lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 8 Apr 2007 15:43:18 -0400
From: wac <waldoalvarez00@...il.com>
To: "Michal Majchrowicz" <m.majchrowicz@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

Hello:

Firefox 2.0.0.3 (at least in windows) *seems to be vulnerable*. I don't
remember exactly what it did but it behaved in a strange way I believe some
file handle was left open and had to kill it the hard way. I don't know what
they say in the docs but if it ends up calling the user32 function and
that's all it takes to trigger the bug. I was taking a peek at it's import
tables and It imports from User32 the function LoadCursorA maybe that could
be the guilty one.

anyway test here and see what happens (that link is from dev code)

http://sicotik.com/ink/test.html

I'm not vulnerable anymore since quite some time ;) and I don't have much
time to test right now

Regards
Waldo

On 4/8/07, Michal Majchrowicz <m.majchrowicz@...il.com> wrote:
>
> Hi.
> There are more and more reports about FF and ani vulnerability.
> There was already a presentation of working exploit.
> The thing starts to annoy me and since I am far away from any windows
> I wanted to share some of my speculations.
> According to docs two things are obvious:
> 1) Firefox doesn't support ANI cursors
> 2) ANI is just few cur cursors packed together and presented as an
> animation.
> So i have three possible ways of exploiting it:
> 1) Since ANI files are vulnerable then maybe cur files are also
> vulnerable. Firefox does support CUR files.
> 2) If firefox doesn't support ANI files it only means it doesn't
> render them. It doesn't mean it will not acept them in any way:)
> 3) Maybe it is possible to rename foo.ani and rename it to foo.cur.
> Then FF will call win api with this cursor. Windows API will recognize
> this as ANI file and call vulnerable function .
> As I said before these are just speculation. I hope someone will be
> able to confirm or prove that some of them (or all) have no sense.
> Happy Easter to everyone.
> Regards Michal.
>
> On 4/4/07, Peter Ferrie <pferrie@...antec.com> wrote:
> > >That's correct, Firefox doesn't support ANI files for cursors.
> >
> > Right, and it doesn't need to, because cursors are not the only way to
> reach the vulnerable code.
> > Icons can do it, too.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ