A new proof of concept was released that details how to crash IE 5 with a simple bitmap image. It's unclear as to the severity of the flaw which involes using a signed integer for an offset. See read more for original post.
From gta@hush.com:
I downloaded the Microsoft source code. Easy enough. It's a lot
bigger than Linux, but there were a lot of people mirroring it and so
it didn't take long.
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:
// Before we read the bits, seek to the correct location in the file
while (_bmfh.bfOffBits > (unsigned)cbRead)
{
BYTE abDummy[1024];
int cbSkip;
cbSkip = _bmfh.bfOffBits - cbRead;
if (cbSkip > 1024)
cbSkip = 1024;
if (!Read(abDummy, cbSkip))
goto Cleanup;
cbRead += cbSkip;
}
.. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an
offset. Now all we have to do is create a BMP with bfOffBits > 231,
and we're in. cbSkip goes negative and the Read call clobbers the
stack with our data.
See attached for proof of concept. index.html has [img src=1.bmp]
where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
Bring it up in IE5 (tested successfully on Win98) and get
EIP=0x44332211.
IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
worm will have to wait a bit...
.gta
PROPS TO the Fort and HAVE IT BE YOU.
Comments (0)
Topsight.net
http://www.topsight.net/article.php/20040216200924618