Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
IE iFrame + Sun JVM + JS bug. Exploitable?
Date: Tue Mar 07 2006 - 12:59:18 CST
We encountered an interesting bug while working on our web interfaces. We posted it to Sun, but we are curious if the security community sees any way to exploit this in more than a DOS sense. This isnt our speciality, that's why we are inquiring here.
This is a copy of the post to Sun's bug tracking, posted 2006-01-09
A DESCRIPTION OF THE PROBLEM :
Running a simple script on a web page using Internet Explorer cause the IE GUI Handles to grow up to 10000. This behavior can be reproduced only when running Sun's JVM V1.5.0_06.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
No error message. When application reaches over 10 000 GUI Handles it goes crazy. Windows flicking, resizing, moving. etc. Looks like either handles that arent free are being re-used, or there's a buffer overflow into the memory space of these 10k handles.
This bug can be reproduced.
In a web page, in IE6.
---------- BEGIN SOURCE ----------
var i = 0;
setInterval("i++; cn.value = i;", 10);
<applet width="10" height="10"></applet>
<iframe width="10" height="10"></iframe>
---------- END SOURCE ----------
Just monitor GDI handles (with processExplorer for example)
We tested on XP SP2, and Win2k SP4, fully patched. Only version 1.5.0_06 (latest) of Sun's JVM exhibit this bug. Previous version appear to be ok. MashX discovered/isolated this bug. Much thanks.