[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3d3168e50704081005m13b55295tf377b4dfc7219e@mail.gmail.com>
Date: Sun, 8 Apr 2007 19:05:35 +0200
From: "Michal Majchrowicz" <m.majchrowicz@...il.com>
To: "Peter Ferrie" <pferrie@...antec.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow
Hi.
There are more and more reports about FF and ani vulnerability.
There was already a presentation of working exploit.
The thing starts to annoy me and since I am far away from any windows
I wanted to share some of my speculations.
According to docs two things are obvious:
1) Firefox doesn't support ANI cursors
2) ANI is just few cur cursors packed together and presented as an animation.
So i have three possible ways of exploiting it:
1) Since ANI files are vulnerable then maybe cur files are also
vulnerable. Firefox does support CUR files.
2) If firefox doesn't support ANI files it only means it doesn't
render them. It doesn't mean it will not acept them in any way:)
3) Maybe it is possible to rename foo.ani and rename it to foo.cur.
Then FF will call win api with this cursor. Windows API will recognize
this as ANI file and call vulnerable function .
As I said before these are just speculation. I hope someone will be
able to confirm or prove that some of them (or all) have no sense.
Happy Easter to everyone.
Regards Michal.
On 4/4/07, Peter Ferrie <pferrie@...antec.com> wrote:
> >That's correct, Firefox doesn't support ANI files for cursors.
>
> Right, and it doesn't need to, because cursors are not the only way to reach the vulnerable code.
> Icons can do it, too.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists