RE: RE : IE / Outlook / MS SHLWAPI Render - more trivial crash

From: kajbaf (kajbaf_at_cse.shirazu.ac.ir)
Date: 04/29/03

  • Next message: Lucas Holt: "Re: Windows Server 2003 Security Guide available"
    To: <bugtraq@securityfocus.com>
    Date: Tue, 29 Apr 2003 21:57:34 +0330
    
    

    > -----Original Message-----
    > From: Gervaize Maquard [mailto:freestyler@tiscali.fr]
    > Sent: Wednesday, April 23, 2003 12:00 AM
    > To: bugtraq@securityfocus.com
    > Subject: RE : IE / Outlook / MS SHLWAPI Render - more trivial crash
    >
    >
    > Original message :
    >
    > >Hola:
    > >Well, as it seems that is the Microsoft Crash mounth, let see another
    > one:
    > >---------------------------------
    > ><html>
    > ><form>
    > ><input type crash>
    > ></form>
    > ></html>
    > >---------------------------------
    > >This will crash IE with the following error:
    > >"Unhandled exception in iexplore.exe (SHLWAPI.DLL):
    > 0xC0000005: Access
    > >Violation" It's a null pointer overwrite, so it's not easly
    > >exploitable...
    >
    > >This HTML also crash Outlook, Frontpage, and all the
    > Microsoft programs
    > that >use the shlwapi.dll library to render web code.
    > >Plain HTML is a dangerous language :)
    >
    > Added :
    >
    > It also seems to crash explorer.exe when the .html file
    > containing the code is copied into any folder !! It may work
    > since windows is trying to create a view in Windows explorer.
    > Indeed, it doesn't work when the file is copied in the desktop.
    >
    > Tested on Windows XP with Office XP.
    >

            Not only on winXP; it has the same effect on win2000 server and
    advanced server; windows.NET advanced server & interprise server RC1;
    RC2 & the release version. With office XP or 2000 or without them.
    Of course you could delete the file through the command prompt. :D
            Another interesting thing; in win2000 and winXP, the browser (
    iexplore or explorer or ... ) hangs & shows the message that send this
    error to microsoft & restart the browser.
    In win.NET it crashes the browser & restarts it without any message.
    But.....
            After u log off & again log on; it now shows the messages to
    you; one by one.
    It shows the stability of .NET system that keeps the messages for u. :))


  • Next message: Lucas Holt: "Re: Windows Server 2003 Security Guide available"