[NT] IE and OE Cannot Handle Malformed XBM Files
From: support@securiteam.com Date: 05/02/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 2 May 2002 10:16:37 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
IE and OE Cannot Handle Malformed XBM Files
------------------------------------------------------------------------
SUMMARY
Internet Explorer supports XBM graphic files and tries to display them
whenever they are referenced in an HTML file [as an IMG tag] or attached
to an e-mail. A vulnerability has been found in the way Internet Explorer
handles malformed XBM files; it allows a malicious user to crash IE while
consuming a large amount of CPU and memory (which is not freed upon the
completion of the crash).
DETAILS
Vulnerable systems:
* Internet Explorer 5.5
* Internet Explorer 6.0
* Outlook Express 5.0
* Outlook Express 6.0
The XBM structure is very simple: it is a text file with C-like syntax
and, for example, looks like this:
#define picture_width ?? // picture width
#define picture_height ?? // picture height
static unsigned char picture_bits[] = { /* hex picture data */ };
IE does not properly check the content of XBM files, so the
browser/e-mail client can be forced to hang and then exit silently
because of an Access Violation exception [as shown with the help of
windbg, it is generated inside mshtml.dll].
IE does not check the width and height of the image, so you may write
whatever you want and IE will try to interpret it, trying to allocate
enough memory for an oversized buffer.
When previewed, for example in Outlook Express, a malformed e-mail may
force this client (and others that rely on IE) to exit.
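The missing check described above, sketched as an added example (this is not code from the advisory or from IE): a validator that an XBM consumer or a mail filter could run before allocating a pixel buffer. The names xbm_dim and xbm_validate and the 16384-pixel limit are assumptions, and the layout assumed is the X11 bitmap form in which each row is padded to whole bytes.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define XBM_MAX_DIM 16384UL /* assumed policy limit, not from the advisory */

/* Constructed sample: 16x2 bitmap, 2 bytes per row, 4 bytes in total. */
static const char XBM_SAMPLE[] = "#define pic_width 16\n#define pic_height 2\n"
    "static unsigned char pic_bits[] = { 0x00, 0x01, 0x02, 0x03 };\n";

/* Find "#define <name><suffix> <digits>" and parse the number strictly. */
static int xbm_dim(const char *src, const char *suffix, unsigned long *out)
{
    const char *p = src;
    size_t slen = strlen(suffix);
    while ((p = strstr(p, "#define")) != NULL) {
        p += 7;
        while (*p == ' ' || *p == '\t') p++;
        const char *name = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if ((size_t)(p - name) < slen || strncmp(p - slen, suffix, slen) != 0) continue;
        while (*p == ' ' || *p == '\t') p++;
        if (!isdigit((unsigned char)*p)) return -1; /* rejects "??" and "-1" */
        char *end;
        *out = strtoul(p, &end, 10); /* overflow saturates and fails the bound check */
        return (*end == '\0' || isspace((unsigned char)*end)) ? 0 : -1;
    }
    return -1;
}

/* Returns 0 and sets *need to the buffer size only when the header is sane
 * and the declared size matches the pixel data actually present. */
int xbm_validate(const char *src, size_t *need)
{
    unsigned long w, h;
    if (xbm_dim(src, "_width", &w) || xbm_dim(src, "_height", &h)) return -1;
    if (w == 0 || h == 0 || w > XBM_MAX_DIM || h > XBM_MAX_DIM) return -2;
    size_t bytes = (size_t)((w + 7) / 8) * (size_t)h; /* bounded, cannot overflow */
    const char *lb = strchr(src, '{');
    const char *rb = lb ? strchr(lb, '}') : NULL;
    if (!rb) return -3;
    size_t have = 0; /* count 0x.. literals between the braces */
    for (const char *p = lb + 1; p < rb; p++)
        if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) have++;
    if (have != bytes) return -4; /* header and data disagree: do not allocate */
    *need = bytes;
    return 0;
}
```

The caller allocates only after a zero return, so the allocation size is bounded by the limit and tied to data that is really in the file rather than to the header alone.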
Demonstration:
For an example of such malformed e-mail, download one from here:
<http://www.sztolnia.pl/hack/xbmbug/xbmbug.eml>
ADDITIONAL INFORMATION
The information has been provided by <mailto:ckkl@poczta.wp.pl> Adam
[wp-ckkl].