lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <43bb0458.6a403aa8.278b.ffffbe43@mx.gmail.com>
Date: Tue, 3 Jan 2006 18:10:16 -0500
From: "Paul" <pvnick@...il.com>
To: "'InfoSecBOFH'" <infosecbofh@...il.com>,
	"'Stan Bubrouski'" <stan.bubrouski@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: RE: Buffer Overflow vulnerability in WindowsDisplay
	Manager [Suspected]


I can repro this on Windows XP Pro with IE7. However, it does not appear to
be exploitable. Internet explorer terminates after attempting to execute the
following statement:

034ED914   8C82 60770100    MOV WORD PTR DS:[EDX+17760],ES
EDX=0

So it's a null pointer bug.

Regards,
Paul
Greyhats Security 
 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of InfoSecBOFH
Sent: Monday, January 02, 2006 1:54 PM
To: Stan Bubrouski
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
WindowsDisplay Manager [Suspected]

Crash dump would be nice too.

I have seen this once before but had issues replicating it with other
display drivers.

On 1/2/06, Stan Bubrouski <stan.bubrouski@...il.com> wrote:
> Well if you look at the fact there is no title on titlebar and the
> fact the active tab is Untitled, I'd hazard to guess its something he
> manually entered into the address bar, and so we don't even know if
> this is exploitable by clicking a link or whatnot.
>
> Not exactly sure why this was posted if no details are provided.
> Anything else for us Sumit?
>
> -sb
>
> On 1/2/06, Lise Moorveld <lise_moorveld@...oo.com> wrote:
> > Dear Sumit,
> >
> > Could you tell me how you exploited this buffer
> > overflow issue in Firefox so I can try and reproduce
> > it? I notice a lot of A's in your address bar but I'm
> > not sure whether that's it and if so, how many A's are
> > used.
> >
> > Regards,
> >
> > Lise
> >
> > --- Sumit Siddharth <sumit.siddharth@...il.com> wrote:
> >
> > > Hi,
> > > The Windows display manager crashes when a BOF is
> > > attempted on a mozilla
> > > firefox.
> > > This has different results on different windows
> > > machine.
> > > In Windows XP only the display manager crashes ,
> > > whereas on a Windows 2000
> > > server the BSOD(Blue screen of death )appears and
> > > the system hangs.
> > > I am using Firefox 1.0.6. I think that the bug is in
> > > the display driver and
> > > not with firefox. Kindly find a screen shot attached
> > > with this email.
> > >
> > > Thanks
> > > Sumit
> > >
> > >
> > > --
> > >
> > > Sumit Siddharth
> > > Information Security Analyst
> > > NII Consulting
> > > Web: www.nii.co.in
> > > ------------------------------------
> > > NII Security Advisories
> > > http://www.nii.co.in/resources/advisories.html
> > > ------------------------------------
> > > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> > >
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia -
> > http://secunia.com/
> >
> >
> >
> >
> > __________________________________________
> > Yahoo! DSL – Something to write home about.
> > Just $16.99/mo. or less.
> > dsl.yahoo.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.9/217 - Release Date: 12/30/2005
 
  

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.11/219 - Release Date: 1/2/2006
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ