Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MS Internet Explorer / MSN ICC Profiles Crash PoC Exploit

🗓️ 07 Jul 2008 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 26 Views

Crash vulnerability in MS Internet Explorer/Microsoft Edge due to buffer overflow in processing embedded ICC Profile

Code

                                                */-----------------------------edwardgagnon--------------/*

Can crash msn and execute commands

Windows has a buffer overflow vulnerability in the processing of embedded ICC Profiles 
inside images (jpeg, tiff, etc...)

To test - create a jpeg in adobe photoshop and save it with the ICC checkbox enabled, 
make sure you set it to RGB (that does not really matter, just so you can find which 
bytes to change for the test).

Open in a hex editor and search for "RGB XYZ " (no quotes, case sensitive)

You are now inside the header of the ICC Profile which is 128 bytes.
104 bytes away is a 4 byte number which is the Tag Count of the ICC Profile.
Change this to "FF FF FF FF" (it will be followed by a 4 byte string which is 
part of a 12 byte tag. there are several such tags, it should help you identify 
which bytes to change).

Save, open in internet explorer, and see the crash.

and this is the crash:

CODE
.text:73B323BC loc_73B323BC:                          ; CODE XREF: GetColorProfileElement+D6j
.text:73B323BC                 cmp     [ebx], eax
.text:73B323BE                 jz      short loc_73B323DD
.text:73B323C0                 add     ebx, 0Ch
.text:73B323C3                 inc     edx
.text:73B323C4                 cmp     edx, ecx
.text:73B323C6                 jb      short loc_73B323BC
.text:73B323C8
.text:73B323C8 loc_73B323C8:                          ; CODE XREF: GetColorProfileElement+CAj
.text:73B323C8                 push    7DCh           ; dwErrCode
.text:73B323CD                 call    ds:SetLastError


ebx is controlable. but gets a read access violation.

....be kool and create a PoC and change your sig to the exploit.jpg

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Jul 2008 00:00Current
7.1High risk
Vulners AI Score7.1
ms internet explorermicrosoft edgebuffer overflowicc profilescrash vulnerability
26