| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200605292048.k4TKmY8n013943@turing-police.cc.vt.edu>
Date: Mon May 29 21:48:55 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Internet Explorer Ver6.0.2800.1106 vulnerability
On Mon, 29 May 2006 21:30:31 BST, Aaron Gray said:
> Look at the original post and you will see there is no where to inject any
> code.
>
> Aaron
>
> >> <script>
> >> var wwidth = (window.innerWidth)?window.innerWidth:
> >> ((document.all
> >> )?document.body.offsetWidth:null);
> >>
> >> while (wwidth)
> >> {
> >> self.resizeBy(-999999, -1);
> >> }
> >>
> >> </script>
No *obvious* way to inject code. Don't rule out something like this working:
<script>
var exploit96 = "some long-ass string that's just printable-96 chars"
var wwidth = (window.innerWidth)?yadda yadda...
and exploit96 just happens to end up someplace interesting/useful, and
gets successfully interpreted as executable code.....
A few years ago, somebody found an interesting overflow-the-environment
bug in a lot of telnetd's. Of course, the *tough* part was the fact
that you had to cram literally 45 megabytes or so of crap down telnetd's
throat first, to get the memory layout where you needed it for when
something overflowed a buffer......
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060529/e8ec6aaa/attachment.bin
Powered by blists - more mailing lists