Internet Explorer remote buffer overflow via XBM graphics
2nd May 2002 [SBWID-5323]
COMMAND

	IE remote buffer overflow via XBM graphics

SYSTEMS AFFECTED

	IE 6.0

PROBLEM

	Adam Baszczyk [http://www.mykakee.com] [http://www.sztolnia.pl] says:

	Internet Explorer [only 6.0] allows the usage of XBM graphic files and
	tries to display them whenever they're used in any HTML file [as IMG
	tag] or when attached to an e-mail.

	The XBM structure is very simple: it is a text file with C-like syntax
	and, for example, looks like:
	

	#define picture_width ?? // picture width
	#define picture_height ?? // picture height
	static unsigned char picture_bits[] = { //hex picture data
	};

	

	IE doesn't properly check the content of XBM files, and you may force
	the browser/e-mail client to hang, which will end in its silent exit
	because of an Access Violation exception [as shown with the great
	help of windbg, it is generated inside mshtml.dll].

	IE doesn't check the width and height of the image, so you may write
	whatever you want and IE will try to interpret it, trying to allocate
	enough memory for an oversized buffer.

	When previewed, for example in Outlook Express, a malformed e-mail may
	force this client to exit (and others that rely on IE).

	For an example of such a malformed e-mail, download one from my homepage
	and try to open it by clicking it in Windows Explorer.
	

	http://www.sztolnia.pl/hack/xbmbug/xbmbug.eml

	

	Don't forget to run OE first :)
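
The missing check described above (declared width and height are trusted before memory is sized) is shown here as an added example; it is not code from the advisory or from Internet Explorer. It assumes the X11 XBM layout, where each row is padded to whole bytes, and the names `xbm_validate`, `xbm_dim`, `xbm_count_bytes` and the `XBM_MAX_DIM` limit are hypothetical choices for illustration.

```c
#include <stdlib.h>
#include <string.h>
#define XBM_MAX_DIM 4096UL /* assumed policy limit, not from the advisory */
enum xbm_status { XBM_OK, XBM_BAD_DIM, XBM_DATA_MISMATCH };

/* Constructed samples: a valid 8x2 image, then the same data with huge dimensions. */
static const char XBM_GOOD[] = "#define t_width 8\n#define t_height 2\n"
    "static unsigned char t_bits[] = { 0xff, 0x81 };\n";
static const char XBM_HUGE[] = "#define t_width 4000000000\n#define t_height 4000000000\n"
    "static unsigned char t_bits[] = { 0xff, 0x81 };\n";

/* Decimal value following the first "<suffix>" token; 0 if absent or malformed. */
static unsigned long xbm_dim(const char *src, const char *suffix)
{
    const char *p = strstr(src, suffix);
    char *end;
    if (!p) return 0;
    for (p += strlen(suffix); *p == ' ' || *p == '\t'; p++) ;
    if (*p < '0' || *p > '9') return 0;
    unsigned long v = strtoul(p, &end, 10); /* ULONG_MAX on overflow */
    return (*end == '\0' || *end == '\n' || *end == '\r' || *end == ' ') ? v : 0;
}

/* Count the numeric literals between '{' and '}' of the bits array. */
static size_t xbm_count_bytes(const char *src)
{
    const char *p = strchr(src, '{');
    size_t count = 0;
    char *end;
    for (p = p ? p + 1 : ""; *p && *p != '}'; p = (end == p) ? p + 1 : end) {
        strtoul(p, &end, 0);
        if (end != p) count++;
    }
    return count;
}

/* Accept only sane dimensions whose implied size equals the data actually present. */
enum xbm_status xbm_validate(const char *src, size_t *need)
{
    unsigned long w = xbm_dim(src, "_width"), h = xbm_dim(src, "_height");
    if (w == 0 || h == 0 || w > XBM_MAX_DIM || h > XBM_MAX_DIM) return XBM_BAD_DIM;
    *need = (size_t)((w + 7) / 8) * (size_t)h; /* rows pad to whole bytes; max 512*4096 */
    return xbm_count_bytes(src) == *need ? XBM_OK : XBM_DATA_MISMATCH;
}

int main(void)
{
    size_t need = 0;
    return xbm_validate(XBM_GOOD, &need) != XBM_OK || xbm_validate(XBM_HUGE, &need) != XBM_BAD_DIM;
}
```

Because both dimensions are bounded before the multiplication, the computed size cannot wrap, and a file is rejected before any buffer is allocated from header values alone.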

SOLUTION

	??
