Reported May 17, 2004, by Mike
Mauler
VERSIONS AFFECTED
- Microsoft Internet
Explorer (IE) 6.0 Service Pack 1 (SP1)
|
DESCRIPTION
A vulnerability in IE 6.0 SP1 could result in a Denial of Service (DoS)
condition. By using a malformed HTML page containing JavaScript code with a
specially crafted META tag, a potential attacker could cause IE to terminate
with an access violation.
DEMONSTRATION
The discoverer posted the following code as proof of concept:
The following script code
will cause Internet Explorer to crash when trying to parse the META tag
contained within. The problem stems from a bug in the MSHTML library
(mshtml.dll). Below is the script code that causes the crash:
<scr!pt type="text/javascript">
Wnd = window.createPopup();
Wnd.document.body.innerHTML='<meta
http-equiv="imagetoolbar" content="no">';
</scr!pt>
The effect of the META tag is to cause an access violation within mshtml.dll,
however not exploitable. The problematic piece of code is shown below:
636D54AF 8B48
2C MOV ECX,
[EAX+2C]
EAX = 0, Bad read of address 0x0000002C
VENDOR RESPONSE
Microsoft hasn't
released a fix or bulletin that addresses this vulnerability.
CREDIT
Discovered by Mike Mauler.
End of Article
Register
Meta tags aren't valid in the body, only in the head. The browser imputes the html and body elements in an empty document but it's under no onus to impute a head element.
So it choked on bad code? If someone codes a page this way, it's Microsoft's fault that the client's browser crashes? At absolute worst this represents a missed opportunity for judicious null-checking. This does not belong in a security bulliten.
Could it be that someone has way too much time on his hands?
-Mark
Mark McGinty May 25, 2004