IE DoS and possibly exploitable stack overflow

[Berend-Jan Wever <skylined () edup tudelft nl>]

------------------------------------------------------------
------------------------------------------------------------
---------------
Advisory
I discovered a flaw in IE a while ago that can kill IE and 
can halt the entier system under windows 9x. It didn't seem 
like a big deal to me at the time, but seeing the fuzz 
about Matthew Murphy's discovery of a similar IE DoS (see 
bugtraq post at the bottom of this message) I hereby 
republish it and inform the vendor, Microsoft, about the 
problem.

Kind regards,


Berend-Jan Wever

------------------------------------------------------------
------------------------------------------------------------
---------------
Affected software versions
Every versionof IE (up to 6.0 fully patched) seems to be 
affected. The stability of Windows 9x can be affected by 
crashing IE.

------------------------------------------------------------
------------------------------------------------------------
---------------
Explanation of the flaw
Exploitation causes a stack overflow. This will probably be 
exploitable but I am not familiar with stack overflow 
exploitation so I will leave that to the real h4x0rs.

Basic example of the flaw:
<IMG src="::" onError="this.src='::';">
What this does:
1) It creates an image with an invalid src
2) IE tries to show the picture but can't: it fires the 
onError-event
3) The onError-event resets the src attribute to the same 
invalid src.
4) goto 2

As you can see, it's based on an infinite loop: The onError 
event causes itself. Every time the onError event fires 
another return addresses is pushed on the stack until it's 
filled up and overflows.
Various variants of this error cause various overflows in 
various DLL's.
IE 6.0 seems to be better protected against fatal crashes 
than IE 5.0 and windows 2000 seems te be unaffected while 
some variants will cause overflow in kernel32.dll and halt 
win9x.
IE 6.0 will report the overflow with a popup message and 
continue to function most of the time but some variants 
will terminate all open IE windows without notification.

------------------------------------------------------------
------------------------------------------------------------
---------------
More details
More details about various variants of this flaw can be 
found on my website. As you can imagine there are a lot of 
possibilities to create infinite loops.
http://spoor12.edup.tudelft.nl

------------------------------------------------------------
------------------------------------------------------------
---------------
Vendor status
Microsoft is hereby informed of the problem. As far as I 
know, Infinite loops have been known to be a problem for 
some time now, that's why IE 6.0 is more stable (but not 
stable enough.)

------------------------------------------------------------
------------------------------------------------------------
---------------
Origional message to bugtraq by Matthew Murphy
The Flaw

    OBJECT elements are used for embedded OLE in HTML 
documents.  A flaw in
the way Microsoft Internet Explorer processes this 
directive allows a page
that causes a loop in object dependancy, or loads itself in 
a certain manner
in an OBJECT, to completely crash Internet Explorer.

The Exploit

    To date, I have discovered 4 points of exploitation to 
crash the
browser.  My favorite example is this one:

---- [ CRASH.HTM ] ----
&lt;OBJECT DATA="CRASH.HTM" TYPE="text/html">&lt;/OBJECT&gt;
---- [ CRASH.HTM ] ----

IE dies inside shdocvw.dll with a call stack overflow.

Fixes

    Set "Run ActiveX Controls and Plugins" to disabled in 
ALL zones.  An XML
Island DSO may even be able to get past this, however.  I 
would expect this
bug to fixed in a future IE service pack, though there's 
been no
confirmation/details of that from Microsoft.