Date: Sat, 18 Mar 2006 11:07:33 -0000
From: <c0redump@...ers.org.uk>
To: <bugtraq@...urityfocus.com>
Subject: Re: Remote overflow in MSIE script action handlers (mshtml.dll)


Just to add to this again before we get sick of going on about it.

Some people have been reporting different things, namely that you must only 
have one IE window open so that the other buffers cannot "absorb" the 
attack.  However,

Test 1:
No IE windows open, clicked on exploit link, launches IE - sometimes just 
closes with no error, sometimes " The instruction at '0x7d525dcd' referenced 
memory at '0x00009506'.  The memory could not be 'read' " came up.

Test 2:
One IE window open already, opened up second one on exploit link - only 
second window died.  Same with two windows open already, three and so on; 
just the actual IE window that is rendering the mshtml.dll exploit dies.

Obviously it's not sharing memory between the different instances of IE.

As I said before, Win XP SP2, all the lovely patches. (IE 
6.0.2900.2180.xpsp_sp2_gdr.050301-1519)

c0redump
#hacktech @ undernet

----- Original Message ----- 
From: Master Phoxpherus
To: lcamtuf@...ne.ids.pl
Cc: bugtraq@...urityfocus.com
Sent: Thursday, March 16, 2006 10:05 PM
Subject: Re: Remote overflow in MSIE script action handlers (mshtml.dll)


Hmm. I'm running a Windows 98 SE box and just tried what you said. Didn't
affect me "instantly" or after a time period. You sure you're not just
seeing shit? :P

Plus, keeping it real, there's a fair difference between a BoF that you can
perform easily remotely, and a BoF you have to talk people into. "Hey,
dude... can you just type <command> and if it don't work, hit refresh a few
times?" ... can you see it?

>On Thu, 16 Mar 2006, Daniel Bonekeeper wrote:
>
> > BTW, tested the POC on MSIE (File Version = 6.00.2900.2180
> > (xpsp_sp2_rtm.040803-2158)) with mshtml.dll (6.00.2900.2802
> > (xpsp_sp2_gdr.051123-1230)) and it didn't work.
>
>Daniel followed up with me in private and confirmed that the PoC *did*
>work for him when he followed certain additional instructions: because the
>attack depends on memory layout and usage, to get consistent results, be
>sure to close *all* MSIE windows, then go to Start -> Run... and type:
>
>   iexplore http://lcamtuf.coredump.cx/iedie.html
>
>That should crash the browser immediately, because there are no other
>buffers nearby to "absorb" the initial fencepost. Still, if no dice, try
>hitting 'Reload' a couple of times.
>
>/mz
