Microsoft(R) Internet Explorer 5 and 6 suffer from a remote denial of service flaw using IMG and XML elements. Proof of concept code included.
3dca4c4cb9b808ced948bbb4b399c728f0dc2c96e5fc2e9c346f368f6960df83
Advisory Name
Microsoft(R) Internet Explorer 5 & 6 Remote Denial of Service (DoS) using IMG & XML elements
Release Date
14. January 2006
Vulnerable Product
Microsoft(R) Internet Explorer 5
Microsoft(R) Internet Explorer 6
Tested and Confirmed Vulerable
Microsoft® Windows® XP Professional with Service Pack 2 and IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
Microsoft® Windows® Server 2003 with IE 6.0.2790.0
Microsoft® Windows® 2000 Advanced Server 5.00.2195 with Service Pack 4 and IE 5.00.3700.1000
Other combinations are likely to be vulnerable, so far all systems that I have tested had the bug.
Severity
Medium
Discovered by
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/
Vendor Status
Notified 30. December 2005, no fix at present.
Arbitrary Code Injection
This is a null pointer dereference, thanks to H D Moore from Metasploit for help on this issue.
Overview
I have found that Microsoft(R) Internet Explorer 5 and Microsoft(R) Internet Explorer 6 are vulnerable to a Denial of Service. So far all combinations of OS's and IE versions I have tested are vulnerable. The exploit is triggered by bad HTML data combined with a bad XML block, this html code can by hidden inside a webpage etc.
Proof of Concept
Any HTML page that contain the following HTML code will cause the DoS:
<table><tr><td><IMG align=left>X X X<?xml:namespace prefix=v ><v:X style="HEIGHT:1"></td></tr></table>