Vulnerability Development mailing list archives

Re: Stack Overflow in IE 5 (NT 4.0)


From: "Sherrod, Andrew" <andrew.sherrod () TFN COM>
Date: Mon, 21 Aug 2000 09:07:41 -0400

That may explain the difference.
I have seen some posts in various places suggesting some bugs are limited to
the US-English versions of IE. Though why bad programming seems more
prevalent in the domestic version is a complete mystery.

AGS

-----Original Message-----
From: herakel () UNIV HAIFA AC IL [mailto:herakel () UNIV HAIFA AC IL]
Sent: Sunday, August 20, 2000 3:22 AM
To: andrew.sherrod () tfn com
Cc: VULN-DEV () SECURITYFOCUS COM
Subject: RE: Stack Overflow in IE 5 (NT 4.0)


It is IE 5.00.2919.6307
My NT is hebrew enabled. Version 4.0 Build 1381 SP 5

-----Original Message-----
From: Sherrod, Andrew [mailto:andrew.sherrod () tfn com]
Sent: Wednesday, August 16, 2000 4:28 PM
To: 'herakel () UNIV HAIFA AC IL';
Subject: RE: Stack Overflow in IE 5 (NT 4.0)


Which specific IE version?

My tests failed on IE 5.00.2014.0216
NT 4.0 Build 1381 SP 5

Also, I have to change the first report:

From one to two blank buttons appear on the task bar. Two is more common,
but I have since seen a single button as well.

AGS

-----Original Message-----
From: Herakel Endrawes [mailto:herakel () UNIV HAIFA AC IL]
Sent: Wednesday, August 16, 2000 3:56 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Stack Overflow in IE 5 (NT 4.0)


IE 5 on NT 4 SP5 works fine. Does not open any blank buttons. A new URL
opens fine also.

-----Original Message-----
From: Sherrod, Andrew [mailto:andrew.sherrod () TFN COM]
Sent: Tuesday, August 15, 2000 6:00 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Stack Overflow in IE 5 (NT 4.0)


I am uncertain if this is exploitable, but it seems a possibility:

Create a web page as follows:

<HTML>
<HEAD>
<TITLE>
INFINITE FRAMES
</TITLE>
</HEAD>
<FRAMESET rows=80,20>
<FRAME src="b.html">
<FRAME src="http://www.yahoo.com">
</FRAMESET>
</HTML>

Save as "a.html".

Repeat, changing b to c and saving the page as "b.html".

Continue through "q.html", which refers not to "r.html", but back to
"a.html":

(Text of q.html):

<HTML>
<HEAD>
<TITLE>
INFINITE FRAMES
</TITLE>
</HEAD>
<FRAMESET cols=80,20>
<FRAME src="a.html">
<FRAME src="http://www.yahoo.com">
</FRAMESET>
</HTML>

(Some cursory tests suggest 17 frames as the minimum to produce the
overflow.)

This page will have no effect on Netscape, which loads frames up through
q.html, leaving an empty frame where a.html should be.

IE 5 does the same, but also creates two blank buttons on the task bar and
sometimes briefly creates a floating white square in the upper left corner
of the screen. It does not crash immediately, but when a new URL is entered
a stack overflow occurs.

I haven't had time to fully examine this, or see if there is a means to
exploit the overflow.

AGS
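Added example, not part of the original post or any project's code: a small Python check that builds the frame-reference graph from a set of frameset pages and reports a reference loop like the a.html -> b.html -> ... -> q.html -> a.html chain described above, which is the condition the post says destabilises IE 5. The page contents are constructed inline from the post's template, and the names TEMPLATE, frame_refs, build_graph, find_frame_cycle and build_sample_pages are my own.

```python
from html.parser import HTMLParser

TEMPLATE = (  # page template reconstructed from the post; only the inner frame varies
    '<HTML><HEAD><TITLE>INFINITE FRAMES</TITLE></HEAD>'
    '<FRAMESET rows=80,20><FRAME src="{inner}">'
    '<FRAME src="http://www.yahoo.com"></FRAMESET></HTML>')

class FrameSrcParser(HTMLParser):
    """Collect the src attribute of every FRAME / IFRAME start tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def frame_refs(html):
    """Frame src values of one page, in document order."""
    parser = FrameSrcParser()
    parser.feed(html)
    return parser.srcs

def build_graph(pages):
    """pages: dict name -> HTML. Only edges to pages in the set count; a remote
    frame such as the yahoo.com one cannot close the loop."""
    return {n: [s for s in frame_refs(h) if s in pages] for n, h in pages.items()}

def find_frame_cycle(pages):
    """Depth-first search; returns the first cycle as [p0, p1, ..., p0], else None."""
    graph, state = build_graph(pages), {}  # state: "active" on stack, "done" after
    def visit(node, path):
        state[node] = "active"
        path.append(node)
        for nxt in graph[node]:
            if state.get(nxt) == "active":  # back edge: the frame loop is closed
                return path[path.index(nxt):] + [nxt]
            found = visit(nxt, path) if nxt not in state else None
            if found:
                return found
        path.pop()
        state[node] = "done"
        return None
    for name in graph:
        found = visit(name, []) if name not in state else None
        if found:
            return found
    return None

def build_sample_pages(n=17):
    """Constructed sample: a.html .. q.html, each framing the next, q framing a."""
    names = [chr(ord("a") + i) + ".html" for i in range(n)]
    return {nm: TEMPLATE.format(inner=names[(i + 1) % n]) for i, nm in enumerate(names)}
```

With the 17-page sample, find_frame_cycle returns the 18-entry path from a.html back to a.html; replacing q.html's inner frame with a page not in the set yields None.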