IE DoS and possibly exploitable stack overflow
Date: 24 Apr 2002 14:54:49 -0000
From: Berend-Jan Wever <skylined@edup.tudelft.nl>
To: bugtraq@securityfocus.com
Subject: IE DoS and possibly exploitable stack overflow
------------------------------------------------------------
Advisory
I discovered a flaw in IE a while ago that can kill IE and
can halt the entire system under Windows 9x. It didn't seem
like a big deal to me at the time, but seeing the fuss
about Matthew Murphy's discovery of a similar IE DoS (see
bugtraq post at the bottom of this message) I hereby
republish it and inform the vendor, Microsoft, about the
problem.
Kind regards,
Berend-Jan Wever
------------------------------------------------------------
Affected software versions
Every version of IE (up to 6.0 fully patched) seems to be
affected. The stability of Windows 9x can be affected by
crashing IE.
------------------------------------------------------------
Explanation of the flaw
Exploitation causes a stack overflow. This will probably be
exploitable but I am not familiar with stack overflow
exploitation so I will leave that to the real h4x0rs.
Basic example of the flaw:
<IMG src="::" onError="this.src='::';">
What this does:
1) It creates an image with an invalid src
2) IE tries to show the picture but can't: it fires the
onError-event
3) The onError-event resets the src attribute to the same
invalid src.
4) goto 2
As you can see, it's based on an infinite loop: The onError
event causes itself. Every time the onError event fires
another return address is pushed on the stack until it's
filled up and overflows.
Various variants of this error cause various overflows in
various DLLs.
IE 6.0 seems to be better protected against fatal crashes
than IE 5.0 and Windows 2000 seems to be unaffected while
some variants will cause overflow in kernel32.dll and halt
win9x.
IE 6.0 will report the overflow with a popup message and
continue to function most of the time but some variants
will terminate all open IE windows without notification.
------------------------------------------------------------
More details
More details about various variants of this flaw can be
found on my website. As you can imagine there are a lot of
possibilities to create infinite loops.
http://spoor12.edup.tudelft.nl
------------------------------------------------------------
Vendor status
Microsoft is hereby informed of the problem. As far as I
know, infinite loops have been known to be a problem for
some time now; that's why IE 6.0 is more stable (but not
stable enough).
------------------------------------------------------------
Original message to bugtraq by Matthew Murphy
The Flaw
OBJECT elements are used for embedded OLE in HTML documents.
A flaw in the way Microsoft Internet Explorer processes this
directive allows a page that causes a loop in object
dependency, or loads itself in a certain manner in an OBJECT,
to completely crash Internet Explorer.
The Exploit
To date, I have discovered 4 points of exploitation to crash
the browser. My favorite example is this one:
---- [ CRASH.HTM ] ----
<OBJECT DATA="CRASH.HTM" TYPE="text/html"></OBJECT>
---- [ CRASH.HTM ] ----
IE dies inside shdocvw.dll with a call stack overflow.
Fixes
Set "Run ActiveX Controls and Plugins" to disabled in ALL
zones. An XML Island DSO may even be able to get past this,
however. I would expect this bug to be fixed in a future IE
service pack, though there's been no confirmation/details of
that from Microsoft.