Message-ID: <402FB34B.2010002@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

Man ... those voices in my head... they keep screaming "DMCA"!

-KF

gta@...h.com wrote:

> I downloaded the Microsoft source code. Easy enough. It's a lot
> bigger than Linux, but there were a lot of people mirroring it and so
> it didn't take long.
>
> Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
> For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:
>
>     // Before we read the bits, seek to the correct location in the file
>     while (_bmfh.bfOffBits > (unsigned)cbRead)
>     {
>         BYTE abDummy[1024];
>         int cbSkip;
>
>         cbSkip = _bmfh.bfOffBits - cbRead;
>
>         if (cbSkip > 1024)
>             cbSkip = 1024;
>
>         if (!Read(abDummy, cbSkip))
>             goto Cleanup;
>
>         cbRead += cbSkip;
>     }
>
> .. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an
> offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
> and we're in. cbSkip goes negative and the Read call clobbers the
> stack with our data.
>
> See attached for proof of concept. index.html has [img src=1.bmp]
> where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
> Bring it up in IE5 (tested successfully on Win98) and get
> EIP=0x44332211.
>
> IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
> worm will have to wait a bit...
>
> .gta
> PROPS TO the Fort and HAVE IT BE YOU.
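An added example, not part of the quoted MSHTML code or of either post: it reproduces only the arithmetic of the quoted skip loop, so the sign error can be observed directly, and places a bounds-correct version beside it. The bfOffBits value 0xEEEEEEEE is the one named in the post; the function names and the simulated Read() check are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

#define SKIP_BUF 1024   /* size of the abDummy[] scratch buffer in the quoted loop */

/* Length the quoted loop hands to Read(): a signed int built from an
 * unsigned header field minus the running byte count. When bfOffBits is
 * at or above 2^31 the difference wraps negative on two's-complement
 * targets, and the "> 1024" clamp never fires for a negative value. */
int original_skip_len(uint32_t bfOffBits, int cbRead)
{
    int cbSkip = bfOffBits - cbRead;
    if (cbSkip > SKIP_BUF)
        cbSkip = SKIP_BUF;
    return cbSkip;
}

/* Hardened form: stay in unsigned arithmetic, bound the result explicitly,
 * and return 0 when there is nothing left to skip. A caller should still
 * reject bfOffBits larger than the file before entering the loop. */
uint32_t hardened_skip_len(uint32_t bfOffBits, uint32_t cbRead)
{
    if (bfOffBits <= cbRead)
        return 0;
    uint32_t remaining = bfOffBits - cbRead;
    return remaining > SKIP_BUF ? SKIP_BUF : remaining;
}

/* Simulated Read() guard: accepts only requests that fit the buffer, which
 * is the check the quoted code relied on cbSkip to provide. */
bool sim_read_fits(int cbSkip)
{
    return cbSkip >= 0 && (unsigned)cbSkip <= SKIP_BUF;
}

int main(void)
{
    uint32_t off = 0xEEEEEEEEu;   /* value from the post */
    int v = original_skip_len(off, 0);
    printf("original: cbSkip=%d fits=%d\n", v, sim_read_fits(v));
    printf("hardened: cbSkip=%u\n", hardened_skip_len(off, 0));
    return 0;
}
```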