lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <402FB34B.2010002@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: GAYER THAN AIDS ADVISORY #01: IE 5 remote code
 execution

Man ... those voices in my head... they keep screaming "DMCA"!
-KF

gta@...h.com wrote:
> I downloaded the Microsoft source code.  Easy enough.  It's a lot
> bigger than Linux, but there were a lot of people mirroring it and so
> it didn't take long.
> 
> Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
> For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:
> 
>     // Before we read the bits, seek to the correct location in the file
>     while (_bmfh.bfOffBits > (unsigned)cbRead)
>     {
>         BYTE abDummy[1024];
>         int cbSkip;
> 
>         cbSkip = _bmfh.bfOffBits - cbRead;
>         
>         if (cbSkip > 1024)
>             cbSkip = 1024;
> 
>         if (!Read(abDummy, cbSkip))
>             goto Cleanup;
>             
>         cbRead += cbSkip;
>     }
> 
> .. Rrrrriiiiggghhhttt.  Way to go, using a signed integer for an
> offset.  Now all we have to do is create a BMP with bfOffBits > 2^31,
> 
> and we're in. cbSkip goes negative and the Read call clobbers the
> stack with our data.
> 
> See attached for proof of concept.  index.html has [img src=1.bmp]
> where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
> Bring it up in IE5 (tested successfully on Win98) and get
> EIP=0x44332211.
> 
> IE6 is not vulnerable, so I guess I'll get back to work.  My Warhol
> worm will have to wait a bit...
> 
> .gta
> PROPS TO the Fort and HAVE IT BE YOU.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> 
>   Hello
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ