From hi.baidu.com/monyer/blog/item/d0f5d8b48fc442758bd4b2a4.html
Char 192 is
<font face="xyz[0xC0]">not </font><font face=" onmouseover=alert(192) s=[0xC0]" >available</font>
0xC0 is one of the 32 first bytes of 2-byte sequences (0xC0-0xDF) in UTF-8. So when IE parses the above code, it will consider 0xC0 and the following quote as a sequence, and therefore these two pairs of FONT elements will become one with
"xyz[0xC0]">not </font><font face="
as the value of FACE parameter. The second 0xC0 will start another 2-byte sequence as a value of NOTEXIST parameter which is not quoted. Due to a space character following by the quote, 0xE0-0xEF which are first bytes of 3-byte sequences, together with the following quote and one space character will be considered as the value of NOTEXIST parameter.
Essentially, certain bytes indicate the start of a 3-byte character in a UTF-8 string. If those bytes make their way onto a webpage, IE will eat up the next two bytes even if the resulting three bytes don't make up a valid UTF-8 character. This can cause IE to eat up ending quotes in HTML attributes, wreaking XSS-flavored havoc.
The article is about IE6, so I have two tightly-coupled questions:
If I understand the vulnerability correctly, it was addressed in 2006 in Microsoft Security Bulletin MS06-021.
A remote code execution vulnerability exists in the way Internet Explorer decodes specially crafted UTF-8 encoded HTML. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the specially crafted Web site.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With