Re: Remote overflow in MSIE script action handlers (mshtml.dll)

[Michal Zalewski <lcamtuf () dione ids pl>]

On Thu, 16 Mar 2006, Master Phoxpherus wrote:

> Hmm. I'm running a Windows 98 SE box and just tried what you said.
> Didn't effect me "instantly" or after a time period. You sure you're not
> just seeing shit? :P

Yes, and a number of people have confirmed this problem thus far
(including the author of the initial reply to my post). I did not test it
on Windows 98, however, and I cannot (nor want to) comment on its memory
management antics.

> Plus, keeping it real, there's a fair difference between a BoF that you
> can perform easily remotely, and a BoF you have to talk people into.
> "Hey, dude... can you just type <command> and if it don't work, hit
> refresh a few times?" ... can you see it?

Yes, I can. The instructions I provided are *not* a prerequisite to
overwrite memory. They're merely a recommendation to make the PoC reliably
crash your browser, should you want to confirm the problem independently
without much research.

I have all reasons to believe that this problem *is* exploitable without
having to talk anyone into it - having mshtml.dll render a specially
crafted webpage or a sequence of meta-refresh webpages is very much
sufficient.

/mz