Stack overflow vulnerability in Internet Explorer exploitable trough VBScript and JScript scripting engines.

[porkythepig () anspi pl]

A stack overflow vulnerability that can be remotely exploited exists in the Internet Explorer scripting engines, both 
VBscript and Jscript.

The thread stack can be quickly consumed and forced to cross its memory boundaries.
That could be done by, for example, a simple recurrent-call infinite loop.
Although there is a protection preventing from continuation of the script execution after the interpreter's stack has 
been 
consumed, there is a lack in it, that could be exploited by invoking the change of the "location" URL global
variable, before every call nesting level.
It also doesn't need the call to be strictly recurrent, any infinte call-loop (even across JScript and VBScript 
functions)
or finite but deep enough to consume all the IE thread stack memory will exploit this vulnerability as well.

To exploit this vulnerability an attacker has to induce a user to visit a specialy
crafted web site where a malicious code exists.

DoS attack as well as remote code execution are possible.

The following configurations has been tested and found vulnerable:
Windows 2000 sp4 fully patched
Windows XP professional
Windows 98 SE

An example Proof of Concept DoS exploit:
http://www.anspi.pl/~fex/recurrboom.html


Vulnerability found and details provided by: porkythepig
Contact: porkythepig () anspi pl