| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <461034B2.6050502@heapoverflow.com> Date: Mon, 02 Apr 2007 00:39:46 +0200 From: "ad@...poverflow.com" <ad@...poverflow.com> To: Larry Seltzer <Larry@...ryseltzer.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Windows .ANI LoadAniIcon Stack Overflow http://www.milw0rm.com/exploits/3634 str0ke told me to test this one and no miracle, it works under vista and the default DEP settings doesnt catch it. ad@...poverflow.com wrote: > From the published poc yes vista is vulnerable , the poc doesn't > exploit it but shows enough.. > The whole windows browser crashes when you try to open the folder of the > malicious .ani file, > can't even attach it to an email because thunderbird crashes when I'm > browsing to attach the .ani, > EIP is overwritten by some wrong datas near the shellcode, . To resume > you don't have to open the file > on vista, displaying it is enough, there is less user interaction > required to exploit that bug on vista than older windows os, > > surprising... ...or not =) > > Larry Seltzer wrote: > >>>> It is completely possible to execute shellcode if we can do some DEP >>>> >>>> >> bypass (ie. ret2libc attack, etc..) >> >> In Vista this should have problems because of ASLR, right? >> >> I'm beginning to think that web-based attacks with this in Vista aren't >> really so scary. Even if you can get them to execute what can you really >> do in IE protected mode? You need to get the user to run the ANI outside >> of IE. Can anyone say what actually happens if you read an e-mail in the >> Vista Mail program with an attack ANI embedded? >> >> Larry Seltzer >> eWEEK.com Security Center Editor >> http://security.eweek.com/ >> http://blog.eweek.com/blogs/larry%5Fseltzer/ >> Contributing Editor, PC Magazine >> larryseltzer@...fdavis.com >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> . >> >> >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > . > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists