[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0603162307290.5180@dione>
Date: Thu, 16 Mar 2006 23:12:56 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: Master Phoxpherus <phoxpherus@...mail.co.uk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Remote overflow in MSIE script action handlers (mshtml.dll)
On Thu, 16 Mar 2006, Master Phoxpherus wrote:
> Hmm. I'm running a Windows 98 SE box and just tried what you said.
> Didn't effect me "instantly" or after a time period. You sure you're not
> just seeing shit? :P
Yes, and a number of people have confirmed this problem thus far
(including the author of the initial reply to my post). I did not test it
on Windows 98, however, and I cannot (nor want to) comment on its memory
management antics.
> Plus, keeping it real, there's a fair difference between a BoF that you
> can perform easily remotely, and a BoF you have to talk people into.
> "Hey, dude... can you just type <command> and if it don't work, hit
> refresh a few times?" ... can you see it?
Yes, I can. The instructions I provided are *not* a prerequisite to
overwrite memory. They're merely a recommendation to make the PoC reliably
crash your browser, should you want to confirm the problem independently
without much research.
I have all reasons to believe that this problem *is* exploitable without
having to talk anyone into it - having mshtml.dll render a specially
crafted webpage or a sequence of meta-refresh webpages is very much
sufficient.
/mz
Powered by blists - more mailing lists