Periodically we get reports into the MSRC of stack exhaustion in client-side
applications such as Internet Explorer, Word, etc. These are valid stability
bugs that, fortunately, do not lead to an exploitable condition by themselves
(no potential for elevation of privilege). We wanted to clarify the
distinction between stack exhaustion and stack buffer overflow. Stack buffer
overflows often lead to elevation of privilege. Unfortunately, the
literature tends to use "stack overflow" to refer to both cases, hence the
confusion. The error code STATUS_STACK_BUFFER_OVERRUN (0xc0000409) refers to
a stack buffer overflow, while the error code STATUS_STACK_OVERFLOW
(0xc00000fd) refers to stack exhaustion.

On Bugtraq this morning, there was a public post of a stack exhaustion bug
that, fortunately, does not lead to arbitrary code execution. Let's take a
closer look at it and a few other examples. We'll start with today's Bugtraq
posting:

<INPUT type="text" name="A" value="CCCCCCCCCCCCCCCCCCCC(many thousands)">

When IE attempts to parse this HTML, it runs out of stack space. Hooking up
Windbg, you will observe the following first-chance exception:

(f9c.5b8): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0337304c ecx=09410040 edx=0007c3c0 esi=00000000 edi=0346b800
eip=77f66627 esp=03373000 ebp=03373000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
77f66627 56              push    esi

The stack is simply exhausted and there is no possibility of running
arbitrary code in this case. Let's look at a few others.
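The two NTSTATUS codes above are what a triager keys on when sorting a crash report. As an added example (not code from the original post), the script below parses the Windbg first-chance exception line quoted above and maps the code to the distinction the post draws: stack exhaustion (0xc00000fd, a stability issue) versus a stack buffer overrun (0xc0000409, a security issue). The second exception line in the sample log is constructed for illustration and is not from the post; any code other than the two discussed is reported as unknown rather than guessed at.

```python
import re

# Added example, not code from the original post. Parses Windbg exception
# lines and classifies them by NTSTATUS code using the two codes the post
# contrasts: exhaustion (0xc00000fd) versus a /GS stack cookie failure (0xc0000409).

STATUS_STACK_OVERFLOW = 0xC00000FD        # stack exhausted: guard page hit
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409  # stack buffer overflow: /GS check failed

# Symbolic name, what the code means, and how the post says each is triaged.
CLASSIFICATION = {
    STATUS_STACK_OVERFLOW: (
        "STATUS_STACK_OVERFLOW", "stack exhaustion", "stability/reliability"),
    STATUS_STACK_BUFFER_OVERRUN: (
        "STATUS_STACK_BUFFER_OVERRUN", "stack buffer overflow", "security"),
}

# Matches lines of the form:
#   (f9c.5b8): Stack overflow - code c00000fd (first chance)
EXC_LINE = re.compile(
    r"^\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\):\s*"
    r"(?P<desc>.*?)\s*-\s*code\s+(?P<code>[0-9a-f]{8})\s*"
    r"\((?P<chance>[^)]*chance[^)]*)\)",
    re.IGNORECASE,
)


def parse_exception_line(line):
    """Return a dict for a Windbg exception line, or None for any other line."""
    m = EXC_LINE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"), 16)
    name, meaning, disposition = CLASSIFICATION.get(
        code, ("UNKNOWN", "not classified by this script", "needs analysis"))
    return {
        "pid": int(m.group("pid"), 16),
        "tid": int(m.group("tid"), 16),
        "code": code,
        "name": name,
        "meaning": meaning,
        "disposition": disposition,
        "first_chance": "first" in m.group("chance").lower(),
    }


def triage(log_text):
    """Classify every exception line in a Windbg transcript, in order."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_exception_line(line)
        if parsed is not None:
            hits.append(parsed)
    return hits


# Constructed sample: the post's own exhaustion line, a register-dump line
# that must be ignored, and a made-up /GS failure line from a hypothetical
# second session (not from the post).
SAMPLE_LOG = """\
(f9c.5b8): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
eax=00000000 ebx=0337304c ecx=09410040 edx=0007c3c0 esi=00000000 edi=0346b800
(1a2c.0b30): Security check failure or stack buffer overrun - code c0000409 (first chance)
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['name']} ({hit['code']:#010x}): "
              f"{hit['meaning']} -> triage as {hit['disposition']}")
```

Running the script over the sample prints one line per exception; the first is routed to the product team as a reliability bug, the second is flagged for security triage. Feeding it a real transcript with `triage(open(path).read())` works the same way, since register dumps and other noise never match the pattern.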

The next issue was also reported in IE recently:

<SCRIPT>
foo = new Array();
while(true) {foo = new Array(foo).sort();}
</SCRIPT>

Again, the HTML has requested an extraordinary amount of stack space. IE
attempts to allocate the space and eventually runs out. Unable to process the
HTML, it returns a stack overflow / exhaustion error (0xc00000fd).

One last example is from April 2008 and, again, it leads to a stack
overflow/exhaustion error (0xc00000fd):

<form name='myform'>
<input name='text' type='text' />
<input name='Submit' type='submit' />
</form>

<script>
// The form must exist before the script references document.myform.
var str = "aaaaaaaaaaaaaaa(many thousands)"
document.myform.text.value = str
document.myform.submit()
</script>

As you can see, there are several ways of reaching a stack exhaustion
condition. Fortunately, these are stability issues that by themselves cannot
lead to remote code execution. The condition arises when a client-side
application parsing input cannot allocate enough stack space to complete an
operation, as in the examples here, where a web page drives the parser to
consume as much stack as possible until it runs out of space.
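The parser-side view of this is worth seeing in code. As an added example (not code from the original post or from any Microsoft product), the Python below models a recursive-descent parser for nested lists in two forms: one that recurses without limit, so deeply nested input exhausts the interpreter's call stack (Python reports this as RecursionError, its counterpart of the native STATUS_STACK_OVERFLOW condition), and one with an explicit depth budget that rejects the input with an ordinary error long before the stack is at risk. The grammar, the depth limit of 64 and the inputs are all constructed for the example.

```python
# Added example, not code from the original post. Models the failure mode the
# post describes (a recursive parser running out of stack on deeply nested
# input) next to the guard a parser can apply: an explicit depth limit that
# turns the condition into a normal parse error before the stack runs out.


class NestingTooDeep(ValueError):
    """Raised when input nests deeper than the parser is willing to recurse."""


def parse_unguarded(text, pos=0):
    """Parse nested '[...]' lists with no depth check.

    Every '[' recurses once, so input nesting depth maps directly onto call
    stack depth. Returns (parsed_value, next_position).
    """
    if pos >= len(text) or text[pos] != "[":
        raise ValueError(f"expected '[' at offset {pos}")
    pos += 1
    items = []
    while pos < len(text) and text[pos] != "]":
        item, pos = parse_unguarded(text, pos)
        items.append(item)
    if pos >= len(text):
        raise ValueError("unterminated list")
    return items, pos + 1


def parse_guarded(text, max_depth=64, pos=0, depth=0):
    """Same grammar with a depth budget: refuses input nested past max_depth."""
    if depth > max_depth:
        raise NestingTooDeep(f"nesting exceeds {max_depth} at offset {pos}")
    if pos >= len(text) or text[pos] != "[":
        raise ValueError(f"expected '[' at offset {pos}")
    pos += 1
    items = []
    while pos < len(text) and text[pos] != "]":
        item, pos = parse_guarded(text, max_depth, pos, depth + 1)
        items.append(item)
    if pos >= len(text):
        raise ValueError("unterminated list")
    return items, pos + 1


def classify_failure(parser, text):
    """Run a parser and report which outcome the input produced."""
    try:
        parser(text)
        return "ok"
    except NestingTooDeep:
        return "rejected: nesting limit"
    except RecursionError:
        return "crashed: stack exhausted"
    except ValueError:
        return "rejected: malformed"


# Constructed inputs: a small sane document and one nested far deeper than any
# reasonable document, in the spirit of the post's "(many thousands)" payloads.
SANE = "[[[]][]]"
DEEP = "[" * 100_000 + "]" * 100_000

if __name__ == "__main__":
    for name, parser in (("unguarded", parse_unguarded), ("guarded", parse_guarded)):
        print(f"{name:9s} sane -> {classify_failure(parser, SANE)}")
        print(f"{name:9s} deep -> {classify_failure(parser, DEEP)}")
```

The guarded parser returns the same result as the unguarded one on ordinary input; the difference shows only on the hostile case, where the depth budget converts what would be a process-level exhaustion crash into a rejected document that the caller can handle like any other malformed input.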

We are always happy to triage bugs sent to [email protected]. Please send
them in to us. We are definitely committed to engineering and security
excellence. We evaluate every report and determine whether to service it
as a security issue or whether to hand it off to the product team to fix as
a reliability and stability issue. For each security issue, we will triage
against the SDL bug bar (sample bug bar:
http://msdn.microsoft.com/en-us/library/cc307404.aspx) and
address it via the MSRC security bulletin process. All issues (such as these
stack exhaustion bugs) that are stability or reliability issues are triaged
according to customer impact and addressed in future releases of the
product.

- Jonathan Ness, SVRD blogger

*Posting is provided "AS IS" with no warranties, and confers no rights.*

References:

STATUS_STACK_OVERFLOW (0xc00000fd):

   - Debugging a Stack Overflow
   http://msdn.microsoft.com/en-us/library/cc267849.aspx
   - StackOverflowException Class
   http://msdn.microsoft.com/en-us/library/system.stackoverflowexception(VS.71).aspx

STATUS_STACK_BUFFER_OVERRUN (0xc0000409):

   - Analyze Crashes to Find Security Vulnerabilities in Your Apps
   http://msdn.microsoft.com/en-us/magazine/cc163311.aspx
