lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 02 Apr 2007 00:39:46 +0200
From: "ad@...poverflow.com" <ad@...poverflow.com>
To: Larry Seltzer <Larry@...ryseltzer.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under vista and 
the default DEP settings doesnt catch it.


ad@...poverflow.com wrote:
>  From the published poc yes vista is vulnerable , the poc doesn't 
> exploit it but shows enough..
> The whole windows browser crashes when you try to open the folder of the 
> malicious .ani file,
> can't even attach it to an email because thunderbird crashes when I'm 
> browsing to attach the .ani,
> EIP is overwritten by some wrong datas near the shellcode, . To resume 
> you don't have to open the file
> on vista, displaying it is enough, there is less user interaction 
> required to exploit that bug on vista than older windows os,
>
> surprising...   ...or not =)
>  
> Larry Seltzer wrote:
>   
>>>> It is completely possible to execute shellcode if we can do some DEP
>>>>       
>>>>         
>> bypass (ie. ret2libc attack, etc..)  
>>
>> In Vista this should have problems because of ASLR, right?
>>
>> I'm beginning to think that web-based attacks with this in Vista aren't
>> really so scary. Even if you can get them to execute what can you really
>> do in IE protected mode? You need to get the user to run the ANI outside
>> of IE. Can anyone say what actually happens if you read an e-mail in the
>> Vista Mail program with an attack ANI embedded?
>>
>> Larry Seltzer
>> eWEEK.com Security Center Editor
>> http://security.eweek.com/
>> http://blog.eweek.com/blogs/larry%5Fseltzer/
>> Contributing Editor, PC Magazine
>> larryseltzer@...fdavis.com 
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> .
>>
>>   
>>     
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> .
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ