lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <12E557CB77632E4B8ECFD605C518C12B3DA318@dm-mail.dm.local>
Date: Fri, 17 Sep 2004 09:53:12 +0100
From: "Cassidy Macfarlane" <cmacfarlane@...mmond-Miller.co.uk>
To: "GulfTech Security" <security@...ftech.org>,
	<bugtraq@...urityfocus.com>
Subject: RE: JPEG Processing BOF Proof Of Concept


That was me.  Nearly two years ago to the week :)

http://www.securityfocus.com/archive/82/290856

/snip
-----Original Message-----
From: cassidy macfarlane
Sent: Friday, September 06, 2002 7:57 AM
To: vuln-dev securityfocus com
Subject: old netscape vuln - affecting XP/explorer?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




Hi
I posted this to bugtraq, but was advised to post here..

I d/loaded the old 'crash-netscape.jpg' from secfocus (id 1503,
http://online.securityfocus.com/data/vulnerabilities/exploits/crash-nets
cape.jpg )
Sorry if it wraps

intending to have a play with Mozilla ;).  I stuck it into my cygwin
dir on my local HD.

When I browse to this folder using explorer (***Tiles view***), 
I get an explorer restart. (all open explorer windows close, but apps
persist)

/snip
Faulting application explorer.exe, version 6.0.2600.0, faulting
module ntdll.dll, version 5.1.2600.0, fault address 0x00003812.

0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 65 78 70   ure  exp
0018: 6c 6f 72 65 72 2e 65 78   lorer.ex
0020: 65 20 36 2e 30 2e 32 36   e 6.0.26
0028: 30 30 2e 30 20 69 6e 20   00.0 in 
0030: 6e 74 64 6c 6c 2e 64 6c   ntdll.dl
0038: 6c 20 35 2e 31 2e 32 36   l 5.1.26
0040: 30 30 2e 30 20 61 74 20   00.0 at 
0048: 6f 66 66 73 65 74 20 30   offset 0
0050: 30 30 30 33 38 31 32 0d   0003812.
0058: 0a                        .       

/end snip

I'm running XP Pro, all hotfixes (apart from todays....MS02-049 and
MS02-050...yawn)

Does anyone else get the same?  
Is this exploitable? - I get the same address (0x0003812) every
time...is this adjustable with the header/etc in the dodgy .jpg?

TIA, and apologies if this is known or a misconfiguration.


Cassidy Macfarlane
Group IT
www.tenongroup.com

PGP fingerprint: 31A2 1A52 6CB9 E91C 27D8  9C5C FC40 4FD7 5E96 E1A4


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPXiXUvxAT9deluGkEQIuewCgzZPslfiGX/EbwH3SEPXw2k5MHxsAoIMv
WyrI7Lv3qUtHxGtfbboxOkJB
=sXVg
-----END PGP SIGNATURE-----

/end snip

-----Original Message-----
From: GulfTech Security [mailto:security@...ftech.org] 
Sent: 16 September 2004 18:53
To: bugtraq@...urityfocus.com
Subject: JPEG Processing BOF Proof Of Concept


About a year ago I came across this same issue. I came across it while
messing with Solar Designer's old Netscape JPEG bug. So, in short the
same
issue applies to WinXP it seems. I showed the bug to a few people (even
contacted Microsoft, but got no reply), but neither them nor myself ever
got
around to figuring it out. Nick DeBaggis and eEye did a good job of
figuring
this very dangerous issue out :)

Anyway, the point to this post is to release the POC I just put together
using the findings that I have been sitting on for quite some time. As I
said before, I never fully understood exactly what was going on, so this
POC
doesn't execute code or anything, but it will crash any WindowsXP
machine
that has not been patched from this flaw.

If you cannot access the attached file, you may download the POC here

http://www.gulftech.org/?node=downloads

BTW: There was a BugTraq (or some other sec mailing list) post from over
a
year ago that talks about the Netscape JPEG issue crashing the WindowsXP
Shell. I remember seeing them when I first started looking into this
issue,
but do not have links right off hand. Maybe someone else reading this
does?


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ