I'm just a dabbler, I don't understand any of this.... Boss, won't you teach me too?

On Jan 29, 5:41 pm, raystyle <[email protected]> wrote:
> Oh, so AY has looked into this too?
>
> 2009/1/29 ayaREI <[email protected]>
>
> > Periodically we get reports into the MSRC of stack exhaustion in
> > client-side applications such as Internet Explorer, Word, etc. These are
> > valid stability bugs that, fortunately, do not lead to an exploitable
> > condition by themselves (no potential for elevation of privilege). We
> > wanted to clarify the distinction between stack exhaustion and stack
> > buffer overflow. Stack buffer overflows often lead to elevation of
> > privilege. Unfortunately, the literature tends to use "stack overflow" to
> > refer to both cases, hence the confusion. The error code
> > STATUS_STACK_BUFFER_OVERRUN (0xc0000409) refers to a stack buffer
> > overflow, while the error code STATUS_STACK_OVERFLOW (0xc00000fd) refers
> > to stack exhaustion.
> >
> > On Bugtraq this morning, there was a public post of a stack exhaustion
> > bug that, fortunately, does not lead to arbitrary code execution. Let's
> > take a closer look at it and a few other examples. We'll start with
> > today's Bugtraq posting:
> >
> >   <INPUT type="text" name="A" value="CCCCCCCCCCCCCCCCCCCC(many thousands)">
> >
> > When IE attempts to parse this HTML, it runs out of stack space. Hooking
> > up Windbg, you will observe the following first-chance exception:
> >
> >   (f9c.5b8): Stack overflow - code c00000fd (first chance)
> >   First chance exceptions are reported before any exception handling.
> >   This exception may be expected and handled.
> >   eax=00000000 ebx=0337304c ecx=09410040 edx=0007c3c0 esi=00000000 edi=0346b800
> >   eip=77f66627 esp=03373000 ebp=03373000 iopl=0         nv up ei pl nz na pe nc
> >   cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
> >   77f66627 56              push    esi
> >
> > The stack is simply exhausted and there is no possibility of running
> > arbitrary code in this case. Let's look at a few others.
> >
> > The next issue was also reported in IE recently:
> >
> >   <SCRIPT>
> >   foo = new Array();
> >   while(true) {foo = new Array(foo).sort();}
> >   </SCRIPT>
> >
> > Again, the HTML has requested an extraordinary amount of stack space. IE
> > attempts to allocate space and it eventually runs out. Unable to process
> > the HTML, it returns a stack overflow / exhaustion error (0xc00000fd).
> >
> > One last example is from April 2008 and, again, it leads to a stack
> > overflow/exhaustion error (0xc00000fd):
> >
> >   var str = "aaaaaaaaaaaaaaa(many thousands)"
> >   document.myform.text.value = str
> >   document.myform.submit()
> >
> >   <form name='myform'>
> >   <input name='text' type='text' />
> >   <input name='Submit' type='submit' />
> >   </form>
> >
> > As you can see, there are several ways of reaching a stack exhaustion
> > condition. Fortunately, these are stability issues that by themselves
> > cannot lead to remote code execution. This happens when a parsing
> > client-side application cannot allocate enough stack space to complete an
> > operation (as shown in the examples here, where a web page was attempting
> > to allocate as much stack as possible and eventually runs out of space).
> >
> > We are always happy to triage bugs sent to [email protected]. Please
> > send them in to us. We are definitely committed to engineering and
> > security excellence. We evaluate every report and determine whether to
> > service them as security issues or whether to hand them off to the
> > product team to fix as reliability and stability issues. For each
> > security issue, we will triage against the SDL bug bar (link to sample
> > bug bar <http://msdn.microsoft.com/en-us/library/cc307404.aspx>) and
> > address it via the MSRC security bulletin process. All issues (such as
> > these stack exhaustion bugs) that are stability or reliability issues are
> > triaged according to customer impact and addressed in future releases of
> > the product.
> >
> > - Jonathan Ness, SVRD blogger
> >
> > *Posting is provided "AS IS" with no warranties, and confers no rights.*
> >
> > References:
> >
> > STATUS_STACK_OVERFLOW (0xc00000fd):
> >
> > - Debugging a Stack Overflow
> >   http://msdn.microsoft.com/en-us/library/cc267849.aspx
> > - StackOverflowException Class
> >   http://msdn.microsoft.com/en-us/library/system.stackoverflowexception...
> >
> > STATUS_STACK_BUFFER_OVERRUN (0xc0000409):
> >
> > - Analyze Crashes to Find Security Vulnerabilities in Your Apps
> >   http://msdn.microsoft.com/en-us/magazine/cc163311.aspx
--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to [email protected]
To unsubscribe, send email to [email protected]
-~----------~----~----~----~------~----~------~--~---
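The distinction the quoted post draws (STATUS_STACK_OVERFLOW 0xc00000fd is exhaustion, STATUS_STACK_BUFFER_OVERRUN 0xc0000409 is a /GS cookie failure) is the first thing a crash-triage script checks. The Python below is an added example written for this page, not code from the post, from Microsoft or from anyone on this list: it parses the WinDbg first-chance banner and x86 register dump quoted above and classifies the crash. The first banner is the one from the post verbatim; the other two are constructed inputs, not real crashes. The page-alignment, ebp==esp and repeated-byte-register checks are triage heuristics of my own, not anything the post asserts.

```python
"""Triage WinDbg exception banners: stack exhaustion vs stack buffer overrun (added example)."""
import re

# NTSTATUS values named in the quoted post.
STATUS_ACCESS_VIOLATION     = 0xC0000005
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409   # /GS cookie check failed -> security bug
STATUS_STACK_OVERFLOW       = 0xC00000FD   # guard page hit -> stack exhaustion (stability)

# e.g. "(f9c.5b8): Stack overflow - code c00000fd (first chance)"
BANNER_RE = re.compile(
    r"\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\):\s*(?P<desc>.+?)\s*-\s*code\s+"
    r"(?P<code>[0-9a-f]{8})\s*\((?:!!! )?(?P<chance>first|second) chance(?: !!!)?\)",
    re.IGNORECASE,
)
# x86 register dump: eax=... ebx=... eip=... esp=... ebp=... efl=...
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip|efl)=([0-9a-f]{8})\b", re.IGNORECASE)

# Verbatim banner from the quoted post (IE stack exhaustion).
EXHAUSTION_BANNER = """\
(f9c.5b8): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0337304c ecx=09410040 edx=0007c3c0 esi=00000000 edi=0346b800
eip=77f66627 esp=03373000 ebp=03373000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
77f66627 56              push    esi
"""
# Constructed banners (not real crashes): a /GS failure, and an access
# violation with registers full of 0x41 filler.
GS_BANNER = """\
(1a2c.2b3d): Security check failure or stack buffer overrun - code c0000409 (first chance)
eax=00000000 ebx=00000000 ecx=41414141 edx=00000000 esi=00000000 edi=00000000
eip=7c90e4f4 esp=0012fb00 ebp=0012fb1c iopl=0         nv up ei pl zr na pe nc
"""
AV_BANNER = """\
(3e4f.4a5b): Access violation - code c0000005 (first chance)
eax=41414141 ebx=0012ff60 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=41414141 esp=0012fe7c ebp=41414141 iopl=0         nv up ei pl nz na po nc
"""

def parse_banner(text):
    """Return exception code, chance and x86 registers from a WinDbg banner, or None."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    regs = {name.lower(): int(val, 16) for name, val in REG_RE.findall(text)}
    return {"desc": m["desc"], "code": int(m["code"], 16),
            "chance": m["chance"].lower(), "regs": regs}

def looks_like_filler(value):
    """Heuristic: all four bytes identical and non-zero (0x41414141, 0xcccccccc) smells like attacker data."""
    b = value.to_bytes(4, "little")
    return len(set(b)) == 1 and b[0] != 0

def classify(exc):
    """Map a parsed banner to (kind, disposition, notes), following the post's split."""
    code, regs = exc["code"], exc["regs"]
    notes = []
    if code == STATUS_STACK_OVERFLOW:
        esp = regs.get("esp")
        if esp is not None and esp & 0xFFF == 0:
            # Heuristic: esp on a page boundary means the faulting push wrote
            # into the guard page just below the committed stack.
            notes.append("esp is page-aligned: faulting push hit the stack guard page")
        if esp is not None and regs.get("ebp") == esp:
            notes.append("ebp == esp: fault in a freshly set-up frame, typical of deep recursion")
        return "stack-exhaustion", "stability", notes
    if code == STATUS_STACK_BUFFER_OVERRUN:
        notes.append("/GS cookie check failed: stack buffer overrun, treat as security")
        return "stack-buffer-overrun", "security", notes
    if code == STATUS_ACCESS_VIOLATION:
        for name in ("eip", "ebp", "esp"):
            if name in regs and looks_like_filler(regs[name]):
                notes.append(f"{name}={regs[name]:08x} looks attacker-controlled")
        return "access-violation", ("security" if notes else "needs-analysis"), notes
    return "other", "needs-analysis", notes

def triage(text):
    """One-shot helper: banner text -> (kind, disposition, notes)."""
    exc = parse_banner(text)
    if exc is None:
        raise ValueError("no WinDbg exception banner found")
    return classify(exc)

if __name__ == "__main__":
    for label, banner in (("post", EXHAUSTION_BANNER), ("gs", GS_BANNER), ("av", AV_BANNER)):
        kind, disposition, notes = triage(banner)
        print(f"{label}: {kind} -> {disposition}; " + "; ".join(notes))
```

Run over the post's own dump this reports stack-exhaustion / stability with both exhaustion hints firing (esp=03373000 is page-aligned and equals ebp, so the `push esi` at 77f66627 is the first write of a new frame landing in the guard page). A 0xc0000409 banner is filed as security with no further analysis, which matches the post's bug-bar treatment; a plain access violation is only escalated when a control register carries filler, otherwise it is left for manual analysis.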

