Internet Explorer supports XBM graphic files and tries to display them whenever they are referenced from an HTML file [in an IMG tag] or attached to an e-mail. A vulnerability has been found in the way Internet Explorer handles malformed XBM files; it allows a malicious user to crash IE while it consumes a large amount of CPU and memory (which is not freed upon the completion of the crash).
Credit:
The information has been provided by Adam [wp-ckkl].
Vulnerable systems:
* Internet Explorer 5.5
* Internet Explorer 6.0
* Outlook Express 5.0
* Outlook Express 6.0
The XBM structure is very simple: it is a text file with C-like syntax and looks, for example, like this:
#define picture_width ?? // picture width
#define picture_height ?? // picture height
static unsigned char picture_bits[] = { /* hex picture data */ };
IE doesn't properly check the content of XBM files, so a malformed file can force the browser or e-mail client to hang and then exit silently because of an Access Violation exception [as shown with the help of windbg, it is generated inside mshtml.dll].
IE does not check the width and height of the image, so any values can be written there and IE will try to interpret them, attempting to allocate enough memory for an oversized buffer.
When previewed, for example in Outlook Express, a malformed e-mail may force the client to exit (as may other clients that rely on IE).
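A defensive check for the missing validation described above, as an added example that is not part of the original advisory: it parses the XBM header and rejects files whose declared dimensions exceed a limit or do not match the amount of pixel data supplied. The function name `check_xbm`, the `MAX_DIM` limit of 4096 and the sample inputs are assumptions made for this example.

```python
import re

# Assumed policy limit for this example; not a value from the advisory.
MAX_DIM = 4096

_DEFINE = re.compile(r"^\s*#\s*define\s+\w*?(width|height)\b\s+(\S+)", re.M)
_ARRAY = re.compile(r"\{(.*?)\}", re.S)
_HEX = re.compile(r"0[xX][0-9a-fA-F]{1,2}\b")


def check_xbm(text, max_dim=MAX_DIM):
    """Return (ok, reason) for the text of an XBM file."""
    dims = {}
    for key, raw in _DEFINE.findall(text):
        # Accept only short ASCII decimal values before converting.
        if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
            return False, f"{key} is not a plain decimal number: {raw!r}"
        dims[key] = int(raw)
    for key in ("width", "height"):
        if key not in dims:
            return False, f"missing {key} define"
        if not 1 <= dims[key] <= max_dim:
            return False, f"{key} {dims[key]} outside 1..{max_dim}"
    body = _ARRAY.search(text)
    if body is None:
        return False, "missing bits array"
    have = len(_HEX.findall(body.group(1)))
    # Each row is padded to a whole number of bytes.
    need = ((dims["width"] + 7) // 8) * dims["height"]
    if have != need:
        return False, f"header needs {need} bytes, array holds {have}"
    return True, "ok"


# Constructed samples, not files from the advisory.
GOOD = """#define picture_width 16
#define picture_height 2
static unsigned char picture_bits[] = { 0xff, 0x00, 0x00, 0xff };
"""
# Header declares more pixels than the array supplies.
MISMATCH = GOOD.replace("picture_height 2", "picture_height 2000")
OVERSIZED = GOOD.replace("picture_width 16", "picture_width 99999999")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("mismatch", MISMATCH), ("oversized", OVERSIZED)):
        print(name, check_xbm(sample))
```

A mail gateway or proxy could run such a check on XBM attachments and inline images before they reach a client that renders them.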
Demonstration:
For an example of such a malformed e-mail, download one from here:
http://www.sztolnia.pl/hack/xbmbug/xbmbug.eml