On 10 Mar 2003, Tom Tanaka wrote:

> CANON SYSTEM SOLUTIONS INC. Security Alert
>
> VULNERABILITY:.MHT Buffer Overflow in Internet Explorer
>
> DATE FOUND:March 2, 2003
>
> Severity:High Risk(code can be executed remotely)

[snip]

> The following error will occur when the above file is browsed by IE5.
>
> Unhandled exception in iexplore.exe: 0xC0000005: Access Violation.
>
>
>
> By debugging through the crash dump, the exception error is generated at
> the EIP(32-bit Instruction Pointer)=74CF497E called from inetcomm.dll to
> Kernel32.
>
> Register
> EAX = 00000000 EBX = 05AD3A20 ECX = 001FE074 EDX = 001FE190
> ESI = 05AD39D8 EDI = 00000000 [EIP = 74CF497E] ESP = 0607B2BC
> EBP = 0607B2FC EFL = 00000246

[snip]

> 74cf497b 8b461c mov eax,dword ptr [esi+1c]
> 74cf497e 8b08 mov ecx,dword ptr [eax] //Exception

At first glance, doesn't this look like a null pointer reference bug
rather than a buffer overflow? The message didn't (clearly) specify which
four bytes of memory the attacker could overwrite and how it would be
possible to gain control of the program flow. Since you have classified
this as critical, perhaps you could clarify these points? Does there
exist a working exploit which does something else than crash IE? Thanks,

--
Jouko Pynnonen Online Solutions Ltd Secure your Linux -
jouko (at) solutions (dot) fi [email concealed] http://www.secmod.com

[ reply ]