lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002701c4e6fd$9fee85a0$0100a8c0@grotedoos>
From: skylined at edup.tudelft.nl (Berend-Jan Wever)
Subject: Re: Windows Explorer TGA Crash is a DoS bug in
	Internet Explorer.

I thought it looked familiar:
http://lists.netsys.com/pipermail/full-disclosure/2004-May/021272.html
It'll probably never get fixed.

Berend-Jan Wever
<skylined@...p.tudelft.nl>
http://www.edup.tudelft.nl/~bjwever
SkyLined in #SkyLined on EFNET
PGP key ID: 0x48479882

----- Original Message ----- 
From: "Berend-Jan Wever" <skylined@...p.tudelft.nl>
To: <full-disclosure@...ts.netsys.com>; <bugtraq@...urityfocus.com>
Sent: Tuesday, December 21, 2004 02:20
Subject: Re: Windows Explorer TGA Crash is a DoS bug in Internet Explorer.


Tested on win2ksp4, IE6.0sp1 fully patched (hmmm... not really "fully" obviously ;))

It's a DoS, nothing exploitable. Explorer let's IE do the rendering in "thumbnail" previes mode. IE creates a HTML page and crashes while creating or rendering it. Same bug can be triggered easier with following HTML code:

<HTLM><BODY><IFRAME src="file://?:/filename"></BODY></HTML>

CharLowerA doesn't handle the 0xFE byte very well since it is converted to a signed int (0xFFFFFFFE). It then scans memory at 0xFFFFFFFE which causes an exception.

Call stack of main thread
Address    Stack      Procedure / arguments                 Called from                   Frame
0012A2D8   1A441D6D   USER32.CharLowerA                     urlmon.1A441D67               0012A2D4
0012A2DC   FFFFFFFE     StringOrChar = FE  ('?')
0012A2E4   1A442F6E   urlmon.1A441D5E                       urlmon.1A442F69               0012A440
0012A444   1A4464AC   urlmon.1A442D7F                       urlmon.1A4464A7               0012A440
0012A708   636076D2   Includes urlmon.1A4464AC              mshtml.636076CF               0012A704
0012C730   637A9D9E   mshtml.636075B0                       mshtml.637A9D99               0012C72C
0012E78C   637AA644   mshtml.637A9B52                       mshtml.637AA63F               0012E788
0012E7FC   63795160   mshtml.637AA363                       mshtml.6379515B               0012E7F8
0012E800   63789AE1   Includes mshtml.63795160              mshtml.63789ADE

Cheers,

Berend-Jan Wever
<skylined@...p.tudelft.nl>
http://www.edup.tudelft.nl/~bjwever
SkyLined in #SkyLined on EFNET
PGP key ID: 0x48479882

----- Original Message ----- 
From: "Bill" <Bill@...tracon.com>
To: <bugtraq@...urityfocus.com>
Sent: Sunday, December 19, 2004 00:57
Subject: Windows Explorer TGA Crash


> I've found a TGA file that crashes Windows Explorer when Explorer tries 
> to generate a preview for it. I'm not expert in this area, so I don't 
> know if this could be used as a way to run arbitrary code. However I've 
> attached the broken TGA, in zip format, in hopes that someone else can 
> figure out what this does.
> 
> ~Bill
>




Powered by blists - more mailing lists