lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: security at greymagic.com (GreyMagic Security)
Subject: Re: Yet another IE aperture

> can you comment on this testcases:
>
> http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo2.html
> http://www.guninski.com/where_do_you_want_billg_to_go_today_1_demo.html

Interesting, both your exploit code as well as the exploit code we provide
in the advisory (Exploit section) do work flawlessly, it's an implementation
detail in the live PoC that's being blocked. Quite a regression for
Microsoft.

The reason we were getting Access denied errors is because of the way the
live PoC was implemented. Apparently, the patch is still applicable when the
XML script block is dynamically included via document.write(). Strangely
enough, the regression only applies to static HTML script blocks.

To those looking to test this on any document, we updated the live PoC to
use a static script block and it now works again.
http://www.greymagic.com/security/advisories/gm009-ie/

We added the following update to the original advisory:
...
Update - 9 Oct 2004

Apparently, there has been a regression in Internet Explorer that caused it
to be vulnerable to this issue once again. The regression was spotted by
Georgi Guninski.

Interestingly enough, the regression is only visible when the <script> block
is static in the page, dynamic blocks (via document.write) are protected.
...

Cheers


Powered by blists - more mailing lists