Re: MSIE flaws: nested array sort() loop Stack overflow exception

From: isno (isno_at_xfocus.org)
Date: 11/26/04

  • Next message: Marco Mella: "More Browser on Macosx flaws: nested array sort() loop Stack overflow exception"
    Date: Fri, 26 Nov 2004 11:38:06 +0800
    To: "Berend-Jan Wever" <skylined@edup.tudelft.nl>, "full-disclosure@lists.netsys.com" <full-disclosure@lists.netsys.com>, "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, "vuln-dev@securityfocus.com" <vuln-dev@securityfocus.com>
    
    

    I don't think this flaw is exploitable.In MSIE, any loop can lead to exception.Just like:

    <IFRAME SRC=?>

    save it as a html file, open it in IE, in about 30 seconds, it will cause a stack_overflow exception and exit. Because IE will not stop allocating stack buffer, until there is not enough stack space.

    = = = = = = = = = = = = = = = = = = = =

    >Hi all,
    >
    >Another flaw in IE:
    >
    ><HTML>
    > <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
    > <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
    ></HTML>
    >
    >Normally I would see if it's exploitable but I figure I'm not MS's pet bug finder/analyser... So, I've CC'ed this message to Microsoft. I'm sure they know their own product better then I do and can analyse the problem much faster. So if you want to know the impact of this vulnerability, ask them: I'm sure they will be more then willing to help you. I'm sure they will even reply to this message with technical details and a patch tomorrow.
    >
    >Added to the list: http://www.edup.tudelft.nl/~bjwever/advisory_ie_flaws.html
    >
    >Cheers,
    >SkyLined
    >http://www.edup.tudelft.nl/~bjwever
    >
    >PS. Don't think firefox will keep you save from hackers, I _know_ it won't ;) But more on that later...
    >PS2. Recursive function call will cause stack overflow causing write exception in guard page on a push, no control over registers.

    = = = = = = = = = = = = = = = = = = = =
                            

                               Cheers,
            isno
            isno@xfocus.org
              2004-11-26


  • Next message: Marco Mella: "More Browser on Macosx flaws: nested array sort() loop Stack overflow exception"