier with following HTML code: <HTLM><BODY><IFRAME src="file://?:/filename"></BODY></HTML> CharLowerA doesn't handle the 0xFE byte very well since it is converted to a signed int (0xFFFFFFFE). It then scans memory at 0xFFFFFFFE which causes an exception. Call stack of main thread Address Stack Procedure / arguments Called from Frame 0012A2D8 1A441D6D USER32.CharLowerA urlmon.1A441D67 0012A2D4 0012A2DC FFFFFFFE StringOrChar = FE ('?') 0012A2E4 1A442F6E urlmon.1A441D5E urlmon.1A442F69 0012A440 0012A444 1A4464AC urlmon.1A442D7F urlmon.1A4464A7 0012A440 0012A708 636076D2 Includes urlmon.1A4464AC mshtml.636076CF 0012A704 0012C730 637A9D9E mshtml.636075B0 mshtml.637A9D99 0012C72C 0012E78C 637AA644 mshtml.637A9B52 mshtml.637AA63F 0012E788 0012E7FC 63795160 mshtml.637AA363 mshtml.6379515B 0012E7F8 0012E800 63789AE1 Includes mshtml.63795160 mshtml.63789ADE Cheers, Berend-Jan Wever <skylined@...p.tudelft.nl> http://www.edup.tudelft.nl/~bjwever SkyLined in #SkyLined on EFNET PGP key ID: 0x48479882 ----- Original Message ----- From: "Bill" <Bill@...tracon.com> To: <bugtraq@...urityfocus.com> Sent: Sunday, December 19, 2004 00:57 Subject: Windows Explorer TGA Crash > I've found a TGA file that crashes Windows Explorer when Explorer tries > to generate a preview for it. I'm not expert in this area, so I don't > know if this could be used as a way to run arbitrary code. However I've > attached the broken TGA, in zip format, in hopes that someone else can > figure out what this does. > > ~Bill >
Powered by blists - more mailing lists