MSIE buffer overrun

Georgi Guninski (guninski@hotmail.com)
Fri, 20 Mar 1998 12:09:46 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Peter van Dijk: "bug in su (Slackware 3.4)"
Previous message: Magosanyi Arpad: "Lotus Notes security hole"
Next in thread: Christian Holmqvist: "Re: MSIE buffer overrun"

Microsoft Internet Explorer 4.0 (don't know for other versions)
can be crashed and eventually made execute arbitrary code
with a little help of the <EMBED> tag.

The following:
<EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
opens a dialog box and closes IE 4.0.
It seems that the long file extension causes stack overrun.

The stack is smashed - full with our values, EIP is also ours and CS=SS.
So probably a string could be constructed, executing code at the
client's machine.

Solution: Do not browse hostile pages.
To try this: http://www.geocities.com/ResearchTriangle/1711/msie.html

Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

-----------------------cut here and save as
crashmsie.html---------------------
Trying to crash IE 4.0 40 80 160 170 180 190 200

Next message: Peter van Dijk: "bug in su (Slackware 3.4)"
Previous message: Magosanyi Arpad: "Lotus Notes security hole"
Next in thread: Christian Holmqvist: "Re: MSIE buffer overrun"