> Here's a detailed description of what's going wrong with [STYLE]@;/*
>
> The problem is the unterminated comment "/*"; IE computes the length of
> the comment for a memcpy operation by subtracting the end pointer from
> the start pointer. The comment starts behind "/*" and should end at "*/",
> but since there is no terminator, the start of the string is used. IE
> therefore calculates the string to be -2 unicode characters long. The
> subsequent memcpy will try to copy 0xFFFFFFFE bytes until it gets a read
> or write exception. (You will see the offending instruction is a REP
> MOVSD)
>
> Unfortunately for us hackers, I believe you cannot control the length
> value for the memcpy other than setting it to -2. So you will always cause
> a read or write exception. You will only overwrite a small part of the
> heap before the exception is caused so overwriting the SEH to controlling
> execution is also ruled out.
>
> Conclusion: lame DoS
>
> I did find another way to use this to cause an exception at a different
> location:
> [SCRIPT]
> <snip>
> [/SCRIPT]
>
> This will crash because of a null pointer in a CMP [ESI], 0.
> It didn't look interesting to me, so no detailed investigation.
>
> Cheers,

Cheers, nice analysis, nasty bug, I bet the guy who wrote the code is feeling very sheepish :o)

TCS