
FW: MSIE buffer overrun


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: FW: MSIE buffer overrun
  • From: Russ <Russ.CooperRC.ON.CA>
  • Date: Fri, 20 Mar 1998 14:37:09 -0500
  • Comments: cc: "guninskiHOTMAIL.COM" <guninskiHOTMAIL.COM>
  • Reply-To: Russ <Russ.CooperRC.ON.CA>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

Folks, I picked this one up from the Bugtraq mailing list.

IMPORTANT NOTE!!!

The original message contained some HTML which caused some mail readers
(those stupid HTML mail readers) to crash, since the code causes a
buffer overrun. I have modified the HTML to prevent it causing a mail
reader to crash, see below.

Georgi, if you read NTBugtraq, sorry to modify your message.

Cheers,
Russ - NTBugtraq moderator

-----Original Message-----
From: Georgi Guninski [mailto:guninskiHOTMAIL.COM]
Sent: Friday, March 20, 1998 5:10 AM
To: BUGTRAQNETSPACE.ORG
Subject: MSIE buffer overrun


Microsoft Internet Explorer 4.0 (don't know about other versions)
can be crashed and eventually made to execute arbitrary code
with a little help from the <EMBED> tag.

The following:
<EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
opens a dialog box and closes IE 4.0.
It seems that the long file extension causes a stack overrun.

The stack is smashed - full of our values, EIP is also ours and CS=SS.
So probably a string could be constructed, executing code at the
client's machine.

Solution: Do not browse hostile pages.
To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html


Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

-----------------------cut here and save as crashmsie.html---------------------
<This_was_an_HTML_tag>
Trying to crash IE 4.0
<This_was_EMBED
SRC=file://C|/A.01234567890123456789012345678901234567890123456789012345
678901234567890123456789012345678901234567890123456789012345678901234567
890123456789012345678901234567890123456789012345678901234567890123456789
0123456789012345678901234567890123456789>
                                                               40
80
160                    170                 180                 190
200
<This_was_an_/HTML_tag>
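
The bug class the post describes (a long file extension overrunning a stack buffer) comes down to copying the extension without first checking its length. The following is an added example, not part of the original messages and not Internet Explorer's code: a bounded extension copy that rejects an overlong extension instead of writing past the buffer. The names `ext_copy`, `ext_status` and the `EXT_MAX` limit are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define EXT_MAX 16  /* assumed buffer size for this example, not from the post */

/* Result codes for ext_copy() (hypothetical names). */
enum ext_status { EXT_OK = 0, EXT_NONE = 1, EXT_TOO_LONG = 2, EXT_BAD_ARG = 3 };

/*
 * Copy the file extension of `path` (the text after the last '.' in the
 * final path component) into out[outlen].
 *
 * The unsafe pattern this replaces is
 *     char ext[EXT_MAX]; strcpy(ext, dot + 1);
 * which writes past `ext` whenever the extension is longer than the buffer.
 * Here the length is measured first and an overlong extension is rejected
 * rather than truncated, so the caller never acts on a partial value.
 */
enum ext_status ext_copy(const char *path, char *out, size_t outlen)
{
    const char *base, *dot, *p;
    size_t n;

    if (path == NULL || out == NULL || outlen == 0)
        return EXT_BAD_ARG;
    out[0] = '\0';              /* defined result on every failure path */

    /* Locate the last path component so a '.' in a directory name is ignored. */
    base = path;
    for (p = path; *p != '\0'; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;

    dot = strrchr(base, '.');
    if (dot == NULL || dot[1] == '\0')
        return EXT_NONE;

    n = strlen(dot + 1);
    if (n >= outlen)            /* no room for the bytes plus the terminator */
        return EXT_TOO_LONG;

    memcpy(out, dot + 1, n + 1); /* n + 1 copies the terminating NUL too */
    return EXT_OK;
}
```

Callers should treat `EXT_TOO_LONG` as a reason to refuse the resource outright, since a truncated extension could be matched against the wrong handler.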