lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060216171450.4036.qmail@securityfocus.com>
Date: 16 Feb 2006 17:14:50 -0000
From: porkythepig@...pi.pl
To: bugtraq@...urityfocus.com
Subject: Stack overflow vulnerability in Internet Explorer exploitable
 trough VBScript and JScript scripting engines.


A stack overflow vulnerability that can be remotely exploited exists in the Internet Explorer scripting engines, both VBscript and Jscript.

The thread stack can be quickly consumed and forced to cross its memory boundaries.
That could be done by, for example, a simple recurrent-call infinite loop.
Although there is a protection preventing from continuation of the script execution after the interpreter's stack has been 
consumed, there is a lack in it, that could be exploited by invoking the change of the "location" URL global
variable, before every call nesting level.
It also doesn't need the call to be strictly recurrent, any infinte call-loop (even across JScript and VBScript functions)
or finite but deep enough to consume all the IE thread stack memory will exploit this vulnerability as well.

To exploit this vulnerability an attacker has to induce a user to visit a specialy
crafted web site where a malicious code exists.

DoS attack as well as remote code execution are possible.

The following configurations has been tested and found vulnerable:
Windows 2000 sp4 fully patched
Windows XP professional
Windows 98 SE

An example Proof of Concept DoS exploit:
http://www.anspi.pl/~fex/recurrboom.html


Vulnerability found and details provided by: porkythepig
Contact: porkythepig@...pi.pl


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ