Stack overflow vulnerability in Internet Explorer exploitable trough VBScript and JScript scripting engines.
A stack overflow vulnerability that can be remotely exploited exists in the
Internet Explorer scripting engines, both VBscript and Jscript.
The thread stack can be quickly consumed and forced to cross its memory
boundaries.
That could be done by, for example, a simple recurrent-call infinite loop.
Although there is a protection preventing from continuation of the script
execution after the interpreter's stack has been
consumed, there is a lack in it, that could be exploited by invoking the change
of the "location" URL global
variable, before every call nesting level.
It also doesn't need the call to be strictly recurrent, any infinte call-loop
(even across JScript and VBScript functions)
or finite but deep enough to consume all the IE thread stack memory will
exploit this vulnerability as well.
To exploit this vulnerability an attacker has to induce a user to visit a
specialy
crafted web site where a malicious code exists.
DoS attack as well as remote code execution are possible.
The following configurations has been tested and found vulnerable:
Windows 2000 sp4 fully patched
Windows XP professional
Windows 98 SE
An example Proof of Concept DoS exploit:
http://www.anspi.pl/~fex/recurrboom.html
Vulnerability found and details provided by: porkythepig
Contact: porkythepig@xxxxxxxx