[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <402FC011.8000302@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: GAYER THAN AIDS ADVISORY #01: IE 5 remote code
execution
Btw this does nothing to the IE on Win2k Version: 5.00.3700.1040,
Update Versions: SP4;Q824145:Q832894
-KF
KF wrote:
> Man ... those voices in my head... they keep screaming "DMCA"!
> -KF
>
> gta@...h.com wrote:
>
>> I downloaded the Microsoft source code. Easy enough. It's a lot
>> bigger than Linux, but there were a lot of people mirroring it and so
>> it didn't take long.
>>
>> Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
>> For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:
>>
>> // Before we read the bits, seek to the correct location in the file
>> while (_bmfh.bfOffBits > (unsigned)cbRead)
>> {
>> BYTE abDummy[1024];
>> int cbSkip;
>>
>> cbSkip = _bmfh.bfOffBits - cbRead;
>> if (cbSkip > 1024)
>> cbSkip = 1024;
>>
>> if (!Read(abDummy, cbSkip))
>> goto Cleanup;
>> cbRead += cbSkip;
>> }
>>
>> .. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an
>> offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
>>
>> and we're in. cbSkip goes negative and the Read call clobbers the
>> stack with our data.
>>
>> See attached for proof of concept. index.html has [img src=1.bmp]
>> where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
>> Bring it up in IE5 (tested successfully on Win98) and get
>> EIP=0x44332211.
>>
>> IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
>> worm will have to wait a bit...
>>
>> .gta
>> PROPS TO the Fort and HAVE IT BE YOU.
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> Hello
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists