lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041126034226.8F1011AAAA@xfocus.org> Date: Fri, 26 Nov 2004 11:38:06 +0800 From: "isno" <isno@...cus.org> To: "Berend-Jan Wever" <skylined@...p.tudelft.nl>, "full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "vuln-dev@...urityfocus.com" <vuln-dev@...urityfocus.com> Cc: "secure@...rosoft.com" <secure@...rosoft.com> Subject: Re: MSIE flaws: nested array sort() loop Stack overflow exception I don't think this flaw is exploitable.In MSIE, any loop can lead to exception.Just like: <IFRAME SRC=?> save it as a html file, open it in IE, in about 30 seconds, it will cause a stack_overflow exception and exit. Because IE will not stop allocating stack buffer, until there is not enough stack space. = = = = = = = = = = = = = = = = = = = = >Hi all, > >Another flaw in IE: > ><HTML> > <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT> > <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT> ></HTML> > >Normally I would see if it's exploitable but I figure I'm not MS's pet bug finder/analyser... So, I've CC'ed this message to Microsoft. I'm sure they know their own product better then I do and can analyse the problem much faster. So if you want to know the impact of this vulnerability, ask them: I'm sure they will be more then willing to help you. I'm sure they will even reply to this message with technical details and a patch tomorrow. > >Added to the list: http://www.edup.tudelft.nl/~bjwever/advisory_ie_flaws.html > >Cheers, >SkyLined >http://www.edup.tudelft.nl/~bjwever > >PS. Don't think firefox will keep you save from hackers, I _know_ it won't ;) But more on that later... >PS2. Recursive function call will cause stack overflow causing write exception in guard page on a push, no control over registers. = = = = = = = = = = = = = = = = = = = = Cheers, isno isno@...cus.org 2004-11-26
Powered by blists - more mailing lists