Re: Small bug crashes OE
From: Berend-Jan Wever (email@example.com)
- Previous message: Mark Anderson: "Final Speakers for HiverCon 2002 Announced"
- In reply to: Kilian CAVALOTTI: "Re: Small bug crashes OE"
- Next in thread: David Komanek: "Re: Small bug crashes OE"
From: "Berend-Jan Wever" <firstname.lastname@example.org> To: <email@example.com> Date: Wed, 11 Sep 2002 12:11:12 +0200
Outlook Express (version 6.00.2600.0000) is vulnerable, the bug is in
mshtml.dll (version 6.0.2719.2200)
This looks like a unicode off-by-one: The code puts a unicode 0 behind the
href to terminate the string. The buffer for href is limited to 8192 bytes,
4096 unicode chars. This 0 is put behind the last char to terminate, causing
a word after the buffer to be overwritten with 0x0000. This word is part of
a saved ebp. When ebp is popped off the stack, the least significant two
bytes have been overwritten with 0; later on eax is set to "ebp-8" and this
causes an exception:
635ddb9f 8908 mov [eax],ecx ([0005fff8]=????????)
The only thing you can accomplish with this is to partially overwrite ebp; it
does not seem exploitable other than as a DoS to me.
----- Original Message -----
From: Kilian CAVALOTTI
To: Raistlin ; BugTraq
Sent: Tuesday, September 10, 2002 6:19
Subject: Re: Small bug crashes OE
> It's not difficult to exploit this vuln. Please find enclosed a
> simple e-mail which should crash the mailer. Let me know if this does
> not happen on international versions, or with strange patches
It does not affect my system (Windows XP SP1 build
2600.xpsp1.020828-1920 - IE6 SP1 6.0.2600.1106.xpsp1.020828-1920). I can
simply open the example message you provide, edit its source, preview
it, and send it, with no problem at all: no freeze, no hang-up, no slow
down, no crash.
Seems to be more an OS-related problem than a browser one.
Kilian CAVALOTTI | GPGKeyId: 0xD657340C
BOFH excuse #165:
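The off-by-one Berend-Jan describes above (a 4096-char UTF-16 href buffer whose terminator lands one element past the end, zeroing the low word of the saved ebp) modelled as an added example; this is not code from the thread or from mshtml.dll. The stack layout, the constructed saved-ebp value 0x0006fff8 and the function names are assumptions; the bug and the fix only differ in where the terminator is allowed to go.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HREF_CHARS 4096            /* 8192 bytes of UTF-16, as in the report */
#define SRC_CHARS  (HREF_CHARS + 10) /* an href longer than the buffer */

/* Hypothetical model of the stack: the href buffer immediately followed by
 * the two 16-bit halves of a saved frame pointer (constructed for this
 * example). One array keeps the out-of-bounds write inside the allocation. */
typedef struct {
    uint16_t region[HREF_CHARS + 2];   /* [0..4095] href, [4096..4097] saved ebp */
} frame_model;

static void init_frame(frame_model *f) {
    memset(f->region, 0, sizeof f->region);
    f->region[HREF_CHARS]     = 0xfff8;  /* low word of saved ebp (constructed) */
    f->region[HREF_CHARS + 1] = 0x0006;  /* high word of saved ebp (constructed) */
}

/* Buggy copy: truncates to 4096 chars, then writes the 0 terminator at
 * index 4096, one element past the buffer, into the saved ebp. */
static void copy_href_buggy(frame_model *f, const uint16_t *src, size_t n) {
    size_t len = n > HREF_CHARS ? HREF_CHARS : n;
    memcpy(f->region, src, len * sizeof(uint16_t));
    f->region[len] = 0;                  /* len == 4096 here */
}

/* Fixed copy: reserve one element for the terminator so it stays in bounds. */
static void copy_href_fixed(frame_model *f, const uint16_t *src, size_t n) {
    size_t len = n > HREF_CHARS - 1 ? HREF_CHARS - 1 : n;
    memcpy(f->region, src, len * sizeof(uint16_t));
    f->region[len] = 0;                  /* len <= 4095 */
}

/* Reassemble the saved frame pointer from its two halves. */
static uint32_t saved_ebp(const frame_model *f) {
    return ((uint32_t)f->region[HREF_CHARS + 1] << 16) | f->region[HREF_CHARS];
}

/* Copy an over-long href with either routine and return the saved ebp after. */
uint32_t run_copy(int fixed) {
    static uint16_t href[SRC_CHARS];
    frame_model f;
    for (size_t i = 0; i < SRC_CHARS; i++) href[i] = 'A';
    init_frame(&f);
    if (fixed) copy_href_fixed(&f, href, SRC_CHARS);
    else       copy_href_buggy(&f, href, SRC_CHARS);
    return saved_ebp(&f);
}

int main(void) {
    printf("buggy: saved ebp = 0x%08x\n", run_copy(0));  /* 0x00060000 */
    printf("fixed: saved ebp = 0x%08x\n", run_copy(1));  /* 0x0006fff8 */
    return 0;
}
```

With the low word zeroed, ebp-8 is 0x0005fff8, the address in the faulting `mov [eax],ecx` quoted in the report; the fixed routine leaves the saved frame pointer intact.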