lists.openwall.net
Open Source and information security mailing list archives

From: rms at computerbytesman.com (Richard M. Smith)
Subject: IE6 crash bug; call thru uninitialized pointer

Hi,

I ran across an IE6 crash bug while developing a JavaScript
debugger.  Here's a demo page that shows the problem:

http://www.computerbytesman.com/js/crash/crash.htm

What makes the bug interesting is that the crash is caused by IE
dereferencing an uninitialized pointer.  These dereferences happen in
random places in the code.  The most interesting location I saw was in a
CALL instruction.  

I don't really have the time to determine if the bug is exploitable to
run code.

The bug may also be present in earlier versions of IE.

This is one of many crash bugs in IE that are present in the fringes of
the IE DOM.  All the other bugs that I've found so far are just null
pointer dereferences which I think are harmless.

Richard M. Smith
http://www.ComputerBytesMan.com

PS.  On a few machines, the demo must be reloaded a few times for a crash
to occur.
