Re: MSIE flaws: nested array sort() loop Stack overflow exception

From: isno (isno_at_xfocus.org)
Date: 11/26/04

Date: Fri, 26 Nov 2004 11:38:06 +0800
To: "Berend-Jan Wever" <skylined@edup.tudelft.nl>, "full-disclosure@lists.netsys.com" <full-disclosure@lists.netsys.com>, "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, "vuln-dev@securityfocus.com" <vuln-dev@securityfocus.com>
    
    

    I don't think this flaw is exploitable. In MSIE, any loop can lead to an exception. Just like:

    <IFRAME SRC=?>

    Save it as an HTML file and open it in IE; in about 30 seconds it will cause a stack_overflow exception and exit, because IE will not stop allocating stack buffers until there is not enough stack space.

    = = = = = = = = = = = = = = = = = = = =

    >Hi all,
    >
    >Another flaw in IE:
    >
    ><HTML>
    > <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
    > <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
    ></HTML>
    >
    >Normally I would see if it's exploitable but I figure I'm not MS's pet bug finder/analyser... So, I've CC'ed this message to Microsoft. I'm sure they know their own product better than I do and can analyse the problem much faster. So if you want to know the impact of this vulnerability, ask them: I'm sure they will be more than willing to help you. I'm sure they will even reply to this message with technical details and a patch tomorrow.
    >
    >Added to the list: http://www.edup.tudelft.nl/~bjwever/advisory_ie_flaws.html
    >
    >Cheers,
    >SkyLined
    >http://www.edup.tudelft.nl/~bjwever
    >
    >PS. Don't think firefox will keep you safe from hackers, I _know_ it won't ;) But more on that later...
    >PS2. Recursive function call will cause stack overflow causing write exception in guard page on a push, no control over registers.

    = = = = = = = = = = = = = = = = = = = =

                               Cheers,
            isno
            isno@xfocus.org
              2004-11-26
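To show what the quoted nested-array sort() loop actually exhausts, here is an added example that is not part of either post: it builds the nesting to a fixed depth instead of forever, then calls sort(), which compares elements by their string form and so stringifies the nesting recursively. The second element `0` in each level is an assumption of this example (so that sort() performs a comparison at all), and in a current engine the exhausted stack surfaces as a catchable RangeError rather than a process exit.

```javascript
// Added example: bounded variant of the quoted "a = new Array(a); a.sort()"
// loop. Each level wraps the previous array as [prev, 0]; the 0 is a
// constructed second element so that sort() has two elements to compare.
function buildNested(depth) {
  let a = [];
  for (let i = 0; i < depth; i++) {
    a = [a, 0];
  }
  return a;
}

// Default sort() compares elements via their string form, and converting an
// array to a string converts each element in turn, so the call chain is as
// deep as the nesting. Returns "ok" when sort() completes, "RangeError" when
// the engine ran out of stack, or the name of any other error.
function sortNested(depth) {
  const a = buildNested(depth);
  try {
    a.sort();
    return "ok";
  } catch (e) {
    return e instanceof RangeError ? "RangeError" : e.name;
  }
}

// Bisect for the smallest depth in [lo, hi] at which this engine refuses the
// recursion; lo is assumed to succeed and hi to fail.
function findStackLimit(lo, hi) {
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    if (sortNested(mid) === "ok") lo = mid + 1;
    else hi = mid;
  }
  return lo;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("depth 100:", sortNested(100));
  console.log("depth 100000:", sortNested(100000));
  console.log("first failing depth:", findStackLimit(100, 100000));
}
```

The loop in the quoted PoC never stops growing the nesting, so whatever depth this prints as the limit, the loop crosses it; the difference is only whether the engine reports it as an exception or, as the reply describes for IE, dies on the guard page.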

