Re: Small bug crashes OE

From: Berend-Jan Wever (
Date: 09/11/02

From: "Berend-Jan Wever" <>
To: <>
Date: Wed, 11 Sep 2002 12:11:12 +0200

Outlook Express (version 6.00.2600.0000) is vulnerable, the bug is in
mshtml.dll (version 6.0.2719.2200)
This looks like a unicode off-by-one: The code puts a unicode 0 behind the
href to terminate the string. The buffer for href is limited to 8192 bytes,
4096 unicode chars. This 0 is put behind the last char to terminate causing
a word after the buffer to be overwritten with 0x0000. This word is part of
a saved ebp. When ebp is poped off the stack, the least significant two
bytes have been overwritten with 0, later on eax is set to "ebp-8" and this
causes an exception:
635ddb9f 8908 mov [eax],ecx ([0005fff8]=????????)
The only thing you can accomplish with this is a partially overwrite ebp, it
does not seem exploitable other then a DoS to me.


----- Original Message -----
From: Kilian CAVALOTTI
To: Raistlin ; BugTraq
Sent: Tuesday, September 10, 2002 6:19
Subject: Re: Small bug crashes OE

Hash: SHA1

Raistlin wrote:
> It's not difficult to exploit this vuln. Please find enclosed a
> simple e-mail which should crash the mailer. Let me know if this does
> not happen on international versions, or with strange patches
> applied.

Hi !

It does not affect my system (Windows XP SP1 build
2600.xpsp1.020828-1920 - IE6 SP1 6.0.2600.1106.xpsp1.020828-1920). I can
simply open the example message you provide, edit its source, preview
it, and send it, with no problem at all : no freeze, no hang up, no slow
down, no crash.

Seems to be more a OS related problem, than a browser one.


- --
Kilian CAVALOTTI | GPGKeyId: 0xD657340C
BOFH excuse #165:
Backbone Scoliosis

Version: GnuPG v1.1.91 (MingW32) - GPGrelay v0.893


Relevant Pages

  • Re: Reading a Unicode text file
    ... Even though the files are "Unicode", it's possible that one or both ... esoteric) that is causing trouble. ... perhaps you could share some mock files that exhibit the bug. ... Stonehenge Perl Training ...
  • Bug in CryptEnumProviderTypesW under XP SP3
    ... To see the bug, just run the MSDN sample given in the documentation of the ... function CryptEnumProviderTypes on XP SP3 after compiling it in UNICODE. ... DWORD cbName = sizeof; ...
  • Re: IDE Nightmare - Unicode or Ansi is DFM?
    ... > Jeff Overcash (TeamB) wrote: ... >> It is not a bug. ... The switch to Unicode was intentional. ...
  • Re: Char... Unicode version (bug?): what about 2.0?
    ... I'd like to submit what it seems to be a bug as for the Unicode ... For these codes I get the following ... > static private void DumpSingleChar ...
  • Re: "Out of Memory" Error Message When Using a Template
    ... That looks like a bug to me... ... Transferring Unicode TEXT back to an application with very ... If you had external modules registered in your VBA, ... Since it's no longer possible to register OS components in Mac VBA, ...