lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041023001154.F23256@dekadens.coredump.cx>
Date: Sat, 23 Oct 2004 01:28:37 +0200 (CEST)
From: Michal Zalewski <lcamtuf@...ttot.org>
To: bugtraq@...urityfocus.com, full-disclosure@...sys.com,
   vulnwatch@...nwatch.org
Subject: Update: Web browsers - a mini-farce (MSIE gives in)


Firstly, a brief update on the status of reported sample vulnerabilities:

  - mozilla_die1.html: confirmed, fixed in snapshots (DoS most of the time)
  - mozilla_die2.html: confirmed, being worked on (likely exploitable)
  - opera_die1.html: confirmed, being worked on (likely exploitable)
  - lynx_die1.html: confirmed, independent fixes from OpenBSD team (DoS)
  - links_die1.html: no official confirmation, no data (DoS)

I have no data on whether any of the vendors bothered to run my scripts to
find any further problems that are bound to surface.

I have also received reports of crashes caused by mangeme.cgi with the
following browsers:

  - Safari / Konqueror (KHTML engine)
  - elvis
  - elinks (links engine)
  - w3m

Last but not least, MSIE gives in:

>   Only MSIE appears to be able to consistently handle [*] malformed
>   input well, suggesting this is the only program that underwent
>   rudimentary security QA testing with a similar fuzz utility.

To all those who considered my original post to be a great propaganda
ammunition for praising MSIE, bad news - although it did take a longer
while for it to give up - three hours - (impressive by comparison to
competitors), it eventually did:

  http://lcamtuf.coredump.cx/mangleme/gallery/ie_die1.html

Tested on 6.0.2800.1106, dies in mshtml.dll. This is a NULL pointer
dereference, so merely a DoS condition, but still an evident flaw in
basic HTML parsing.

******************************************************************
* This means that VIRTUALLY EVERY BROWSER IN USE TODAY is unable *
* to securely render HTML. Keeping in mind that not only web     *
* browsing, but also integrated e-mail is at risk, it is a grim  *
* thought.                                                       *
******************************************************************

Because I did not ask CERT or NIPC for patronage, did not get 20 CVE
numbers for each variant of each of the issues, nor do I have a
black-on-white webpage with stock graphics, this will likely not generate
any media splash, but I for one consider my findings to be far more
chilling that a wave of tabbed browsing URL spoofing flaws and similar
recent browser issues.

For those interested in doing some of my homework, I've updated the tool,
incorporating several minor changes to its semantics to make it somewhat
more powerful: download http://lcamtuf.coredump.cx/soft/mangleme.tgz for
version 1.2.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-10-23 00:11 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ