HTML Exploit for Windows

I havent seen any talk about this particular exploit, but it concerns me more so that someone who posts it in a forum or creates an Ebay auction can crash Windows with little effort.

Create an HTML page with the following code:

IMG src="http://stb.msn.com/i/D2/D28DB9CFDCCEE8A44CE0A8118D75BFA1.jpg" height="9999999" width="9999999

Add brackets of course to the line above.

Save the HTML and run it. It will crash Windows and is not browser dependent. It crashed both IE and FF.

Anyone know of a patch for this?

I havent seen any talk about this particular exploit, but it concerns me more so that someone who posts it in a forum or creates an Ebay auction can crash Windows with little effort.

Create an HTML page with the following code:

IMG src="http://stb.msn.com/i/D2/D28DB9CFDCCEE8A44CE0A8118D75BFA1.jpg" height="9999999" width="9999999

Add brackets of course to the line above.

Save the HTML and run it. It will crash Windows and is not browser dependent. It crashed both IE and FF.

Anyone know of a patch for this?

It would help if you had a reference to the vulnerability that this is supposed to exploit. For all we know, you don't have a WinXP that is up to date or is missing a specific patch. I seem to remember a recent IE vulnerability that was addressed about a month ago that may have addressed that particular issue.

You might also provide a bit of background on the exploit information so we can verify it.

It would help if you had a reference to the vulnerability that this is supposed to exploit. For all we know, you don't have a WinXP that is up to date or is missing a specific patch. I seem to remember a recent IE vulnerability that was addressed about a month ago that may have addressed that particular issue.

You might also provide a bit of background on the exploit information so we can verify it.

Hey Hey,

Well I just put this into a page (http://www.aoaddicts.net/htregz/crash.html)... and then I loaded a VPC image... It's XP updated with everything except for this past Tuesdays patches....

It definately didn't crash my image.. just created a giant white square (where an image should appear)..

Peace,
HT

Hey Hey,

Well I just put this into a page (http://www.aoaddicts.net/htregz/crash.html)... and then I loaded a VPC image... It's XP updated with everything except for this past Tuesdays patches....

It definately didn't crash my image.. just created a giant white square (where an image should appear)..

Peace,
HT

Argh....sorry about that..its what happens when I post while at work :)
Any who, I am running this on a fully patched XPSP2 Pro machine (not a Vpc or VM).
I havent seen any other information regarding this exploit...Also, it probably should be called an "exploit" persay, but more a bug/defect in the way XP handles it.

Argh....sorry about that..its what happens when I post while at work :)
Any who, I am running this on a fully patched XPSP2 Pro machine (not a Vpc or VM).
I havent seen any other information regarding this exploit...Also, it probably should be called an "exploit" persay, but more a bug/defect in the way XP handles it.

Wildred: Where was that exploit published? How recently?

Thanks,
-Deeboe

Wildred: Where was that exploit published? How recently?

Thanks,
-Deeboe

Hey Hey,

I'd have to again say it's nothing...

I just ran it on my machine... fully patched... still nothing... yeah it locks up a bit trying to render the image at that size.. but that's it... the occasional freeze... nothing else..


The browser was locked while trying to display the image.. it is rather large.... It's just running "too" much on your computer at once.. eventually I got tired of waiting, and end tasked IE...

I suppose you could call it a browser DoS but given enough time it'd free itself up again.... it's just a matter of waiting.

Peace,
HT

Hey Hey,

I'd have to again say it's nothing...

I just ran it on my machine... fully patched... still nothing... yeah it locks up a bit trying to render the image at that size.. but that's it... the occasional freeze... nothing else..


The browser was locked while trying to display the image.. it is rather large.... It's just running "too" much on your computer at once.. eventually I got tired of waiting, and end tasked IE...

I suppose you could call it a browser DoS but given enough time it'd free itself up again.... it's just a matter of waiting.

Peace,
HT

Doesn't crash Konqueror (Slackware GNU/Linux)
Gives a nice huge pixelated image..

Doesn't crash Firefox 1.5 (Slackware GNU/Linux)
Just a huge big white page..

Couldn't test on Windows today... sorry..

Doesn't crash Konqueror (Slackware GNU/Linux)
Gives a nice huge pixelated image..

Doesn't crash Firefox 1.5 (Slackware GNU/Linux)
Just a huge big white page..

Couldn't test on Windows today... sorry..

http://www.haloscan.com/comments/ale...4060575607610/ was where the issue was first seen by me :)

http://www.haloscan.com/comments/ale...4060575607610/ was where the issue was first seen by me :)

I would bet this has more to do with the system specific memory, video card/memory and other issues, not MS Windows XP, IE's, or FireFox's specific ability to render the .jpg.

Based on the comments on the link and here, it behaves different for different systems. So, I suspect this is more a hardware weakness, an available memory issue, or some compatibility with other installed software.

Since the issue isn't coming from a testing center or lab, where a controlled analysis is done, it could be anything.

As HT sez, it is nothing.

I would bet this has more to do with the system specific memory, video card/memory and other issues, not MS Windows XP, IE's, or FireFox's specific ability to render the .jpg.

Based on the comments on the link and here, it behaves different for different systems. So, I suspect this is more a hardware weakness, an available memory issue, or some compatibility with other installed software.

Since the issue isn't coming from a testing center or lab, where a controlled analysis is done, it could be anything.

As HT sez, it is nothing.

Hey Hey,

So I was looking at the link wildred posted and I was wondering why I knew the name Alex Eckelberry... and then I saw the top of the page (SunbeltBlog)... So I hit sunbeltblog.blogspot.com and checked it out... there's this post about halfway down the page

Quote:

---

Monday, January 09, 2006
Another WMF vulnerability
SecurityFocus has published an advisory on yet another WMF vulnerability.

We have seen no exploits in the wild on this one. We hope not to before Microsoft patches it.

Microsoft Windows WMF graphics rendering engine is affected by multiple memory corruption vulnerabilities. These issues affect the 'ExtCreateRegion' and 'ExtEscape' functions.

These problems present themselves when a user views a malicious WMF formatted file containing specially crafted data.

Reports indicate that these issues lead to a denial of service condition, however, it is conjectured that arbitrary code execution is possible as well. Any code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file.


Link here.

Update: This vulnerability is more related to triggering a denial of service attack on a vulnerable system. The exploit code we have observed does not prove that code could be run on a machine (unlike the last WMF exploit), but this type of danger is always an issue with buffer overflows. We will keep this blog updated with the latest relevant news.



Alex Eckelberry
(Thanks Adam)

---

The posts that wildred is showing are the comments that were left...

Alex's source was http://www.securityfocus.com/bid/16167/discuss

Quote:

---

Microsoft Windows Graphics Rendering Engine Multiple Memory Corruption Vulnerabilities

Microsoft Windows WMF graphics rendering engine is affected by multiple memory corruption vulnerabilities. These issues affect the 'ExtCreateRegion' and 'ExtEscape' functions.

These problems present themselves when a user views a malicious WMF formatted file containing specially crafted data.

Reports indicate that these issues lead to a denial of service condition. Earlier conjectures that the issues may result in the execution of arbitrary code appear at this point to be incorrect. Attackers could force a crash or restart of the viewing application.

---

The person who posted that message obviously had shitty hardware... it locked up their machine so they just killed it and decided it was a Microsoft problem.... It's completely unreleated to Alex's topic...

So in other words it's nothing reported by a nobody..

Peace,
HT

Hey Hey,

So I was looking at the link wildred posted and I was wondering why I knew the name Alex Eckelberry... and then I saw the top of the page (SunbeltBlog)... So I hit sunbeltblog.blogspot.com and checked it out... there's this post about halfway down the page

Quote:

---

Monday, January 09, 2006
Another WMF vulnerability
SecurityFocus has published an advisory on yet another WMF vulnerability.

We have seen no exploits in the wild on this one. We hope not to before Microsoft patches it.

Microsoft Windows WMF graphics rendering engine is affected by multiple memory corruption vulnerabilities. These issues affect the 'ExtCreateRegion' and 'ExtEscape' functions.

These problems present themselves when a user views a malicious WMF formatted file containing specially crafted data.

Reports indicate that these issues lead to a denial of service condition, however, it is conjectured that arbitrary code execution is possible as well. Any code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file.


Link here.

Update: This vulnerability is more related to triggering a denial of service attack on a vulnerable system. The exploit code we have observed does not prove that code could be run on a machine (unlike the last WMF exploit), but this type of danger is always an issue with buffer overflows. We will keep this blog updated with the latest relevant news.



Alex Eckelberry
(Thanks Adam)

---

The posts that wildred is showing are the comments that were left...

Alex's source was http://www.securityfocus.com/bid/16167/discuss

Quote:

---

Microsoft Windows Graphics Rendering Engine Multiple Memory Corruption Vulnerabilities

Microsoft Windows WMF graphics rendering engine is affected by multiple memory corruption vulnerabilities. These issues affect the 'ExtCreateRegion' and 'ExtEscape' functions.

These problems present themselves when a user views a malicious WMF formatted file containing specially crafted data.

Reports indicate that these issues lead to a denial of service condition. Earlier conjectures that the issues may result in the execution of arbitrary code appear at this point to be incorrect. Attackers could force a crash or restart of the viewing application.

---

The person who posted that message obviously had shitty hardware... it locked up their machine so they just killed it and decided it was a Microsoft problem.... It's completely unreleated to Alex's topic...

So in other words it's nothing reported by a nobody..

Peace,
HT

Am I having dejavu or wasn't this exact thing discussed many months ago?

EDIT: Ok, not crazy, but the topic wasn't in a public forum, but it is exactly the same thing (Web Browser Bug - Potential Exploit from 6-1-2005).

Am I having dejavu or wasn't this exact thing discussed many months ago?

EDIT: Ok, not crazy, but the topic wasn't in a public forum, but it is exactly the same thing (Web Browser Bug - Potential Exploit from 6-1-2005).

OK, so I have to hide my head in shame...just tested this on a p4 3.4ghz box (instead of a 667) and found that while it does cause the computer to be slightly sluggish, it does NOT crash the machine like my 667 did. Its Friday, right?

OK, so I have to hide my head in shame...just tested this on a p4 3.4ghz box (instead of a 667) and found that while it does cause the computer to be slightly sluggish, it does NOT crash the machine like my 667 did. Its Friday, right?

I didn't work on my PC either (Win XP Pro SP2 Fully Patched)

Here are two links I found about it:
http://seclists.org/lists/bugtraq/2005/Apr/0340.html
http://networksecurityarchive.org/ht.../msg00348.html

I should read the links better before posting them :) they are the same post, on diff sites :rolleyes:

I just googled height="9999999" width="9999999" and got some results

I didn't work on my PC either (Win XP Pro SP2 Fully Patched)

Here are two links I found about it:
http://seclists.org/lists/bugtraq/2005/Apr/0340.html
http://networksecurityarchive.org/ht.../msg00348.html

I should read the links better before posting them :) they are the same post, on diff sites :rolleyes:

I just googled height="9999999" width="9999999" and got some results

I actually managed to crash one of my machines ...

OS : Windows XP Home Edition [fully patched]
Browser : Internet Explorer 6 [fully patched]

I actually managed to crash one of my machines ...

OS : Windows XP Home Edition [fully patched]
Browser : Internet Explorer 6 [fully patched]

Then you must have some really cheezy hardware, Agent_Steal!

;)

Just kidding!

Then you must have some really cheezy hardware, Agent_Steal!

;)

Just kidding!

Quote:

---

Then you must have some really cheezy hardware, Agent_Steal!

---

:-) I concur rapier57 :D ... Actually when it happened I was running the following programs :

[1] FireFox
[2] Internet Explorer
[3] ITunes
[4] some other programs in the background ...

Anyways this machine has nothing important on it so if I loose anything oh well ... :rolleyes:

Quote:

---

Then you must have some really cheezy hardware, Agent_Steal!

---

:-) I concur rapier57 :D ... Actually when it happened I was running the following programs :

[1] FireFox
[2] Internet Explorer
[3] ITunes
[4] some other programs in the background ...

Anyways this machine has nothing important on it so if I loose anything oh well ... :rolleyes:

I tried this on one of the PCs where I work... it locked it up completely, then rebooted itself. It is a fully patched XPSP2 machine... It IS an older pavilion though...

I tried this on one of the PCs where I work... it locked it up completely, then rebooted itself. It is a fully patched XPSP2 machine... It IS an older pavilion though...

hmm interesting:

Crashed one of my machines WinXP Pro fuly patched updated with all the bells and whistles..

The fact that it is Cel 333 with 64MB of RAM and a 8Mb PCI video card and only 500MB of free HDD space shouldnt have anything to do with it!..should it?

Guys that is a large image.. 9999999 x 9999999 .. come on how many pixels will that be? The image it self may only be a few k in size but the browser will try to render/draw it to a10M x 10M image in your display.. ..

so how much of my display or system memory will my browser want to allocate before trying to render/draw that picture,, and will my box with its poxy 333 and 64MB of system ram be up to the chase..

And even if the image was laced with crap code (aka WMF exploite) the code would have died in the roadblock caused by the huge draw operation..

HAs anyone actually allowed the WHOLE image to download? ( I estimate some 90Tpixels in area)

hmm interesting:

Crashed one of my machines WinXP Pro fuly patched updated with all the bells and whistles..

The fact that it is Cel 333 with 64MB of RAM and a 8Mb PCI video card and only 500MB of free HDD space shouldnt have anything to do with it!..should it?

Guys that is a large image.. 9999999 x 9999999 .. come on how many pixels will that be? The image it self may only be a few k in size but the browser will try to render/draw it to a10M x 10M image in your display.. ..

so how much of my display or system memory will my browser want to allocate before trying to render/draw that picture,, and will my box with its poxy 333 and 64MB of system ram be up to the chase..

And even if the image was laced with crap code (aka WMF exploite) the code would have died in the roadblock caused by the huge draw operation..

HAs anyone actually allowed the WHOLE image to download? ( I estimate some 90Tpixels in area)

When I tried the html file, I was using a Dell desktop at work. (my test machine)
It has 256MB of Ram and I think, just over 1Ghz.

Those who do crash your PCs, lets list them here and see if there is something about the vulnerability that may be case specific (like say a vidcard that can't draw the pixels?)

I know that it isn't cheasy onboard video cards (not all anyways) since the Dell I use has one f*** up onboard video that no OS recognizes without installed driver (not even a Live Linux like Knoppix or Ubuntu... dammit)

So shall we generate some list to see if it is isolated to a specific hardware or software?

When I tried the html file, I was using a Dell desktop at work. (my test machine)
It has 256MB of Ram and I think, just over 1Ghz.

Those who do crash your PCs, lets list them here and see if there is something about the vulnerability that may be case specific (like say a vidcard that can't draw the pixels?)

I know that it isn't cheasy onboard video cards (not all anyways) since the Dell I use has one f*** up onboard video that no OS recognizes without installed driver (not even a Live Linux like Knoppix or Ubuntu... dammit)

So shall we generate some list to see if it is isolated to a specific hardware or software?

*** **** I give Up ***

*** **** I give Up ***