lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <b879818c0701031006l4cc88986v22fbcfd8756c4ff2@mail.gmail.com>
Date: Wed, 3 Jan 2007 19:06:08 +0100
From: "chinese soup" <noodle.mastah@...il.com>
To: bugtraq@...urityfocus.com
Cc: sapheal@...k.pl, 3APA3A <3APA3A@...urity.nnov.ru>
Subject: Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution

*/me joining the bandwagon because... well, because it's fun and i'm an a-hole*

*clears throat*

Dear sapheal,

"Unhandled exception at 0x01003468 in MC.EXE: 0xC0000005:
shp> Access violation reading location 0x41414141."

Unfortunately, every access violation you get does NOT mean it is
exploitable and "critical security vulnerability ". This one just says
"Access violation reading location...".

Now you have to ask yourself:
"How do I gain control of this program?"
"Can I do it via this Access violation error?"
"How can I use this to own my girlfriend's box so I can check her email?"
"Do I look uber-cool by having the words "critical", "vulnerability"
and "Windows" in one message?" <-- not if you have the words "might",
"be" and "possible" with no supporting facts.

3APA3A said it best, "In  order  to call some bug "critical security
vulnerability", you must show critical security impact from this
vulnerability."

just-joing-in-the-fun-even-though-not-everyone-appreciates-it,

"Tao of Noodle Making: sweat means no need for salt"

On 1/3/07, 3APA3A <3APA3A@...urity.nnov.ru> wrote:
> Dear sapheal@...k.pl and all,
>
>  In  order  to call some bug "critical security vulnerability", you must
>  show critical security impact from this vulnerability.
>
>  For   local   vulnerability   security   impact  is  usually  privilege
>  escalation.  That  is, local unprivileged user should be able to obtain
>  privileges of another user or system account by exploiting this bug.
>
>  Under  Unix,  local  vulnerabilities are usually because of the bugs in
>  some  suid application. Under Windows there is no suid applications. To
>  escalate  privileges  you  must  exploit  vulnerability  in some system
>  component  or  service.  mc.exe  is  not  service  and  is  not  system
>  component.
>
>  I  can't  say  there  is no security impact from this bug at all. As an
>  example,  you can execute malware code in context of signed application
>  and  bypass  some  policy.  But  it's definitely not "critical security
>  vulnerability".
>
>  Sorry for this short lecture.
>
>
> --Tuesday, January 2, 2007, 10:06:30 PM, you wrote to bugtraq@...urityfocus.com:
>
> shp> Synopsis: Windows NT Message Compiler 1.00.5239 arbitrary code execution
> shp> Product:   Microsoft Windows XP
>
>
>
> shp> Issue:
> shp> ======
>
> shp> A critical security vulnerability has been found in Windows NT Message Compiler.
> shp> Arbitrary code execution might be possible (local exploitation possible only).
>
>
> shp> Details:
> shp> ========
> shp> MC (Windows NT Message Compiler) when provided a MC-filename longer than
> shp> requested crashed due to memory corruption. Memory corruption conditions
> shp> might allow the attacker to escalate privilleges.
>
> shp> When overwriting the buffer with "A" (0x41):
>
> shp> Unhandled exception at 0x01003468 in MC.EXE: 0xC0000005:
> shp> Access violation reading location 0x41414141.
> shp> First-chance exception at 0x01003468 in MC.EXE: 0xC0000005:
> shp> Access violation reading location 0x41414141.
>
>
> shp> Affected Versions
> shp> =================
> shp> Microsoft (R) Message Compiler Version 1.00.5239
>
>
> shp> Solution
> shp> =========
>
> shp> Proper bounds-checking.
>
>
> shp> Kind regards,
>
> shp> Michal Bucko (sapheal)
> shp> hack.pl
>
>
>
>
>
>
>
> --
> ~/ZARAZA
> http://www.security.nnov.ru/
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ