Outlook Express (version 6.00.2600.0000) is vulnerable; the bug is in mshtml.dll (version 6.0.2719.2200).

This looks like a unicode off-by-one: the code puts a unicode 0 behind the href to terminate the string. The buffer for href is limited to 8192 bytes, 4096 unicode chars. This 0 is put behind the last char to terminate, causing a word after the buffer to be overwritten with 0x0000. This word is part of a saved ebp. When ebp is popped off the stack, the least significant two bytes have been overwritten with 0; later on eax is set to "ebp-8" and this causes an exception:

635ddb9f 8908 mov [eax],ecx ([0005fff8]=????????)

The only thing you can accomplish with this is to partially overwrite ebp; it does not seem exploitable other than a DoS to me.

SkyLined

----- Original Message -----
From: Kilian CAVALOTTI
To: Raistlin ; BugTraq
Sent: Tuesday, September 10, 2002 6:19
Subject: Re: Small bug crashes OE

Raistlin wrote:
> It's not difficult to exploit this vuln. Please find enclosed a
> simple e-mail which should crash the mailer. Let me know if this does
> not happen on international versions, or with strange patches
> applied.

Hi!

It does not affect my system (Windows XP SP1 build 2600.xpsp1.020828-1920 - IE6 SP1 6.0.2600.1106.xpsp1.020828-1920). I can simply open the example message you provide, edit its source, preview it, and send it, with no problem at all: no freeze, no hang up, no slow down, no crash.

Seems to be more an OS-related problem than a browser one.

HTH,
- --
Kilian CAVALOTTI | GPGKeyId: 0xD657340C
BOFH excuse #165: Backbone Scoliosis
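The terminator off-by-one that SkyLined describes, as an added example (this is constructed illustration code, not code from the thread or from mshtml.dll): the href data copy is bounded to 4096 UTF-16 units, but the terminating zero is written at index `len`, which lands one unit past the buffer when the href is exactly full. The frame layout, the sample saved-ebp value 0x0012FF88 and the little-endian adjacency are modelled explicitly in one array so the effect is deterministic and free of undefined behaviour; the hardened variant simply reserves one unit for the terminator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HREF_CHARS  4096                 /* 8192 bytes, as in the report */
#define FRAME_UNITS (HREF_CHARS + 2)     /* buffer plus the 32-bit word after it */

/* Model of the stack region: href[0..4095], then the saved ebp (little-endian),
 * so the low 16 bits of ebp sit at frame[HREF_CHARS]. Constructed layout. */
static void frame_init(uint16_t *frame, uint32_t saved_ebp) {
    memset(frame, 0, FRAME_UNITS * sizeof(uint16_t));
    frame[HREF_CHARS]     = (uint16_t)(saved_ebp & 0xFFFFu);
    frame[HREF_CHARS + 1] = (uint16_t)(saved_ebp >> 16);
}

static uint32_t frame_saved_ebp(const uint16_t *frame) {
    return (uint32_t)frame[HREF_CHARS] | ((uint32_t)frame[HREF_CHARS + 1] << 16);
}

/* Vulnerable pattern: the data copy is clamped, the terminator write is not. */
static uint32_t copy_href_vulnerable(const uint16_t *src, size_t len) {
    uint16_t frame[FRAME_UNITS];
    frame_init(frame, 0x0012FF88u);              /* constructed sample ebp */
    if (len > HREF_CHARS) len = HREF_CHARS;
    memcpy(frame, src, len * sizeof(uint16_t));
    frame[len] = 0;   /* len == HREF_CHARS: zeroes the low half of saved ebp */
    return frame_saved_ebp(frame);
}

/* Hardened pattern: clamp to HREF_CHARS - 1 so the terminator stays inside. */
static uint32_t copy_href_fixed(const uint16_t *src, size_t len) {
    uint16_t frame[FRAME_UNITS];
    frame_init(frame, 0x0012FF88u);
    if (len > HREF_CHARS - 1) len = HREF_CHARS - 1;
    memcpy(frame, src, len * sizeof(uint16_t));
    frame[len] = 0;   /* always within href[] */
    return frame_saved_ebp(frame);
}

/* Constructed input: an href of exactly 4096 'A' units, the triggering length. */
static const uint16_t *sample_href(void) {
    static uint16_t href[HREF_CHARS];
    for (size_t i = 0; i < HREF_CHARS; i++) href[i] = (uint16_t)'A';
    return href;
}

int main(void) {
    printf("vulnerable: saved ebp 0x%08X\n", copy_href_vulnerable(sample_href(), HREF_CHARS));
    printf("fixed:      saved ebp 0x%08X\n", copy_href_fixed(sample_href(), HREF_CHARS));
    return 0;
}
```

Any href shorter than 4096 units leaves the saved ebp intact in both variants, which is why the crash depends on hitting the buffer size exactly, and why the corruption is limited to the two low bytes rather than a controlled overwrite.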