lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <402FC011.8000302@snosoft.com> From: dotslash at snosoft.com (KF) Subject: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Btw this does nothing to the IE on Win2k Version: 5.00.3700.1040, Update Versions: SP4;Q824145:Q832894 -KF KF wrote: > Man ... those voices in my head... they keep screaming "DMCA"! > -KF > > gta@...h.com wrote: > >> I downloaded the Microsoft source code. Easy enough. It's a lot >> bigger than Linux, but there were a lot of people mirroring it and so >> it didn't take long. >> >> Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS. >> For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx: >> >> // Before we read the bits, seek to the correct location in the file >> while (_bmfh.bfOffBits > (unsigned)cbRead) >> { >> BYTE abDummy[1024]; >> int cbSkip; >> >> cbSkip = _bmfh.bfOffBits - cbRead; >> if (cbSkip > 1024) >> cbSkip = 1024; >> >> if (!Read(abDummy, cbSkip)) >> goto Cleanup; >> cbRead += cbSkip; >> } >> >> .. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an >> offset. Now all we have to do is create a BMP with bfOffBits > 2^31, >> >> and we're in. cbSkip goes negative and the Read call clobbers the >> stack with our data. >> >> See attached for proof of concept. index.html has [img src=1.bmp] >> where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211. >> Bring it up in IE5 (tested successfully on Win98) and get >> EIP=0x44332211. >> >> IE6 is not vulnerable, so I guess I'll get back to work. My Warhol >> worm will have to wait a bit... >> >> .gta >> PROPS TO the Fort and HAVE IT BE YOU. >> >> >> >> ------------------------------------------------------------------------ >> >> >> Hello >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists