Denial of Service in Microsoft Internet Explorer 6.0 SP1
A vulnerability in IE 6.0 SP1 could result in a Denial of Service (DoS) condition.
May 20, 2004
Reported May 17, 2004, by MikeMauler
VERSIONS AFFECTED
DESCRIPTION
A vulnerability in IE 6.0 SP1 could result in a Denial of Service (DoS) condition. By using a malformed HTML page containing JavaScript code with a specially crafted META tag, a potential attacker could cause IE to terminate with an access violation.
DEMONSTRATION
The discoverer posted the following code as proof of concept:
The following script code will cause Internet Explorer to crash when trying to parse the META tag contained within. The problem stems from a bug in the MSHTML library (mshtml.dll). Below is the script code that causes the crash:
Wnd = window.createPopup();
Wnd.document.body.innerHTML='';
The effect of the META tag is to cause an access violation within mshtml.dll; however, it is not exploitable. The problematic piece of code is shown below:
636D54AF 8B482C MOV ECX,[EAX+2C]
EAX = 0, Bad read of address 0x0000002C
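A triage check for the crash record above, added here as an example and not part of the original advisory or the discoverer's post: it confirms that the fault address equals the base register plus the displacement and that it falls in the unmapped first 64 KB of the process, which is what marks the fault as a NULL-pointer read. The function name `triage` and the `NULL_GUARD_LIMIT` constant are assumptions of this example.

```python
import re

# Assumption: 32-bit Windows keeps the first 64 KB of a process unmapped, so a
# fault address in that range means a NULL base pointer plus a small field offset.
NULL_GUARD_LIMIT = 0x10000

OPERAND = re.compile(r"\[(?P<base>E[A-Z]{2})(?:(?P<sign>[+-])(?P<disp>[0-9A-F]+))?\]", re.I)
FAULT = re.compile(r"Bad (?P<kind>read|write) of address 0x(?P<addr>[0-9A-F]+)", re.I)
REG = re.compile(r"\b(E[A-Z]{2})\s*=\s*(?:0x)?([0-9A-F]+)", re.I)

# The two lines of the crash record as they appear in the advisory.
SAMPLE_INSTRUCTION = "636D54AF 8B482C MOV ECX,[EAX+2C]"
SAMPLE_FAULT = "EAX = 0, Bad read of address 0x0000002C"


def triage(instruction, fault_line):
    """Classify an access violation from its faulting instruction and fault line."""
    op = OPERAND.search(instruction)
    fault = FAULT.search(fault_line)
    if not op or not fault:
        raise ValueError("unrecognised crash record")
    regs = {name.upper(): int(val, 16) for name, val in REG.findall(fault_line)}
    base = op.group("base").upper()
    if base not in regs:
        raise ValueError("no value recorded for " + base)
    disp = int(op.group("disp") or "0", 16)
    if op.group("sign") == "-":
        disp = -disp
    # Effective address the instruction tried to touch, wrapped to 32 bits.
    computed = (regs[base] + disp) & 0xFFFFFFFF
    addr = int(fault.group("addr"), 16)
    kind = fault.group("kind").lower()
    if computed != addr:
        verdict = "inconsistent record"
    elif addr < NULL_GUARD_LIMIT:
        verdict = "null-pointer " + kind
    else:
        verdict = "wild " + kind
    return {"base": base, "offset": disp, "address": addr, "kind": kind, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_INSTRUCTION, SAMPLE_FAULT))
```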
VENDOR RESPONSE
Microsoft hasn't released a fix or bulletin that addresses this vulnerability.
CREDIT
Discovered by Mike Mauler.