Stack overflow vulnerability in Internet Explorer exploitable trough VBScript and JScript scripting engines. Feb 16 2006 05:14PM
porkythepig anspi pl (1 replies)
A stack overflow vulnerability that can be remotely exploited exists in the Internet Explorer scripting engines, both VBscript and Jscript.

The thread stack can be quickly consumed and forced to cross its memory boundaries.
That could be done by, for example, a simple recurrent-call infinite loop.
Although there is a protection preventing from continuation of the script execution after the interpreter's stack has been
consumed, there is a lack in it, that could be exploited by invoking the change of the "location" URL global
variable, before every call nesting level.
It also doesn't need the call to be strictly recurrent, any infinte call-loop (even across JScript and VBScript functions)
or finite but deep enough to consume all the IE thread stack memory will exploit this vulnerability as well.

To exploit this vulnerability an attacker has to induce a user to visit a specialy
crafted web site where a malicious code exists.

DoS attack as well as remote code execution are possible.

The following configurations has been tested and found vulnerable:
Windows 2000 sp4 fully patched
Windows XP professional
Windows 98 SE

An example Proof of Concept DoS exploit:

Vulnerability found and details provided by: porkythepig
Contact: porkythepig (at) anspi (dot) pl [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus