A stack overflow vulnerability that can be remotely exploited exists in the Internet Explorer scripting engines, both VBscript and Jscript. The thread stack can be quickly consumed and forced to cross its memory boundaries. That could be done by, for example, a simple recurrent-call infinite loop. Although there is a protection preventing from continuation of the script execution after the interpreter's stack has been consumed, there is a lack in it, that could be exploited by invoking the change of the "location" URL global variable, before every call nesting level. It also doesn't need the call to be strictly recurrent, any infinte call-loop (even across JScript and VBScript functions) or finite but deep enough to consume all the IE thread stack memory will exploit this vulnerability as well. To exploit this vulnerability an attacker has to induce a user to visit a specialy crafted web site where a malicious code exists. DoS attack as well as remote code execution are possible. The following configurations has been tested and found vulnerable: Windows 2000 sp4 fully patched Windows XP professional Windows 98 SE An example Proof of Concept DoS exploit: http://www.anspi.pl/~fex/recurrboom.html Vulnerability found and details provided by: porkythepig Contact: porkythepig@xxxxxxxx
