lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <LPBBLDGNEFOGMGAEHJPBKENBDHAA.security@greymagic.com>
Date: Wed, 8 Oct 2003 18:46:54 +0200
From: "GreyMagic Software" <security@...ymagic.com>
To: "Bugtraq" <bugtraq@...urityfocus.com>,
	"Mindwarper *" <mindwarper@...uxmail.org>
Subject: RE: IE 6 XML Patch Bypass
>seems that even with the new Microsoft patch applied, the
>vulnerability works.

There is no reason for it not to work. MS03-040 doesn't claim to offer a
patch for ADODB.Stream or "file:javascript" vulnerabilities. It offers a
patch to the variation of the application/hta content-type header in object
elements, publicly disclosed by http-equiv.

This could have been easily determined by reading the bulletin properly.

>I have recently been playing around with the xml+windows media
>player exploit

This is NOT a vulnerability in WMP or MSXML; they are simply used as tools
in this attack.

MSXML is used here to create and pass along a SAFEARRAY and WMP is used to
run an executable once its protocol handler has been replaced by the real
vulnerability used here. That vulnerability is Jelmer's ADODB.Stream
vulnerability, which happens to be utilized via Liu's "file:javascript"
vulnerability, in conjunction with another vulnerability to allow a "res://"
URL to open (also by Jelmer).