lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8B32EDC90D8F4E4AB40918883281874D274036@pivxwin2k1.secnet.pivx.com>
Date: Mon, 16 Feb 2004 12:27:13 -0800
From: <tlarholm@...x.com>
To: <ccarboni@...rty.com>, <bugtraq@...urityfocus.com>
Subject: RE: Exploit based on leaked code released.


I can verify that the attached Proof of Concept bitmap produced a DoS on
several IE versions, including

IE5.01 SP1 5.00.2614.3500 on Windows 2000 Pro SP2
IE5.01 SP1 5.00.2920.0000 on Windows 2000 Pro SP2
IE5.01 SP2 5.00.3315.1000 on Windows 2000 Pro SP2

The latter configuration is still supported by Microsoft and gave a blue
screen.

http://support.microsoft.com/default.aspx?scid=fh;%5Bln%5D;LifeWin

The Product Life Cycle Dates lists IE5.01SP2 on Windows 2000 SP2 as
being supported until June 30, 2004.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net> 

-----Original Message-----
From: Christopher Carboni [mailto:ccarboni@...rty.com] 
Sent: Monday, February 16, 2004 6:39 AM
To: bugtraq@...urityfocus.com
Subject: Exploit based on leaked code released.




>From securitytracker  
>http://www.securitytracker.com/alerts/2004/Feb/1009067.html

Microsoft Internet Explorer Integer Overflow in Processing Bitmap Files
Lets Remote Users Execute Arbitrary Code 
 
SecurityTracker Alert ID:  1009067  
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)  
Date:  Feb 15 2004 
 
Impact:  Execution of arbitrary code via network, User access via
network
 
Exploit Included:  Yes   
 
Version(s): 5 (6 is reportedly not vulnerable) 
 
Description:  A vulnerability was reported in Microsoft Internet
Explorer (IE) version 5. A remote user can execute arbitrary code on the
target system. 

It is reported that a remote user can create a specially crafted bitmap
file that, when loaded by IE, will trigger an integer overflow and
execute arbitrary code.

The author states that this flaw was found by reviewing the recently
leaked Microsoft Windows source code. The flaw reportedly resides in
'win2k/private/inet/mshtml/src/site/download/imgbmp.cxx'.

The report indicates that IE 5 is affected but that IE 6 is not
affected.

A demonstration exploit is provided in the Source Message [it is Base64
encoded]. 
 
Impact:  A remote user can cause arbitrary code to be executed on the
target user's computer when the target user's browser loads a specially
crafted bitmap file. The code will run with the privileges of the target
user.
 
Solution:  No solution was available at the time of this entry.
 
Vendor URL:  www.microsoft.com/technet/security/ (Links to External
Site) 
 
Cause:  Boundary error 
 
Underlying OS:  Windows (Any)
 
Reported By:  <gta@...h.com>
 
Message History:   None. 
 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ