Message-ID: <20060307185918.6844.qmail@securityfocus.com>
Date: 7 Mar 2006 18:59:18 -0000
From: drguile@...mail.com
To: bugtraq@...urityfocus.com
Subject: IE iFrame + Sun JVM + JS bug. Exploitable?


We encountered an interesting bug while working on our web interfaces. We posted it to Sun, but we are curious if the security community sees any way to exploit this in more than a DoS sense.  This isn't our speciality, that's why we are inquiring here.

This is a copy of the post to Sun's bug tracking, posted 2006-01-09

A DESCRIPTION OF THE PROBLEM :
Running a simple script on a web page using Internet Explorer causes the IE GUI handles to grow up to 10000. This behavior can be reproduced only when running Sun's JVM V1.5.0_06.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
No error message. When the application reaches over 10,000 GUI handles it goes crazy: windows flickering, resizing, moving, etc.  Looks like either handles that aren't free are being re-used, or there's a buffer overflow into the memory space of these 10k handles.

REPRODUCIBILITY :
This bug can be reproduced.

In a web page, in IE6.
---------- BEGIN SOURCE ----------
<!-- text field updated on a timer; IE6 exposes named elements as globals, so "cn" resolves to this input -->
<input name="cn"/>
<script>
	var i = 0;
	/* every 10 ms bump the counter and write it into the field */
	setInterval("i++; cn.value = i;", 10);
</script>

<!-- both an (empty) applet and an iframe must be present for the handle growth to appear -->
<applet width="10" height="10"></applet>
<iframe width="10" height="10"></iframe>

---------- END SOURCE ----------
Just monitor GDI handles (with Process Explorer, for example).

We tested on XP SP2 and Win2k SP4, fully patched.  Only version 1.5.0_06 (latest) of Sun's JVM exhibits this bug. Previous versions appear to be OK.  MashX discovered/isolated this bug. Many thanks.

DrGuile
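A defender-side way to do the "monitor GDI handles" step from the report, added here as an example and not part of the original post: it samples a process's GDI object count through user32!GetGuiResources (Windows only) and classifies the series against the default per-process GDI quota of 10,000 that the report's instability coincides with. The trend analysis itself is platform-independent and is exercised below on constructed samples; the PID, interval and thresholds are assumptions.

```python
"""Watch a process's GDI object count and flag growth toward the 10,000 quota."""
import sys
import time
from typing import List, Optional

GDI_HANDLE_QUOTA = 10_000  # Windows default per-process GDI handle quota
GR_GDIOBJECTS = 0          # GetGuiResources flag for GDI objects (1 = USER objects)


def gdi_object_count(pid: int) -> int:
    """Live GDI object count for a PID via user32!GetGuiResources (Windows only)."""
    if sys.platform != "win32":
        raise OSError("GetGuiResources is only available on Windows")
    import ctypes
    from ctypes import wintypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    kernel32.OpenProcess.restype = wintypes.HANDLE  # avoid truncating 64-bit handles
    PROCESS_QUERY_INFORMATION = 0x0400
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        return user32.GetGuiResources(handle, GR_GDIOBJECTS)
    finally:
        kernel32.CloseHandle(handle)


def classify_trend(samples: List[int], quota: int = GDI_HANDLE_QUOTA,
                   warn_fraction: float = 0.8, min_growth: int = 50) -> str:
    """'exhausted' if a sample hit the quota, 'leaking' on steady growth (or a rising
    tail above warn_fraction of the quota), otherwise 'stable'."""
    if not samples:
        return "stable"
    if max(samples) >= quota:
        return "exhausted"
    deltas = [b - a for a, b in zip(samples, samples[1:])]
    if all(d >= 0 for d in deltas) and samples[-1] - samples[0] >= min_growth:
        return "leaking"
    if samples[-1] >= warn_fraction * quota and deltas and deltas[-1] > 0:
        return "leaking"
    return "stable"


def seconds_to_quota(samples: List[int], interval_s: float,
                     quota: int = GDI_HANDLE_QUOTA) -> Optional[float]:
    """Linear estimate of time until the quota is reached; None if not growing."""
    if len(samples) < 2 or interval_s <= 0:
        return None
    rate = (samples[-1] - samples[0]) / ((len(samples) - 1) * interval_s)
    return None if rate <= 0 else max(0.0, (quota - samples[-1]) / rate)


if __name__ == "__main__":  # usage: python gdi_watch.py <pid> (Windows); assumed CLI
    pid, interval, window = int(sys.argv[1]), 1.0, []
    while True:
        window = (window + [gdi_object_count(pid)])[-30:]   # keep the last 30 samples
        eta = seconds_to_quota(window, interval)
        print(f"gdi={window[-1]} state={classify_trend(window)} eta_s={eta}")
        time.sleep(interval)
```

Constructed series such as 1200, 1300, 1400, 1500 (about 100 new objects per second, matching a 10 ms timer that leaks one handle per tick) classify as leaking with roughly 85 s left before the quota.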

