Re: Small bug crashes OE

From: Berend-Jan Wever
Date: Wed, 11 Sep 2002 12:11:12 +0200

Outlook Express (version 6.00.2600.0000) is vulnerable; the bug is in
mshtml.dll (version 6.0.2719.2200).
This looks like a unicode off-by-one: the code puts a unicode 0 behind the
href to terminate the string. The buffer for href is limited to 8192 bytes,
4096 unicode chars. This 0 is put behind the last char to terminate, causing
a word after the buffer to be overwritten with 0x0000. This word is part of
a saved ebp. When ebp is popped off the stack, the least significant two
bytes have been overwritten with 0; later on eax is set to "ebp-8" and this
causes an exception:
635ddb9f 8908 mov [eax],ecx ([0005fff8]=????????)
The only thing you can accomplish with this is to partially overwrite ebp; it
does not seem exploitable other than a DoS to me.
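The off-by-one described above, modelled as an added C example (not code from this post or from mshtml.dll): a fixed 4096-unit UTF-16 buffer with a stand-in saved ebp placed right after it, the buggy copy that writes the terminator one unit past the end beside a fixed copy that reserves room for it, and the ebp-8 arithmetic that turns the clobbered value into a faulting address. The struct layout, the function names and the starting saved-ebp value 0x0006ffc8 are constructed assumptions; with that value the result lines up with the 0x0005fff8 in the quoted debugger line.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the layout the post describes: a fixed 8192-byte buffer
 * holding 4096 UTF-16 code units, followed by a word standing in for the saved
 * frame pointer. Struct and function names are assumptions for illustration,
 * not anything taken from mshtml.dll. */
#define HREF_CHARS 4096

struct frame_model {
    uint16_t href[HREF_CHARS];   /* 8192 bytes: the href buffer */
    uint32_t saved_ebp;          /* word that sits immediately after it */
};

typedef void (*copy_fn)(struct frame_model *, const uint16_t *, size_t);

/* Buggy copy: the length check allows exactly HREF_CHARS units, so the
 * terminator is written at index HREF_CHARS, one unit past the buffer.
 * The write goes through an unsigned char view of the struct so this program
 * stays well-defined; on a real stack the same write lands on whatever
 * happens to follow the buffer. */
static void copy_href_buggy(struct frame_model *f, const uint16_t *src, size_t len)
{
    const uint16_t terminator = 0;
    if (len > HREF_CHARS)
        len = HREF_CHARS;
    memcpy(f->href, src, len * sizeof(uint16_t));
    memcpy((unsigned char *)f + len * sizeof(uint16_t), &terminator, sizeof terminator);
}

/* Fixed copy: reserve one unit for the terminator, so the longest accepted
 * href is HREF_CHARS - 1 units and the 0 always lands inside the buffer. */
static void copy_href_fixed(struct frame_model *f, const uint16_t *src, size_t len)
{
    if (len > HREF_CHARS - 1)
        len = HREF_CHARS - 1;
    memcpy(f->href, src, len * sizeof(uint16_t));
    f->href[len] = 0;
}

/* Run a maximal-length (HREF_CHARS units) copy through `copy` and return the
 * value left in the word after the buffer. */
static uint32_t ebp_after_copy(copy_fn copy)
{
    static uint16_t src[HREF_CHARS];
    struct frame_model f;
    for (size_t i = 0; i < HREF_CHARS; i++)
        src[i] = (uint16_t)'A';
    f.saved_ebp = 0x0006ffc8u;   /* constructed stand-in for a saved ebp */
    copy(&f, src, HREF_CHARS);
    return f.saved_ebp;
}

/* The post says eax is later loaded with ebp-8 and then dereferenced. */
static uint32_t faulting_address(uint32_t ebp)
{
    return ebp - 8;
}

int main(void)
{
    uint32_t buggy = ebp_after_copy(copy_href_buggy);
    uint32_t fixed = ebp_after_copy(copy_href_fixed);
    /* On little-endian x86 the terminator zeroes the low 16 bits:
     * 0x0006ffc8 becomes 0x00060000, and ebp-8 is then 0x0005fff8. */
    printf("buggy copy: saved ebp = %08x, ebp-8 = %08x\n", buggy, faulting_address(buggy));
    printf("fixed copy: saved ebp = %08x\n", fixed);
    return 0;
}
```

Build with any C compiler and run; the buggy path shows the low two bytes of the stand-in saved ebp cleared exactly as the post describes, while the fixed path leaves it untouched. The mitigation is the one-line capacity check in copy_href_fixed: size the limit in code units, not bytes, and count the terminator as one of them.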


----- Original Message -----
From: Kilian CAVALOTTI
To: Raistlin ; BugTraq
Sent: Tuesday, September 10, 2002 6:19
Subject: Re: Small bug crashes OE


Raistlin wrote:
> It's not difficult to exploit this vuln. Please find enclosed a
> simple e-mail which should crash the mailer. Let me know if this does
> not happen on international versions, or with strange patches
> applied.

Hi!

It does not affect my system (Windows XP SP1 build
2600.xpsp1.020828-1920 - IE6 SP1 6.0.2600.1106.xpsp1.020828-1920). I can
simply open the example message you provide, edit its source, preview
it, and send it, with no problem at all: no freeze, no hang up, no slow
down, no crash.

Seems to be more of an OS-related problem than a browser one.


--
Kilian CAVALOTTI | GPGKeyId: 0xD657340C
BOFH excuse #165:
Backbone Scoliosis
