lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <200402150608.i1F68xLe025526@mailserver2.hushmail.com> From: gta at hush.com (gta@...h.com) Subject: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution I downloaded the Microsoft source code. Easy enough. It's a lot bigger than Linux, but there were a lot of people mirroring it and so it didn't take long. Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS. For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx: // Before we read the bits, seek to the correct location in the file while (_bmfh.bfOffBits > (unsigned)cbRead) { BYTE abDummy[1024]; int cbSkip; cbSkip = _bmfh.bfOffBits - cbRead; if (cbSkip > 1024) cbSkip = 1024; if (!Read(abDummy, cbSkip)) goto Cleanup; cbRead += cbSkip; } .. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an offset. Now all we have to do is create a BMP with bfOffBits > 2^31, and we're in. cbSkip goes negative and the Read call clobbers the stack with our data. See attached for proof of concept. index.html has [img src=1.bmp] where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211. Bring it up in IE5 (tested successfully on Win98) and get EIP=0x44332211. IE6 is not vulnerable, so I guess I'll get back to work. My Warhol worm will have to wait a bit... .gta PROPS TO the Fort and HAVE IT BE YOU. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040214/ef6c5a32/index.html -------------- next part -------------- A non-text attachment was scrubbed... Name: 1.bmp Type: application/octet-stream Size: 5078 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040214/ef6c5a32/1.obj
Powered by blists - more mailing lists