IE iFrame + Sun JVM + JS bug. Exploitable?
We encountered an interesting bug while working on our web interfaces. We
posted it to Sun, but we are curious if the security community sees any way to
exploit this in more than a DoS sense. This isn't our speciality, that's why we
are inquiring here.
This is a copy of the post to Sun's bug tracking, posted 2006-01-09.
A DESCRIPTION OF THE PROBLEM :
Running a simple script on a web page using Internet Explorer causes the IE GUI
handle count to grow up to 10000. This behavior can be reproduced only when running
Sun's JVM V1.5.0_06.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
No error message. When the application reaches over 10 000 GUI handles it goes
crazy: windows flickering, resizing, moving, etc. It looks like either handles that
aren't free are being re-used, or there's a buffer overflow into the memory
space of these 10k handles.
REPRODUCIBILITY :
This bug can be reproduced.
In a web page, in IE6.
---------- BEGIN SOURCE ----------
<!-- named input; IE exposes it to scripts as the global "cn" -->
<input name="cn"/>
<script>
var i = 0;
/* timer rewrites the field every 10 ms */
setInterval("i++; cn.value = i;", 10);
</script>
<!-- empty applet (loads the Java plug-in) next to an empty iframe -->
<applet width="10" height="10"></applet>
<iframe width="10" height="10"></iframe>
---------- END SOURCE ----------
Just monitor GDI handles (with Process Explorer, for example).
We tested on XP SP2, and Win2k SP4, fully patched. Only version 1.5.0_06
(latest) of Sun's JVM exhibits this bug. Previous versions appear to be OK.
MashX discovered/isolated this bug. Many thanks.
DrGuile
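The "just monitor GDI handles" advice above, turned into a small Python monitor. This is an added example, not part of the original post or of Sun's bug tracker. Windows enforces a per-process GDI object quota (10,000 by default, the figure the report trips over); at the quota, GDI object creation calls fail, and a process that does not check those failures tends to misbehave, which is one plausible mechanism behind the symptom described, though the post does not establish it. On Windows the script reads the live count of a given PID through the documented user32 GetGuiResources() call; the constructed sampler and constructed clock are stand-ins added here so the threshold and rate logic also run offline.

```python
"""GDI handle monitor for a Windows process (added example).

Polls a process's GDI object count, flags it as it approaches the
per-process quota, and projects when the quota will be hit. The live
sampler is Windows only; the constructed sampler below stands in for it.
"""
import ctypes
import sys
import time
from typing import Callable, List, Optional, Tuple

GR_GDIOBJECTS = 0                # GetGuiResources flag: count GDI objects
PROCESS_QUERY_INFORMATION = 0x0400
DEFAULT_GDI_QUOTA = 10_000       # Windows default per-process GDI handle quota

Sample = Tuple[float, int, str]  # (timestamp, gdi_count, status)


def win32_gdi_sampler(pid: int) -> Callable[[], int]:
    """Return a function reading the live GDI object count of `pid` (Windows only)."""
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed for pid %d" % pid)

    def sample() -> int:
        return user32.GetGuiResources(handle, GR_GDIOBJECTS)

    return sample


def classify(count: int, quota: int = DEFAULT_GDI_QUOTA, warn_ratio: float = 0.8) -> str:
    """'exhausted' at or above the quota, 'warn' at or above warn_ratio of it, else 'ok'."""
    if count >= quota:
        return "exhausted"
    if count >= warn_ratio * quota:
        return "warn"
    return "ok"


def monitor(sample: Callable[[], int], n_samples: int, interval: float,
            quota: int = DEFAULT_GDI_QUOTA,
            clock: Callable[[], float] = time.monotonic,
            sleep: Callable[[float], None] = time.sleep) -> List[Sample]:
    """Poll `sample()` up to n_samples times, `interval` seconds apart.

    Stops early once the count reaches the quota. `clock` and `sleep` are
    injectable so the logic can be exercised without waiting.
    """
    samples: List[Sample] = []
    for i in range(n_samples):
        count = sample()
        status = classify(count, quota)
        samples.append((clock(), count, status))
        if status == "exhausted" or i == n_samples - 1:
            break
        sleep(interval)
    return samples


def leak_rate(samples: List[Sample]) -> float:
    """Net GDI objects gained per second between the first and last sample."""
    t0, c0, _ = samples[0]
    t1, c1, _ = samples[-1]
    return 0.0 if t1 <= t0 else (c1 - c0) / (t1 - t0)


def seconds_to_quota(samples: List[Sample], quota: int = DEFAULT_GDI_QUOTA) -> Optional[float]:
    """Projected seconds until the quota at the observed rate; None if the count is not growing."""
    rate = leak_rate(samples)
    if rate <= 0:
        return None
    return max(0.0, (quota - samples[-1][1]) / rate)


def constructed_sampler(start: int = 200, per_poll: int = 1000) -> Callable[[], int]:
    """Constructed stand-in for win32_gdi_sampler: a process leaking per_poll handles per poll."""
    state = {"count": start}

    def sample() -> int:
        current = state["count"]
        state["count"] += per_poll
        return current

    return sample


def constructed_clock(step: float = 1.0) -> Callable[[], float]:
    """Constructed clock that returns 0.0 first and advances `step` seconds per call."""
    state = {"now": -step}

    def clock() -> float:
        state["now"] += step
        return state["now"]

    return clock


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:   # usage: python gdi_monitor.py <pid>
        samples = monitor(win32_gdi_sampler(int(sys.argv[1])), 30, 1.0)
    else:                                                # offline demo on constructed data
        samples = monitor(constructed_sampler(), 20, 1.0,
                          clock=constructed_clock(), sleep=lambda _s: None)
    for t, count, status in samples:
        print("t=%5.1fs gdi=%6d %s" % (t, count, status))
    eta = seconds_to_quota(samples)
    print("rate %.0f handles/s, %s" % (leak_rate(samples),
          "quota in %.1fs" % eta if eta is not None else "not growing"))
```

The 80% warning threshold is a choice for this example; on a host where the quota has been raised through the GDIProcessHandleQuota registry value, pass that figure as `quota` so the projection stays meaningful.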