Open Source and information security mailing list archives
Date: Mon, 02 Apr 2007 01:49:42 -0700
From: Alexander Sotirov <asotirov@...ermina.com>
To: Larry Seltzer <Larry@...ryseltzer.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

Larry Seltzer wrote:
> Perhaps your exploit proves this wrong, but it's the last I heard on the
> subject. And even if there are only 256 slots how do you try more than
> one? Isn't the first wrong one going to crash the browser?

Read our advisory:
http://www.determina.com/security.research/vulnerabilities/ani-header.html

It explains that the vulnerable code is wrapped in an exception handler that
recovers from access violations. That means that you can trigger the exploit
multiple times and try different addresses, increasing the chance of hitting the
right one (you only need 128 tries on average).

A much simpler solution is to use heap spraying (which works fine on Vista) for
systems that don't have DEP enabled.

> As for the exploits in protected mode I'm sure there are things you can
> do, but it's a huge step down from what you can do in XP and it's gone
> as soon as you exit IE7

Unless somebody has a Vista exploit for the CSRSS kernel bug :-) In general I
agree that protected mode presents additional constraints on exploitation, but I
would reserve judgment until we've seen a few more exploits and more public
research.

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
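The message above makes two points a defender can act on: a handler that swallows access violations turns a crash into a retry, and with 256 candidate addresses the expected number of retries is about 128. The following added example (written for this archive page; it is not code from the message, the advisory, or Determina) works out that expectation and flags a process that survives many access violations in a short window. It assumes a monitoring source (for instance a debugger or ETW-style feed) that records first-chance access violations per process; the event records are constructed for the example.

```python
# Added example, not from the original message or advisory.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, pid, image name) of first-chance
# access violations, assumed to come from a per-process exception monitor.
_BASE = datetime(2007, 4, 2, 1, 49, 0)
SAMPLE_EVENTS = [((_BASE + timedelta(seconds=2 * i)).isoformat(), 1234, "iexplore.exe")
                 for i in range(12)]            # 12 AVs in 22 s: survived and retried
SAMPLE_EVENTS.append((_BASE.isoformat(), 777, "explorer.exe"))   # one AV, then gone
SAMPLE_EVENTS += [((_BASE + timedelta(minutes=5 * i)).isoformat(), 900, "svc.exe")
                  for i in range(12)]           # 12 AVs spread over an hour: slow rate


def expected_tries(slots: int) -> float:
    """Expected number of attempts when the right slot is uniformly placed
    among `slots` candidates and they are tried one by one.
    256 slots gives 128.5, the '128 tries on average' quoted in the thread."""
    return (slots + 1) / 2


def flag_repeated_av(events, threshold=10, window=timedelta(seconds=60)):
    """Return {(pid, image): count} for processes whose access-violation count
    inside some sliding time window reaches `threshold`.

    A process normally dies on its first unhandled access violation, so a
    single process that keeps taking them is the signature of the in-process
    recovery-and-retry behaviour described in the message."""
    by_proc = defaultdict(list)
    for ts, pid, image in events:
        by_proc[(pid, image)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = count
                break
    return flagged


if __name__ == "__main__":
    print("expected tries for 256 slots:", expected_tries(256))
    print("flagged:", flag_repeated_av(SAMPLE_EVENTS))
```

The threshold and window are tuning knobs; a browser taking ten access violations inside a minute without exiting is rare enough that a low threshold is reasonable, while the hour-long slow series is deliberately left unflagged to show the window's effect.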
