
Javascript loop causes IE to crash

by Nikola Strahija on March 21st, 2002

IE contains a flaw in its JavaScript handling that makes it possible to crash all IE windows running in the same process. The impact is not severe; the issue is more one of principle, since I believe that a web page: 1) shouldn't be able to crash the browser and 2) even if closing its own window(s), shouldn't be able to affect other browser windows.


Confirmed vulnerable configurations:
IE 6 + Windows XP Professional
IE 6 + Windows 2000 Professional SP2
IE 5.5 + Windows 2000 Professional SP2 + Pre SP3 patches
IE 5.01 + Windows 2000 Professional SP2 + Pre SP3 patches
IE 5.01 + Windows NT 4 Workstation SP4

Probably other configurations are vulnerable too.

-= DETAILS =-

If IE encounters a web page running JavaScript that uses
location.replace and then calls itself, causing a loop, IE will crash
and close all IE windows running in the same process.

Here's the example code:

[example HTML page, titled "IE Javascript Crash Test", not preserved in this copy]

If this code is sent to the browser for execution, either served from a
web server or opened as a local file, IE will crash.

On WinXP and WinNT4 IE dies quietly and does not leave any trace of the
incident, neither in the Event Log nor in Dr. Watson.

On Win2k however, Dr. Watson is invoked and records the crash as a stack
overflow. Below is a snippet from a Dr. Watson log created from this
incident (wrapping may occur).

Application exception occurred:
App: iexplore.exe (pid=808)
When: 2/3/2002 @ 17:20:31.934
Exception number: c00000fd (stack overflow)



State Dump for Thread Id 0x294

eax=000332a8 ebx=00000000 ecx=0000009a edx=00033288 esi=0000021a
edi=0000020a eip=77fcb12d esp=00033000 ebp=00033014 iopl=0 nv up ei pl nz
na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202


function: RtlAllocateHeap
77fcb10f 55 push ebp
77fcb110 8bec mov ebp,esp
77fcb112 6aff push 0xff
77fcb114 688026f877 push 0x77f82680
77fcb119 68a79dfb77 push 0x77fb9da7
77fcb11e 64a100000000 mov eax,fs:[00000000]
fs:00000000=????????
77fcb124 50 push eax
77fcb125 64892500000000 mov fs:[00000000],esp
fs:00000000=????????
77fcb12c 51 push ecx
FAULT ->77fcb12d 51 push ecx
77fcb12e 81ec74010000 sub esp,0x174
77fcb134 53 push ebx
77fcb135 56 push esi
77fcb136 57 push edi
77fcb137 8b7d08 mov edi,[ebp+0x8]
ss:00b105e6=????????
77fcb13a 897da4 mov [ebp+0xa4],edi
ss:00b105e6=????????
77fcb13d 8065b800 and byte ptr [ebp+0xb8],0x0
ss:00b105e6=??
77fcb141 8b450c mov eax,[ebp+0xc]
ss:00b105e6=????????
77fcb144 0b4710 or eax,[edi+0x10]
ds:00add7dc=????????
77fcb147 89450c mov [ebp+0xc],eax
ss:00b105e6=????????
77fcb14a a9600f037d test eax,0x7d030f60




However, as far as I have been able to conclude, this stack overflow is not
exploitable.



-= VENDOR INFORMATION =-

Microsoft was informed about this issue on Feb 8 2002.
After some mail exchanging between Microsoft Security Response Center and
me, Microsoft finally stated this:

In terms of the definition of a security vulnerability which we discuss
at
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/security/vulnrbl.asp
crashing a browser would not be regarded as a security vulnerability.


-= CREDITS =-

* Marcus Hufvudsson for additional investigation about this issue.
* All of you who believe in full disclosure.


