lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8B32EDC90D8F4E4AB40918883281874D523E12@pivxwin2k1.secnet.pivx.com>
Date: Tue, 15 Jun 2004 10:02:28 -0700
From: "Thor Larholm" <thor@...x.com>
To: "Berend-Jan Wever" <SkyLined@...p.tudelft.nl>,
   <full-disclosure@...ts.netsys.com>, <vulnwatch@...nwatch.org>
Cc: <bugtraq@...urityfocus.com>, <ntbugtraq@...tserv.ntbugtraq.com>
Subject: RE: Internet Explorer Remote Null Pointer Crash(mshtml.dll)


Manually right-clicking and selecting "Save target as" invokes the
download functionality. This can also be automatically triggered by
redirecting with a META tag to a server script that sets Content-Type
and Content-Disposition headers to an unknown MIME-type which causes the
"Open/Save As" dialog box to be triggered during which time IE
automatically tries to initiate the download and create the appropriate
files in the TIF (Temporary Internet Files), just like the "Save target
as" functionality does.

IE automatically initiates the download of any file with an unknown
MIME-type and starts storing this file in the TIF, before the user has
selected whether to Open, Save or Cancel the download. If the user
cancels, the file is deleted. This has already been used to plant
arbitrary files in predictable locations and leads to a race condition
where you can cross the security zone boundaries using other
vulnerabilities in the timeframe between the download is forcefully
initiated to the time where the user cancels the download. 


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>

-----Original Message-----
From: Berend-Jan Wever [mailto:SkyLined@...p.tudelft.nl] 
Sent: Monday, June 14, 2004 6:34 PM
To: full-disclosure@...ts.netsys.com; vulnwatch@...nwatch.org
Subject: Re: [Full-Disclosure] Internet Explorer Remote Null Pointer
Crash(mshtml.dll)


Doesn't look like a null pointer to me, especially since it crashes
while reading 800c0005... I think it's a format string vulnerability,
causing ntdll.RtlFormatMessage to call ntdll._snwprintf with your href.
Might be exploitable, I'll have a look...

Cheers,
SkyLined
----- Original Message ----- 
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: "vulnwatch" <vulnwatch@...nwatch.org>
Sent: Monday, June 14, 2004 23:20
Subject: [Full-Disclosure] Internet Explorer Remote Null Pointer
Crash(mshtml.dll)


> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> Application:      Internet Explorer
> Vendors:           http://www.microsoft.com
> Versions:          6.0.2800.1106.xpclnt_qfe.021108-2107
> Patched With:  SP1;Q832894;Q330994;Q837009;Q831167;
> ModName:       mshtml.dll
> ModVer:           6.0.2734.1600
> Platforms:        Windows
> Bug:                  Remote/Local Null Pointer Crash
> Exploitation:    Remote with browser
> Date:                14 Jun 2004
> Author:             Rafel Ivgi, The-Insider
> e-mail:              the_insider@...l.com
> web:                 http://theinsider.deep-ice.com
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> 1) Introduction
> 2) Bugs
> 3) The Code
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> ===============
> 1) Introduction
> ===============
>
> Internet Explorer is currently the most common internet browser in the

> world. It comes by default with every windows operating system. 
> Therefore any vulnerability
> concerning it is an highly important issue.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> ======
> 2) Bug
> ======
>
> Upon clicking "Save As" on a link with double colon --> "::" and
> a left curly bracket --> "{"
> then
> Internet Explorer Will Crash.
>
> AppName: iexplore.exe  AppVer: 6.0.2600.0  ModName: ntdll.dll
> ModVer: 5.1.2600.114  Offset: 00056074
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> ===========
> 3) The Code
> ===========
>
> Paste into an htm/html file:
> <center><a href=::%7b>Right  Click aOn Me And Click "Save Target 
> As"</a>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> ---
> Rafel Ivgi, The-Insider
> http://theinsider.deep-ice.com
>
> "Scripts and Codes will make me D.O.S , but they will never HACK me."
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ