[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002701c4e6fd$9fee85a0$0100a8c0@grotedoos>
From: skylined at edup.tudelft.nl (Berend-Jan Wever)
Subject: Re: Windows Explorer TGA Crash is a DoS bug in
Internet Explorer.
I thought it looked familiar:
http://lists.netsys.com/pipermail/full-disclosure/2004-May/021272.html
It'll probably never get fixed.
Berend-Jan Wever
<skylined@...p.tudelft.nl>
http://www.edup.tudelft.nl/~bjwever
SkyLined in #SkyLined on EFNET
PGP key ID: 0x48479882
----- Original Message -----
From: "Berend-Jan Wever" <skylined@...p.tudelft.nl>
To: <full-disclosure@...ts.netsys.com>; <bugtraq@...urityfocus.com>
Sent: Tuesday, December 21, 2004 02:20
Subject: Re: Windows Explorer TGA Crash is a DoS bug in Internet Explorer.
Tested on win2ksp4, IE6.0sp1 fully patched (hmmm... not really "fully" obviously ;))
It's a DoS, nothing exploitable. Explorer let's IE do the rendering in "thumbnail" previes mode. IE creates a HTML page and crashes while creating or rendering it. Same bug can be triggered easier with following HTML code:
<HTLM><BODY><IFRAME src="file://?:/filename"></BODY></HTML>
CharLowerA doesn't handle the 0xFE byte very well since it is converted to a signed int (0xFFFFFFFE). It then scans memory at 0xFFFFFFFE which causes an exception.
Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012A2D8 1A441D6D USER32.CharLowerA urlmon.1A441D67 0012A2D4
0012A2DC FFFFFFFE StringOrChar = FE ('?')
0012A2E4 1A442F6E urlmon.1A441D5E urlmon.1A442F69 0012A440
0012A444 1A4464AC urlmon.1A442D7F urlmon.1A4464A7 0012A440
0012A708 636076D2 Includes urlmon.1A4464AC mshtml.636076CF 0012A704
0012C730 637A9D9E mshtml.636075B0 mshtml.637A9D99 0012C72C
0012E78C 637AA644 mshtml.637A9B52 mshtml.637AA63F 0012E788
0012E7FC 63795160 mshtml.637AA363 mshtml.6379515B 0012E7F8
0012E800 63789AE1 Includes mshtml.63795160 mshtml.63789ADE
Cheers,
Berend-Jan Wever
<skylined@...p.tudelft.nl>
http://www.edup.tudelft.nl/~bjwever
SkyLined in #SkyLined on EFNET
PGP key ID: 0x48479882
----- Original Message -----
From: "Bill" <Bill@...tracon.com>
To: <bugtraq@...urityfocus.com>
Sent: Sunday, December 19, 2004 00:57
Subject: Windows Explorer TGA Crash
> I've found a TGA file that crashes Windows Explorer when Explorer tries
> to generate a preview for it. I'm not expert in this area, so I don't
> know if this could be used as a way to run arbitrary code. However I've
> attached the broken TGA, in zip format, in hopes that someone else can
> figure out what this does.
>
> ~Bill
>
Powered by blists - more mailing lists