lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ef867e560603181519w3735e4a6w@mail.gmail.com>
Date: Sat, 18 Mar 2006 19:19:27 -0400
From: "Manuel Moreno Leiva" <morenoleiva@...il.com>
To: "Michal Zalewski" <lcamtuf@...ne.ids.pl>
Cc: full-disclosure@...ts.grok.org.uk, vulnwatch@...nwatch.org,
	bugtraq@...urityfocus.com
Subject: Re: Remote overflow in MSIE script action
	handlers (mshtml.dll)


great exploit.. works fine in my workstation
i have WinXp Sp2 IE 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
you have a exploit usable for this?

Best Regards

Manuel Moreno
AsesoriaPC
Stgo,Chile

2006/3/16, Michal Zalewski <lcamtuf@...ne.ids.pl>:
> Good morning,
>
> This might not come as a surprise, but there appears to be a *very*
> interesting and apparently very much exploitable overflow in Microsoft
> Internet Explorer (mshtml.dll).
>
> This vulnerability can be triggered by specifying more than a couple
> thousand script action handlers (such as onLoad, onMouseMove, etc) for any
> single HTML tag. Due to a programming error, MSIE will then attempt to
> write memory array out of bounds, at an offset corresponding to the ID of
> the script action handler multiplied by 4 (due to 32-bit address clipping,
> the result is a small positive integer).
>
> The list of IDs can be found on the Web, and is as follows (values in
> parentheses = resulting offsets):
>
>  onhelp = 0x8001177d (+0x45df4)
>  onclick = 0x80011778 (+0x45de0)
>  ondblclick = 0x80011779 (+0x45de4)
>  onkeyup = 0x80011776 (+0x45dd8)
>  onkeydown = 0x80011775 (+0x45dd4)
>  onkeypress = 0x80011777 (+0x45ddc)
>  onmouseup = 0x80011773 (+0x45dcc)
>  onmousedown = 0x80011772 (+0x45dc8)
>  onmousemove = 0x80011774 (+0x45dd0)
>  onmouseout = 0x80011771 (+0x45dc4)
>  onmouseover = 0x80011770 (+0x45dc0)
>  onreadystatechange = 0x80011789 (+0x45e24)
>  onafterupdate = 0x80011786 (+0x45e18)
>  onrowexit = 0x80011782 (+0x45e08)
>  onrowenter = 0x80011783 (+0x45e0c)
>  ondragstart = 0x80011793 (+0x45e4c)
>  onselectstart = 0x80011795 (+0x45e54)
>
> What happens next depends on the structure of the page in which the
> malicious tag is embedded, as well as previously visited page and
> previously initialized extensions (all these factors can be controlled by
> the attacker).
>
> When the offending page contains no additional elements, and the user is
> not redirected from elsewhere, the browser will typically crash
> immediately, because there is no allocated memory at the resulting offset.
> In all other cases, crashes will typically occur later, due to attempted
> use of unrelated but corrupted in-memory buffers -for example, when the
> user attempts to leave or reload the page. Another good example is coming
> from a page that contains Macromedia Flash - this usually causes the Flash
> plugin itself to choke on corrupted memory on cleanup.
>
> For non-believers, there's a short but fiery demonstration page available
> at http://lcamtuf.coredump.cx/iedie.html (yes, it will probably crash your
> browser).
>
> Tested on MSIE 6.0.2900.2180.xpsp2.040806-1825 on Windows XP SP2. As far
> as I can tell, other browser makes (Firefox, Opera) are not susceptible to
> this attack.
>
> I eagerly await due reprimend from Microsoft for not disclosing this
> vulnerability in a manner that benefits them most, not passing start, not
> collecting $200 (from iDefense?).
>
> Regards,
> /mz
> http://lcamtuf.coredump.cx/silence/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ