lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 16 Mar 2006 23:12:56 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: Master Phoxpherus <phoxpherus@...mail.co.uk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Remote overflow in MSIE script action handlers (mshtml.dll)


On Thu, 16 Mar 2006, Master Phoxpherus wrote:

> Hmm. I'm running a Windows 98 SE box and just tried what you said.
> Didn't effect me "instantly" or after a time period. You sure you're not
> just seeing shit? :P

Yes, and a number of people have confirmed this problem thus far
(including the author of the initial reply to my post). I did not test it
on Windows 98, however, and I cannot (nor want to) comment on its memory
management antics.

> Plus, keeping it real, there's a fair difference between a BoF that you
> can perform easily remotely, and a BoF you have to talk people into.
> "Hey, dude... can you just type <command> and if it don't work, hit
> refresh a few times?" ... can you see it?

Yes, I can. The instructions I provided are *not* a prerequisite to
overwrite memory. They're merely a recommendation to make the PoC reliably
crash your browser, should you want to confirm the problem independently
without much research.

I have all reasons to believe that this problem *is* exploitable without
having to talk anyone into it - having mshtml.dll render a specially
crafted webpage or a sequence of meta-refresh webpages is very much
sufficient.

/mz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ