[NT] Internet Explorer onError DoS

From: support@securiteam.com
Date: 04/26/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 26 Apr 2002 09:14:12 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Internet Explorer onError DoS
------------------------------------------------------------------------

SUMMARY

Internet Explorer has an event to handle an error induced by the inability
to load a certain picture into the client's window. By causing an
intentional error and making the onError event create another such
intentional error it is possible to cause Internet Explorer to enter into
a loop causing it to overflow its stack segment, causing a denial of
service attack.

DETAILS

Affected software:
Every version of Internet Explorer up to 6.0

Example:
<IMG src="::" onError="this.src='::';">

What this example does:
1) It creates an image with an invalid SRC.
2) IE tries to show the picture but cannot: it fires the onError-event.
3) The onError-event resets the SRC attribute to the same invalid SRC.
4) Caused to loop back to 2.

ADDITIONAL INFORMATION

The information has been provided by <mailto:skylined@edup.tudelft.nl>
Berend-Jan Wever.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.