Technical details: IE tries to compare the type of the input field to "HIDDEN", to see if it should be rendered. When there is no type string, a null-pointer is used. mshtml.dll calls shlwapi.dll#158 @ 0x636f0037 with a pointer to a static unicode string "HIDDEN" and a null-pointer. shlwapi.dll#158 does a case-insensitive comparison of two unicode strings: it reads from address 0x0 because of the null-pointer and thus causes an exception. This is not exploitable, other then a DoS because there is no memory mapped @ 0x0 and even if you could load something there, you could only compare it to "HIDDEN" which gets you nowhere. Berend-Jan Wever ----- Original Message ----- From: "Gervaize Maquard" <freestyler@tiscali.fr> To: <bugtraq@securityfocus.com> Sent: Tuesday, April 22, 2003 22:29 Subject: RE : IE / Outlook / MS SHLWAPI Render - more trivial crash > Original message : > > >Hola: > >Well, as it seems that is the Microsoft Crash mounth, let see another > one: > >--------------------------------- > ><html> > ><form> > ><input type crash> > ></form> > ></html> > >--------------------------------- > >This will crash IE with the following error: > >"Unhandled exception in iexplore.exe (SHLWAPI.DLL): 0xC0000005: Access > >Violation" > >It's a null pointer overwrite, so it's not easly exploitable... > > >This HTML also crash Outlook, Frontpage, and all the Microsoft programs > that >use the shlwapi.dll library to render web code. > >Plain HTML is a dangerous language :) > > Added : > > It also seems to crash explorer.exe when the .html file containing the > code is copied into any folder !! > It may work since windows is trying to create a view in Windows > explorer. Indeed, it doesn't work when the file is copied in the > desktop. > > Tested on Windows XP with Office XP. >
