SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Web Browser)  >  Internet Explorer (IE) Vendors:  Microsoft
Microsoft Internet Explorer Browser Can Be Crashed By Remote HTML Containing Malicious Image Tags That Cause Infinite Processing Loops
Date:  Apr 25 2002
Impact:  Denial of service via network
Exploit Included:  Yes  
Version(s): 6 and prior versions
Description:  A denial of service vulnerability was reported in Microsoft's Internet Explorer (IE) web browser. A remote user can create HTML that, when loaded, will cause IE to crash. On Windows 9x, this can affect system stability.

A stack overflow vulnerability was reported in IE. A remote user can create HTML that contains a specially crafted image tag so that, when the HTML is loaded by the target user, the target user's browser will crash.

The following type of tag will reportedly trigger this flaw:

<IMG src="::" onError="this.src='::';">

This tag will apparently cause IE to unsuccessfully attempt to display the image, firing the 'onError' event, which in turn resets the image source attribute to the same invalid src. This results in an infinite processing loop. According to the report, each time the onError event occurs, another return address is pushed on the stack until the stack is full and then overflows.

It is reported that not all versions of IE and Windows operating systems are affected in the same manner, and some combinations may not be affected at all.
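As an added illustration (not part of the SecurityTracker entry or the original advisory), the following standard-library Python scanner flags <IMG> tags whose onError handler reassigns the image's own src, which is the self-triggering pattern described above. It could run in a mail gateway or proxy content filter. The sample HTML and the helper names are constructed for this example.

```python
"""Added example: flag <IMG> tags whose onError handler re-points the image
src at itself, the self-firing onError loop described in the advisory.
Uses only the Python standard library; the sample HTML below is constructed."""
from html.parser import HTMLParser
import re

# Matches an assignment to this.src (or <name>.src) inside an event handler
# and captures the quoted value being assigned.
_SRC_ASSIGN = re.compile(
    r"""(?:this|[A-Za-z_]\w*)\.src\s*=\s*(['"])(.*?)\1""", re.IGNORECASE)


class SelfResettingImgScanner(HTMLParser):
    """Collects <img> elements whose onerror handler assigns to src."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        # HTMLParser lowercases attribute names; normalise missing values to ""
        attrs = {k: (v or "") for k, v in attrs}
        handler = attrs.get("onerror")
        if not handler:
            return
        m = _SRC_ASSIGN.search(handler)
        if not m:
            return
        src = attrs.get("src", "")
        new_src = m.group(2)
        self.findings.append({
            "line": self.getpos()[0],      # line number of the tag in the input
            "src": src,
            "onerror_src": new_src,
            # Re-assigning the same (failing) src makes onError fire again:
            # this is the infinite loop the advisory describes.
            "self_loop": new_src == src,
        })


def scan_html(html):
    """Return a list of findings for every <img> whose onerror sets src."""
    parser = SelfResettingImgScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one harmless image, one self-resetting tag of the kind
# quoted in the advisory, and one handler that falls back to a different file.
SAMPLE_HTML = """<html><body>
<img src="logo.png" alt="fine">
<IMG src="::" onError="this.src='::';">
<img src="a.png" onerror="this.src='fallback.png'">
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        flag = "SELF-LOOP" if finding["self_loop"] else "src-reassign"
        print(f"line {finding['line']}: {flag} src={finding['src']!r} "
              f"-> {finding['onerror_src']!r}")
```

The third tag in the sample is reported but not marked as a loop: swapping in a different fallback image is a legitimate pattern, although it still re-fires onError once if the fallback also fails, which is why the scanner records every src reassignment rather than only exact self-references.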

Impact:  A remote user can create HTML code that, when loaded on a user's browser, will cause the user's browser to crash. On Windows 9x platforms, the operating system may become unstable.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:  Boundary error, Exception handling error, State error
Underlying OS:  Windows (Any)
Reported By:  Berend-Jan Wever <skylined@edup.tudelft.nl>
Message History:   None.


 Source Message Contents

Date:  24 Apr 2002 14:54:49 -0000
From:  Berend-Jan Wever <skylined@edup.tudelft.nl>
Subject:  IE DoS and possibly exploitable stack overflow

------------------------------------------------------------
Advisory
I discovered a flaw in IE a while ago that can kill IE and 
can halt the entire system under Windows 9x. It didn't seem 
like a big deal to me at the time, but seeing the fuss 
about Matthew Murphy's discovery of a similar IE DoS (see 
bugtraq post at the bottom of this message) I hereby 
republish it and inform the vendor, Microsoft, about the 
problem.

Kind regards,


Berend-Jan Wever

------------------------------------------------------------
Affected software versions
Every version of IE (up to 6.0 fully patched) seems to be 
affected. The stability of Windows 9x can be affected by 
crashing IE.

------------------------------------------------------------
Explanation of the flaw
Exploitation causes a stack overflow. This will probably be 
exploitable but I am not familiar with stack overflow 
exploitation so I will leave that to the real h4x0rs.

Basic example of the flaw:
<IMG src="::" onError="this.src='::';">
What this does:
1) It creates an image with an invalid src
2) IE tries to show the picture but can't: it fires the 
onError-event
3) The onError-event resets the src attribute to the same 
invalid src.
4) goto 2

As you can see, it's based on an infinite loop: the onError 
event causes itself. Every time the onError event fires 
another return address is pushed on the stack until it's 
filled up and overflows.
Various variants of this error cause various overflows in 
various DLLs.
IE 6.0 seems to be better protected against fatal crashes 
than IE 5.0 and Windows 2000 seems to be unaffected while 
some variants will cause overflow in kernel32.dll and halt 
Win9x.
IE 6.0 will report the overflow with a popup message and 
continue to function most of the time but some variants 
will terminate all open IE windows without notification.

------------------------------------------------------------
More details
More details about various variants of this flaw can be 
found on my website. As you can imagine there are a lot of 
possibilities to create infinite loops.
http://spoor12.edup.tudelft.nl

------------------------------------------------------------
Vendor status
Microsoft is hereby informed of the problem. As far as I 
know, Infinite loops have been known to be a problem for 
some time now, that's why IE 6.0 is more stable (but not 
stable enough.)

------------------------------------------------------------
Original message to bugtraq by Matthew Murphy
The Flaw

    OBJECT elements are used for embedded OLE in HTML documents. A flaw in
the way Microsoft Internet Explorer processes this directive allows a page
that causes a loop in object dependency, or loads itself in a certain manner
in an OBJECT, to completely crash Internet Explorer.

The Exploit

    To date, I have discovered 4 points of exploitation to crash the
browser. My favorite example is this one:

---- [ CRASH.HTM ] ----
<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
---- [ CRASH.HTM ] ----

IE dies inside shdocvw.dll with a call stack overflow.

Fixes

    Set "Run ActiveX Controls and Plugins" to disabled in ALL zones. An XML
Island DSO may even be able to get past this, however. I would expect this
bug to be fixed in a future IE service pack, though there's been no
confirmation/details of that from Microsoft.


Copyright 2002, SecurityGlobal.net LLC