Outlook crash via html email tags
10th Sep 2002 [SBWID-5678]

		Outlook Express crash via html e-mail tags


		Outlook Express, any version between 5 and 6, with all patches applied


		Stefano "Raistlin" Zanero [http://gioco.net/] says:


		The problem shows up when decoding an HTML e-mail with an <A HREF>
		link longer than 4095 characters. Outlook Express crashes altogether
		due to an overflow.


		Update (12 September 2002)



		Berend-Jan Wever 'SkyLined' comments:

		Outlook Express (version 6.00.2600.0000) is vulnerable; the bug is in
		mshtml.dll (version 6.0.2719.2200).

		This looks like a Unicode off-by-one: the code puts a Unicode 0 behind
		the href to terminate the string. The buffer for href is limited to
		8192 bytes, 4096 Unicode chars. This 0 is put behind the last char to
		terminate it, causing a word after the buffer to be overwritten with
		0x0000. This word is part of a saved ebp. When ebp is popped off the
		stack, the least significant two bytes have been overwritten with 0;
		later on eax is set to "ebp-8" and this causes an exception:

		635ddb9f 8908             mov     [eax],ecx         ([0005fff8]=????????)


		The only thing you can accomplish with this is a partial overwrite of
		ebp; it does not seem exploitable other than a DoS to me.

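		The off-by-one pattern described above, as an added example written for this page (not code from Outlook Express or mshtml.dll): a 4096-unit href buffer is modelled as one array, with a constructed sentinel word standing in for the low word of the saved ebp. The vulnerable copy writes its terminator one element past the buffer and clobbers the sentinel; the fixed copy reserves room for the terminator. All names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 8192-byte href buffer = 4096 UTF-16 code units, the limit named in the advisory. */
#define HREF_CHARS 4096
#define SENTINEL   0xBEEF  /* constructed stand-in for the low word of a saved ebp */

/* Model of the relevant stack region: the href buffer followed directly by the
 * word the terminator write clobbers, kept in one array so the demo is well-defined C. */
typedef struct {
    uint16_t words[HREF_CHARS + 1];   /* [0..4095] = href, [4096] = saved word */
} href_frame;

static void frame_init(href_frame *f) {
    memset(f->words, 0, sizeof f->words);
    f->words[HREF_CHARS] = SENTINEL;
}

/* Vulnerable pattern: clamp the copy to the buffer size, then write the
 * terminator at words[len]. With a 4096-unit href the 0x0000 lands on the
 * word after the buffer. Returns the number of code units copied. */
static size_t copy_href_offbyone(href_frame *f, const uint16_t *src, size_t len) {
    if (len > HREF_CHARS) len = HREF_CHARS;
    memcpy(f->words, src, len * sizeof(uint16_t));
    f->words[len] = 0;                      /* index 4096 is outside the href buffer */
    return len;
}

/* Fixed pattern: reserve one code unit for the terminator, so at most
 * HREF_CHARS - 1 characters are stored and the terminator stays in bounds. */
static size_t copy_href_fixed(href_frame *f, const uint16_t *src, size_t len) {
    if (len > HREF_CHARS - 1) len = HREF_CHARS - 1;
    memcpy(f->words, src, len * sizeof(uint16_t));
    f->words[len] = 0;
    return len;
}

/* 1 if the word after the buffer still holds the sentinel, 0 if it was clobbered. */
static int saved_word_intact(const href_frame *f) {
    return f->words[HREF_CHARS] == SENTINEL;
}

/* Constructed input: an n-code-unit href made of 'A' (n = 4096 is the boundary case). */
static size_t make_long_href(uint16_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = (uint16_t)'A';
    return n;
}
```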


