---------------------------------------------------------------------------------------------------------------------------------------
Advisory
I discovered a flaw in IE a while ago that can kill IE and can halt the entier system under windows 9x. It didn't seem like a big deal to me at the time, but seeing the fuzz about Matthew Murphy's discovery of a similar IE DoS (see bugtraq post at the bottom of this message) I hereby republish it and inform the vendor, Microsoft, about the problem.

Kind regards,

Berend-Jan Wever

---------------------------------------------------------------------------------------------------------------------------------------
Affected software versions
Every versionof IE (up to 6.0 fully patched) seems to be affected. The stability of Windows 9x can be affected by crashing IE.

---------------------------------------------------------------------------------------------------------------------------------------
Explanation of the flaw
Exploitation causes a stack overflow. This will probably be exploitable but I am not familiar with stack overflow exploitation so I will leave that to the real h4x0rs.

Basic example of the flaw:
<IMG src="::" onError="this.src='::';">
What this does:
1) It creates an image with an invalid src
2) IE tries to show the picture but can't: it fires the onError-event
3) The onError-event resets the src attribute to the same invalid src.
4) goto 2

As you can see, it's based on an infinite loop: The onError event causes itself. Every time the onError event fires another return addresses is pushed on the stack until it's filled up and overflows.
Various variants of this error cause various overflows in various DLL's.
IE 6.0 seems to be better protected against fatal crashes than IE 5.0 and windows 2000 seems te be unaffected while some variants will cause overflow in kernel32.dll and halt win9x.
IE 6.0 will report the overflow with a popup message and continue to function most of the time but some variants will terminate all open IE windows without notification.

---------------------------------------------------------------------------------------------------------------------------------------
More details
More details about various variants of this flaw can be found on my website. As you can imagine there are a lot of possibilities to create infinite loops.
http://spoor12.edup.tudelft.nl

---------------------------------------------------------------------------------------------------------------------------------------
Vendor status
Microsoft is hereby informed of the problem. As far as I know, Infinite loops have been known to be a problem for some time now, that's why IE 6.0 is more stable (but not stable enough.)

---------------------------------------------------------------------------------------------------------------------------------------
Origional message to bugtraq by Matthew Murphy
The Flaw

    OBJECT elements are used for embedded OLE in HTML documents. A flaw in
the way Microsoft Internet Explorer processes this directive allows a page
that causes a loop in object dependancy, or loads itself in a certain manner
in an OBJECT, to completely crash Internet Explorer.

The Exploit

    To date, I have discovered 4 points of exploitation to crash the
browser. My favorite example is this one:

---- [ CRASH.HTM ] ----
<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
---- [ CRASH.HTM ] ----

IE dies inside shdocvw.dll with a call stack overflow.

Fixes

    Set "Run ActiveX Controls and Plugins" to disabled in ALL zones. An XML
Island DSO may even be able to get past this, however. I would expect this
bug to fixed in a future IE service pack, though there's been no
confirmation/details of that from Microsoft.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]