
IE iFrame + Sun JVM + JS bug. Exploitable?



We encountered an interesting bug while working on our web interfaces. We 
posted it to Sun, but we are curious if the security community sees any way to 
exploit this in more than a DoS sense.  This isn't our speciality, that's why we 
are inquiring here.

This is a copy of the post to Sun's bug tracking, posted 2006-01-09

A DESCRIPTION OF THE PROBLEM :
Running a simple script on a web page using Internet Explorer causes the IE GUI 
handles to grow up to 10000. This behavior can be reproduced only when running 
Sun's JVM V1.5.0_06.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
No error message. When the application reaches over 10 000 GUI handles it goes 
crazy. Windows flickering, resizing, moving, etc.  Looks like either handles that 
aren't free are being re-used, or there's a buffer overflow into the memory 
space of these 10k handles.

REPRODUCIBILITY :
This bug can be reproduced.

In a web page, in IE6.
---------- BEGIN SOURCE ----------
<input name="cn"/>
<script>
        var i = 0;
        setInterval("i++; cn.value = i;", 10);
</script>

<applet width="10" height="10"></applet>
<iframe width="10" height="10"></iframe>

---------- END SOURCE ----------
Just monitor GDI handles (with Process Explorer for example)

We tested on XP SP2, and Win2k SP4, fully patched.  Only version 1.5.0_06 
(latest) of Sun's JVM exhibits this bug. Previous versions appear to be OK.  
MashX discovered/isolated this bug. Many thanks.

DrGuile
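Added example, not part of the original post or of Sun's bug report: the post says to "just monitor GDI handles" with Process Explorer, and the script below does the same thing from Python so the growth can be logged and flagged automatically. On Windows it reads a process's GDI and USER object counts with user32!GetGuiResources (a documented Win32 call); on other platforms that part returns None. The 10,000 figure is the default per-process GDI object quota on Windows, which matches the count at which the report sees IE misbehave. The leak heuristic (at least 80% of consecutive samples increasing and a positive net change), the sample interval, and the SAMPLE_TRACE values are my assumptions, constructed for illustration.

```python
import ctypes
import sys
import time
from typing import List, Optional, Tuple

# Default per-process GDI object quota on Windows; the report above sees IE
# go haywire once its handle count reaches this value.
GDI_QUOTA = 10000
GR_GDIOBJECTS = 0            # GetGuiResources flag: count GDI objects
GR_USEROBJECTS = 1           # GetGuiResources flag: count USER objects
PROCESS_QUERY_INFORMATION = 0x0400


def gui_handle_counts(pid: int) -> Optional[Tuple[int, int]]:
    """Return (gdi_objects, user_objects) for a process using user32!GetGuiResources.

    Windows only: returns None elsewhere, or when the process cannot be opened.
    This is the programmatic equivalent of watching the GDI column in Process Explorer.
    """
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.windll.kernel32
    user32 = ctypes.windll.user32
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        return None
    try:
        return (user32.GetGuiResources(handle, GR_GDIOBJECTS),
                user32.GetGuiResources(handle, GR_USEROBJECTS))
    finally:
        kernel32.CloseHandle(handle)


def leak_assessment(samples: List[int], quota: int = GDI_QUOTA,
                    interval_s: float = 1.0) -> dict:
    """Classify a series of GDI counts (one per interval_s) as leaking or stable.

    A leak is assumed (my heuristic) when at least 80% of consecutive samples
    rise and the net change is positive. For a leak, the time left until the
    process hits the quota is extrapolated from the average growth rate.
    """
    if len(samples) < 2:
        return {"leaking": False, "rate_per_s": 0.0, "seconds_to_quota": None}
    deltas = [b - a for a, b in zip(samples, samples[1:])]
    rising = sum(1 for d in deltas if d > 0)
    net = samples[-1] - samples[0]
    rate = net / (interval_s * (len(samples) - 1))
    leaking = rising >= 0.8 * len(deltas) and net > 0
    remaining = quota - samples[-1]
    seconds = remaining / rate if leaking and rate > 0 and remaining > 0 else None
    return {"leaking": leaking, "rate_per_s": rate, "seconds_to_quota": seconds}


# Constructed sample trace (not a real measurement): a process gaining about
# 100 GDI objects per second, the kind of steady climb the repro page produces.
SAMPLE_TRACE = [100, 200, 300, 400, 500]


def watch(pid: int, interval_s: float = 1.0, n_samples: int = 10) -> dict:
    """Poll a live process n_samples times and return the leak assessment."""
    trace: List[int] = []
    for _ in range(n_samples):
        counts = gui_handle_counts(pid)
        if counts is None:
            raise RuntimeError("cannot read GUI handle counts for pid %d" % pid)
        trace.append(counts[0])
        time.sleep(interval_s)
    return leak_assessment(trace, interval_s=interval_s)


if __name__ == "__main__":
    # Usage on Windows: python gdi_watch.py <pid of iexplore.exe>
    if len(sys.argv) == 2:
        print(watch(int(sys.argv[1])))
    else:
        print(leak_assessment(SAMPLE_TRACE))
```

Run against the PID of iexplore.exe while the repro page is open; a steadily rising GDI count with a shrinking seconds_to_quota is the signature described in the post. A healthy page jitters by a few objects and never crosses the 80% rising threshold.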