lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 Apr 2007 19:35:27 -0700
From: "George Ou" <george_ou@...architect.net>
To: "'Alexander Sotirov'" <asotirov@...ermina.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

Ok thanks.  I guess we need to add "steal data" to the list of things an
exploited IE7 session in Vista can do.  I never got to test that far because
DEP nuked my browser session.


George

-----Original Message-----
From: Alexander Sotirov [mailto:asotirov@...ermina.com] 
Sent: Monday, April 02, 2007 7:14 PM
To: George Ou
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

George Ou wrote:
> The exploited instance of IE7 probably spawns cmd.exe with the same
> privilege levels as IE7 in Protected Mode, which means you don't have
> read/write access to the user or system files.  It's still bad because you
> probably get to harvest all of the saved username/passwords in the browser
> and capture all input/output from that IE session.
> 
> Now in the case of an exploited Firefox 2, you have full read/write
> permissions to all of the user files which means you get to steal all the
> user files and/or encrypt them for ransom.

Protected Mode only blocks write access. IE can write only to a few
locations on
the system, but it still has full read access to all files readable by the
user.

See
http://msdn.microsoft.com/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp
and slides 41-53 in
http://download.microsoft.com/download/0/1/3/01381C25-72DA-4AA9-B792-43E02A2
43C71/SEC403_Riley.ppt

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists