| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat Jan 14 11:26:48 2006 From: guninski at guninski.com (Georgi Guninski) Subject: Steve Gibson smokes crack? On Fri, Jan 13, 2006 at 05:55:17PM -0500, eric williams wrote: > however, the question is I gather flowing from the Gibson commentary, > how or what exactly causes WINE to execute the code pointed at by the > SetAbortProc record? Is it the "incorrect record length" is it some > other munged input, is it "by design" which has also been alluded to, > and seems to be your reference here. > http://www.grc.com/sn/SN-022.htm ---- So what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. ... It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one. ---- using invalid values to exploit a "design flaw" is "strange" at least. can someone comment if the claim about the length is true? -- where do you want bill gates to go today? EOM
Powered by blists - more mailing lists