咳,AY也研究溢出了?
2009/1/29 ayaREI <[email protected]>
> Periodically we get reports into the MSRC of stack exhaustion in
> client-side applications such as Internet Explorer, Word, etc. These are
> valid stability bugs that, fortunately, do not lead to an exploitable
> condition by itself (no potential for elevation of privilege). We wanted to
> clarify the distinction between stack exhaustion and stack buffer overflow.
> Stack buffer overflows often lead to elevation of privilege. Unfortunately,
> the literature tends to use stack overflow to refer to both cases, hence the
> confusion. The error code STATUS_STACK_BUFFER_OVERRUN (0xc0000409) refers to
> a stack buffer overflow while the error code STATUS_STACK_OVERFLOW
> (0xc00000fd) refers to stack exhaustion.
>
> On Bugtraq this morning, there was a public post of a stack exhaustion bug
> that, fortunately, does not lead to arbitrary code execution. Let's take a
> closer look at it and a few other examples. We'll start with today's Bugtraq
> posting:
>
> <INPUT type="text" name="A" value="CCCCCCCCCCCCCCCCCCCC(many thousands)">
>
> When IE attempts to parse this HTML, it runs out of stack space. Hooking up
> Windbg, you will observe the following first-chance exception:
>
> (f9c.5b8): Stack overflow - code c00000fd (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=00000000 ebx=0337304c ecx=09410040 edx=0007c3c0 esi=00000000 edi=0346b800
> eip=77f66627 esp=03373000 ebp=03373000 iopl=0 nv up ei pl nz na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
> 77f66627 56 push esi
>
> The stack is simply exhausted and there is no possibility of running
> arbitrary code in this case. Let's look at a few others.
>
> The next issue was also reported in IE recently:
>
> <SCRIPT>
> foo = new Array();
> while(true) {foo = new Array(foo).sort();}
> </SCRIPT>
>
> Again, the HTML has requested an extra-ordinary amount of stack space. IE
> attempts to allocate space and it eventually runs out. Unable to process the
> HTML, it returns a stack overflow / exhaustion error (0xc00000fd).
>
> One last example is from April 2008 and, again, it leads to a stack
> overflow/exhaustion error (0xc00000fd):
>
> var str = "aaaaaaaaaaaaaaa(many thousands)"
> document.myform.text.value = str
> document.myform.submit()
>
> <form name='myform'>
> <input name='text' type='text' />
> <input name='Submit' type='submit' />
> </form>
>
> As you can see, there are several ways of reaching a stack exhaustion
> condition. Fortunately, these are stability issues that by themselves cannot
> lead to remote code execution. This happens when a parsing client-side
> application cannot allocate enough stack space to complete an operation (as
> shown in the examples here where a web page was attempting to allocate as
> much stack as possible and eventually runs out of space).
>
> We are always happy to triage bugs sent to [email protected]. Please
> send them in to us. We are definitely committed to engineering and security
> excellence. We evaluate every report and determine whether to service them
> as security issues or whether to hand them off to the product team to fix as
> reliability and stability issues. For each security issues, we will triage
> against the SDL bug bar (link to sample bug
> bar<http://msdn.microsoft.com/en-us/library/cc307404.aspx>) and
> address via the MSRC security bulletin process. All issues (such as these
> stack exhaustion bugs) that are stability or reliability issues are triaged
> according to customer impact and addressed in future releases of the
> product.
>
> - Jonathan Ness, SVRD blogger
>
> *Posting is provided "AS IS" with no warranties, and confers no rights.*
>
> References:
>
> STATUS_STACK_OVERFLOW (0xc00000fd ):
>
> - Debugging a Stack Overflow
> http://msdn.microsoft.com/en-us/library/cc267849.aspx
> - StackOverflowException Class
>
> http://msdn.microsoft.com/en-us/library/system.stackoverflowexception(VS.71).aspx
>
>
> STATUS_STACK_BUFFER_OVERRUN (0xc0000409):
>
> - Analyze Crashes to Find Security Vulnerabilities in Your Apps
> http://msdn.microsoft.com/en-us/magazine/cc163311.aspx
>
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
要向邮件组发送邮件,请发到 [email protected]
要退订此邮件,请发邮件至 [email protected]
-~----------~----~----~----~------~----~------~--~---
