lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
This website is powered by Openwall GNU/*/Linux security-enhanced OS
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Mon, 02 Apr 2007 01:49:42 -0700
From: Alexander Sotirov <asotirov@...ermina.com>
To: Larry Seltzer <Larry@...ryseltzer.com>
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

Larry Seltzer wrote:
> Perhaps your exploit proves this wrong, but it's the last I heard on the
> subject. And even if there are only 256 slots how do you try more than
> one? Isn't the first wrong one going to crash the browser?

Read our advisory:
http://www.determina.com/security.research/vulnerabilities/ani-header.html

It explains that the vulnerable code is wrapped in an exception handler that
recovers from access violations. That means that you can trigger the exploit
multiple times and try different addresses, increasing the chance of hitting the
right one (you only need 128 tries on average)

A much simpler solution is to use heap spraying (which works fine on Vista) for
systems that don't have DEP enabled.

> As for the exploits in protected mode I'm sure there are things you can
> do, but it's a huge step down from what you can do in XP and it's gone
> as soon as you exit IE7

Unless somebody has a Vista exploit for the CSRSS kernel bug :-) In general I
agree that protected mode presents additional constraints on exploitation, but I
would reserve judgment until we've seen a few more exploits and more public
research.

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux