Date: Sat Jan 14 12:56:18 2006
From: fd at blad3.ro (blad3)
Subject: Steve Gibson smokes crack?

Hello Georgi,

Saturday, January 14, 2006, 1:26:36 PM, you wrote:

> On Fri, Jan 13, 2006 at 05:55:17PM -0500, eric williams wrote:
>> however, the question is I gather flowing from the Gibson commentary,
>> how or what exactly causes WINE to execute the code pointed at by the
>> SetAbortProc record?  Is it the "incorrect record length" is it some
>> other munged input, is it "by design" which has also been alluded to,
>> and seems to be your reference here.
>>

> http://www.grc.com/sn/SN-022.htm
> ----
> So what I found was that, when I deliberately lied about the size of this
> record and set the size to one and no other value, and I gave this particular
> byte sequence that makes no sense for a metafile, then Windows created a
> thread and jumped into my code, began executing my code. 

> ...

> It turns out that the only way to get Windows to misbehave in this bizarre
> fashion is to set the length to one, which is an impossible value. I tried
> setting it to zero. It didn't trigger the exploit. I tried setting it to two,
> no effect. Three, no effect. Nothing, not even the correct length. Only one.

The claim about the length is not true.

http://it.slashdot.org/comments.pl?sid=173878&cid=14466008

Btw, somebody else in this thread already proved that.

> using invalid values to exploit a "design flaw" is "strange" at least.
> can someone comment if the claim about the length is true?
-- 
Best regards,
 blad3                            mailto:fd@...d3.ro
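The record-length point argued above, as an added example that is not part of this thread or any poster's code: a small WMF record walker written here for detection, which flags a META_ESCAPE record carrying the SETABORTPROC escape (function 0x0626, escape 9) whatever its rdSize field claims, instead of keying on a "length of one". The metafile it scans is constructed inline by `make_sample` (headers, the escape record header, and META_EOF only); `scan_wmf` and `make_sample` are names chosen for this example.

```python
import struct

# Documented WMF values: META_ESCAPE record function, the SETABORTPROC
# escape number it can carry, and the placeable-header magic.
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7

def scan_wmf(data: bytes):
    """Walk WMF records and return (offset, rdSize_words, reason) findings.
    Records are advanced by their own rdSize (counted in 16-bit words);
    a record shorter than the 3-word minimum cannot be stepped over, so
    the walk stops after reporting it."""
    findings = []
    off = 0
    # An optional 22-byte placeable (Aldus) header precedes METAHEADER.
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:  # the 18-byte METAHEADER must be present
        return [(0, 0, "truncated header")]
    off += 18
    while off + 6 <= len(data):
        rd_size, rd_func = struct.unpack_from("<IH", data, off)
        if rd_size < 3:
            findings.append((off, rd_size, "undersized record"))
        # Flag the escape whatever rdSize claims, not only when it is 1.
        if rd_func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                findings.append((off, rd_size, "SETABORTPROC escape"))
        if rd_func == 0 or rd_size < 3:  # META_EOF, or cannot advance
            break
        off += rd_size * 2
    return findings

def make_sample(rd_size: int) -> bytes:
    """Constructed sample (not a real file): placeable + standard header,
    one META_ESCAPE/SETABORTPROC record with rdSize forced to rd_size,
    then META_EOF.  Nothing follows the record header."""
    placeable = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    header = struct.pack("<HHHIHIH", 1, 9, 0x300, 0, 0, 0, 0)
    escape = struct.pack("<IHHH", rd_size, META_ESCAPE, SETABORTPROC, 0)
    eof = struct.pack("<IH", 3, 0)
    return placeable + header + escape + eof

if __name__ == "__main__":
    for size in (5, 1):
        print(size, scan_wmf(make_sample(size)))
```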