iemem.txt
Posted May 9, 2004
Authored by E. Kellinis | Site cipher.org.uk

Internet Explorer version 6.0.2800 and MSN Messenger suffer from a memory access violation bug that can result in a denial of service.

tags | advisory, denial of service
SHA-256 | 7348caa4a9ef008c93092e7ba1b010e3e6e1360b1cd477820541e9c3887e2e1f

#########################################
Application: Internet Explorer
Vendors: http://www.microsoft.com
Version: 6.0.2800
Platforms: Windows
Bug: IE and MSN Messenger
Memory_Access_Violation
Risk: Critical
Exploitation: Remote with browser
Date: 07 May 2004
Author: Emmanouel Kellinis
e-mail: me@cipher(dot)org(dot)uk
web: http://www.cipher.org.uk
List : BugTraq(SecurityFocus)
#########################################


=======
Product
=======
A popular Web browser, created by Microsoft,
used to view pages on the World Wide Web.

===
Bug
===

Using the onLoad event together with the window.location method, we can direct
Internet Explorer to open a specific connection, file or web page while,
say, the <body> of our HTML document is still loading.
*(onLoad can be attached to almost any tag.)

To redirect the page to a file on the visitor's local machine we use
file://c:\filename. Now, instead of a valid drive letter, we pass an
arbitrary drive name made of hexadecimal escape values,

e.g. \xff:\filename; hex values can be passed in place of the filename as well.

This abnormal name overwrites three registers: ECX, EDX and EDI. When the
abnormal drive name is used, we control the first 16 bits of EDX and EDI.

When the web page carrying the malicious code loads, the three registers
are overwritten, and the resulting damage is corruption of the registry
entries belonging to IE.

The file association of .html/.htm pages with Internet Explorer no longer
works and no IE shortcut loads. Instead an error popup appears saying:
You can't access this file, path, drive. Permission Denied. Note that
access to the temp directory is lost as well.

MSN Messenger is affected by the memory access violation too: it crashes
immediately after you log in (sometimes the problem clears after a
restart).


Because onLoad is carried inside an HTML tag attribute, there is a
possibility that firewalls won't recognise it as JavaScript and will let
it load. (Mine didn't.)
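The two points above (navigation to a file:// URI with a non-letter drive specifier, delivered through an inline event handler that script-tag filters overlook) can be checked for on the defending side. The following scanner is an added example written for this page; it is not code from the advisory or its author. It walks every on* attribute in an HTML document and reports file:// targets whose drive specifier is not a single ASCII letter or whose handler source contains JavaScript hex escapes. The sample page it runs over is constructed for the demonstration; the function names and the reason strings are this example's own.

```python
"""Scan HTML for inline event handlers that navigate to file:// URIs with
an abnormal drive specifier or hex-escaped path components."""
import re
from html.parser import HTMLParser

# file:// URI followed by a drive specifier and a colon. The specifier is
# captured raw, so an escape sequence such as \xff is seen as written.
FILE_URI_RE = re.compile(r"file:(?://)?([^/'\"\s:]*):", re.IGNORECASE)
# JavaScript hex escapes (\xNN) inside the handler source.
HEX_ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")
# Assignments to location / location.href and calls to assign()/replace().
NAV_RE = re.compile(
    r"(?:window\.)?location(?:\.href)?\s*=|location\.(?:assign|replace)\s*\(",
    re.IGNORECASE,
)


def check_handler(tag, attr, code):
    """Return one finding per suspicious file:// URI in a handler's source."""
    findings = []
    navigates = bool(NAV_RE.search(code))
    has_hex = bool(HEX_ESCAPE_RE.search(code))
    for match in FILE_URI_RE.finditer(code):
        drive = match.group(1)
        reasons = []
        # A Windows drive specifier is exactly one ASCII letter.
        if not re.fullmatch(r"[A-Za-z]", drive):
            reasons.append(f"non-letter drive spec {drive!r}")
        if has_hex:
            reasons.append("hex escapes in file:// target")
        if reasons:
            findings.append({
                "tag": tag, "attr": attr, "drive": drive,
                "navigates": navigates, "reasons": reasons,
            })
    return findings


class InlineHandlerScanner(HTMLParser):
    """Collects findings from every on* attribute on every tag."""

    def __init__(self):
        # convert_charrefs=True (the default) decodes &#x5c; and friends
        # before we look at the attribute value.
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and name.lower().startswith("on"):
                self.findings.extend(check_handler(tag, name, value))


def scan_html(html_text):
    """Parse a document and return all findings in document order."""
    scanner = InlineHandlerScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page (not from the advisory). Raw string so the
# backslashes reach the scanner exactly as a browser would see them.
SAMPLE_HTML = r"""
<html><body onload="window.location='file://c:\boot.ini'">
<img src="x.png" onerror="window.location='file://\xff:\xfile'">
<div onmouseover="location.href='file://c:\x41\x41'">hover</div>
<a href="file://c:\readme.txt">plain link, not an event handler</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"<{f['tag']} {f['attr']}> drive={f['drive']!r} "
              f"navigates={f['navigates']} reasons={f['reasons']}")
```

Only the `onerror` and `onmouseover` handlers are reported: the `onload` target uses an ordinary drive letter with no escapes, and the `href` is not an event handler. The scanner inspects handler source only, so it complements, rather than replaces, whatever a filter already does with `<script>` blocks.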

=====================
Proof Of Concept Code
=====================
Can be constructed from the statements above.
Proof of concept sent to the vendor.





=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================


© 2022 Packet Storm. All rights reserved.