COMMAND

    Outlook Express crash via html e-mail tags

SYSTEMS AFFECTED

    Outlook Express, any version between 5 and 6, with all patches applied

PROBLEM

    Stefano "Raistlin" Zanero [http://gioco.net/] says :

    --snipp--
    The problem shows up when decoding an HTML e-mail with an <A HREF> link
    longer than 4095 characters. Outlook Express crashes altogether for
    overflow.
    --snipp--

    Update (12 September 2002)
    ======

    Berend-Jan Wever 'SkyLined' comments :

    Outlook Express (version 6.00.2600.0000) is vulnerable, the bug is in
    mshtml.dll (version 6.0.2719.2200).

    This looks like a unicode off-by-one: the code puts a unicode 0 behind
    the href to terminate the string. The buffer for href is limited to
    8192 bytes, 4096 unicode chars. This 0 is put behind the last char to
    terminate, causing a word after the buffer to be overwritten with
    0x0000. This word is part of a saved ebp. When ebp is popped off the
    stack, the least significant two bytes have been overwritten with 0;
    later on eax is set to "ebp-8" and this causes an exception:

        635ddb9f 8908    mov [eax],ecx    ([0005fff8]=????????)

    The only thing you can accomplish with this is to partially overwrite
    ebp; it does not seem exploitable other than a DoS to me.

SOLUTION
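The off-by-one described by SkyLined, modelled as an added C example (not code from the advisory or from mshtml.dll): a fixed-size UTF-16 buffer whose terminator is written at index `len` even when `len` equals the buffer size, so the word immediately past the buffer is zeroed. The buffer is scaled down to 16 code units, and the slot past its end stands in for the low half of the saved ebp; the sentinel value 0xBEEF and all function names are constructed for the demonstration. The fixed variant reserves one unit for the terminator.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Scaled-down model of the href buffer: HREF_CHARS UTF-16 code units,
 * with mem[HREF_CHARS] representing the word that follows the buffer on
 * the stack (in the real bug, the low half of a saved ebp). */
#define HREF_CHARS 16

typedef struct {
    uint16_t mem[HREF_CHARS + 1];
} href_frame;

/* Vulnerable pattern: clamp the copy to HREF_CHARS units, then write the
 * terminator at mem[len]. When len == HREF_CHARS, the 0 lands one unit
 * past the buffer and clobbers the adjacent word. */
static void copy_href_offbyone(href_frame *f, const uint16_t *src, size_t n) {
    size_t len = n > HREF_CHARS ? HREF_CHARS : n;
    memcpy(f->mem, src, len * sizeof(uint16_t));
    f->mem[len] = 0;
}

/* Fixed pattern: reserve one unit for the terminator, so the terminator
 * index can never exceed HREF_CHARS - 1. */
static void copy_href_fixed(href_frame *f, const uint16_t *src, size_t n) {
    size_t len = n > HREF_CHARS - 1 ? HREF_CHARS - 1 : n;
    memcpy(f->mem, src, len * sizeof(uint16_t));
    f->mem[len] = 0;
}

/* Copies an href of href_len 'A' characters (href_len <= 64) and returns
 * the word past the buffer. It starts as the constructed sentinel 0xBEEF;
 * 0x0000 afterwards means the terminator overwrote it. */
uint16_t saved_word_after_copy(int use_fixed, size_t href_len) {
    href_frame f;
    uint16_t src[64];
    for (size_t i = 0; i < 64; i++) src[i] = 0x0041;   /* 'A' as UTF-16 */
    if (href_len > 64) href_len = 64;
    f.mem[HREF_CHARS] = 0xBEEF;                         /* stand-in saved ebp */
    if (use_fixed) copy_href_fixed(&f, src, href_len);
    else           copy_href_offbyone(&f, src, href_len);
    return f.mem[HREF_CHARS];
}

int main(void) {
    printf("off-by-one, len=%d: 0x%04x\n", HREF_CHARS, saved_word_after_copy(0, HREF_CHARS));
    printf("fixed,      len=%d: 0x%04x\n", HREF_CHARS, saved_word_after_copy(1, HREF_CHARS));
    return 0;
}
```

An href shorter than the buffer leaves the adjacent word intact in both variants; only the exact-length (or longer, clamped) case zeroes it in the vulnerable one.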