View Comments
From NTBUGTRAQ:
I expect this will be all over the web shortly.
This tiny bit of code will apparently crash any component of Windows that uses the IE rendering engine. That includes IE, Outlook Express and the Explorer itself.
[html]
[form]
[input type crash]
[/form]
[/html]
I’ve replaced the standard HTML tag characters with square brackets to make sure it can’t DoS you Microsoft Victims.
It seems to crash explorer.exe when the .html file containing the
code is copied into any folder.
Technical details:
IE tries to compare the type of the input field to “HIDDEN”, to see if it
should be rendered. When there is no type string, a null-pointer is used. mshtml.dll calls shlwapi.dll#158 @ 0x636f0037 with a pointer to a static unicode string “HIDDEN” and a null-pointer. shlwapi.dll#158 does a case-insensitive comparison of two unicode strings:
it reads from address 0×0 because of the null-pointer and thus causes an exception.
This is not exploitable, other then a DoS because there is no memory mapped @ 0×0 and even if you could load something there, you could only compare it to “HIDDEN” which gets you nowhere.
Plain HTML is a dangerous language 
My mail server rejects HTML email – and I’ve been criticised for being so “anal” about it. I guess things like this just validate the block.
