lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: jkuperus at planet.nl (jelmer)
Subject: RE:Internet explorer 6 on windows XP allows
 exection of arbitrary code ( and opera and Mozilla too)

serious ? these if I understand correctly merely crash your browser nothing
perticularly serious about that.

Granted no browser will be without flaws so there is  probably heaps of
stuff to be found in mozilla aswell, but remote code execution??
I dont believe there has been a single flaw in netscape or mozilla that
allowed you to execute code simply by putting together some javascript
(you can correct me on this) even when it was the dominant browser and
legendary guys like george guninski roamed the streets.
Sure it will probably have stuff like overflows, nearly everything does

but particularly ActiveX is just utterly insane and makes you want to bang
your head against a brick wall screaming what the hell where they thinking


----- Original Message ----- 
From: "meme-boi" <meme-boi@...hotmail.org>
To: <full-disclosure@...ts.netsys.com>
Sent: Friday, September 12, 2003 2:33 AM
Subject: [Full-Disclosure] RE:Internet explorer 6 on windows XP allows
exection of arbitrary code ( and opera and Mozilla too)


> >WORKAROUND :
>
> >Disable active scripting or do "the sensible thing" and pick another
> >>browser such as the>excellent mozilla firebird.
>
> Mozilla ...
>
> <script language="Javascript">
> t = new Packages.sun.plugin.javascript.navig5.JSObject(1,1);
> </script>
>
>
>
> hmmm
>
> or
>
> http://drorshalev.brinkster.net/dev/memeboi/werd.html
>
> Both serious issues mozilla has yet to fix.
>
>
> Or we can look at Opera and conclude that no graphical browser is safe:
>
>
> /usr/bin/opera: line 138:  1289 Segmentation fault
> "${BINARYDIR}/opera" "${@}"
> "${BINARYDIR}/opera" "${@}"
> (gdb) /opt/opera/lib/opera/plugins/operamotifwrapper: error while loading
> shared libraries: libXm.so.2: cannot open shared object file: No such file
> or directory
> (gdb) backtrace
> #0  0x21ad4397 in waitpid () from /lib/libc.so.6
> #1  0x080777f6 in kill_pid ()
> #2  0x080767a3 in wait_for ()
> #3  0x080687c6 in execute_command_internal ()
> #4  0x0806c0a7 in execute_command ()
> #5  0x0805d48c in reader_loop ()   <---murder loop
> #6  0x0805b8a0 in main ()
> #7  0x21a407a6 in __libc_start_main () from /lib/libc.so.6 <--redrum lib
> (gdb) info reg
> eax            0xfffffe00       -512
> ecx            0x5da26398       1570923416
> edx            0x0      0
> ebx            0xffffffff       -1
> esp            0x5da2635c       0x5da2635c
> ebp            0x5da26378       0x5da26378
> esi            0x0      0
> edi            0xffffffff       -1
> eip            0x21ad4397       0x21ad4397
> eflags         0x246    582
> cs             0x23     35
> ss             0x2b     43
> ds             0x2b     43
> es             0x2b     43
> fs             0x0      0
> gs             0x0      0
> fctrl          0x37f    895
> fstat          0x0      0
> ftag           0xffff   65535
> fiseg          0x0      0
> fioff          0x0      0
> foseg          0x0      0
> fooff          0x0      0
> fop            0x0      0
> mxcsr          0x0      0
> orig_eax       0x72     114
>
> (gdb) disass $eip-0x20 $eip+0x20
> Dump of assembler code from 0x21ad4377 to 0x21ad43b7:
> 0x21ad4377 <waitpid+23>:        mov    $0x7,%dh
> 0x21ad4379 <waitpid+25>:        add    %cl,0x2b88b3(%ebx)
> 0x21ad437f <waitpid+31>:        add    %cl,0xf685087d(%ebx)
> 0x21ad4385 <waitpid+37>:        jne    0x21ad43be <waitpid+94>
> 0x21ad4387 <waitpid+39>:        mov    0xc(%ebp),%ecx
> 0x21ad438a <waitpid+42>:        mov    0x10(%ebp),%edx
> 0x21ad438d <waitpid+45>:        push   %ebx
> 0x21ad438e <waitpid+46>:        mov    %edi,%ebx
> 0x21ad4390 <waitpid+48>:        mov    $0x72,%eax
> 0x21ad4395 <waitpid+53>:        int    $0x80
> 0x21ad4397 <waitpid+55>:        pop    %ebx
> 0x21ad4398 <waitpid+56>:        cmp    $0xfffff000,%eax
> 0x21ad439d <waitpid+61>:        mov    %eax,%esi
> 0x21ad439f <waitpid+63>:        ja     0x21ad43ae <waitpid+78>
> 0x21ad43a1 <waitpid+65>:        mov    %esi,%eax
> 0x21ad43a3 <waitpid+67>:        mov    0xfffffff4(%ebp),%ebx
> 0x21ad43a6 <waitpid+70>:        mov    0xfffffff8(%ebp),%esi
> 0x21ad43a9 <waitpid+73>:        mov    0xfffffffc(%ebp),%edi
> 0x21ad43ac <waitpid+76>:        leave
> 0x21ad43ad <waitpid+77>:        ret
> 0x21ad43ae <waitpid+78>:        neg    %esi
> 0x21ad43b0 <waitpid+80>:        call   0x21a40980 <__errno_location>
> 0x21ad43b5 <waitpid+85>:        mov    %esi,(%eax)
>
>
> Time to revert to command line !
>
> I speak about this on the mighty bugtraq but noone listen. not even friend
> 9or.
> Anyways. I have to go clean the floor at walmart.
>
> ninjas are bad
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ