lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Apr 2007 10:21:02 -0400 From: "Brooks, Shane" <SBrooks@...ngelake.com> To: "Michal Majchrowicz" <m.majchrowicz@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Windows .ANI LoadAniIcon Stack Overflow Do you have a working exploit for this vuln? The SecFocus page says none is publicly available. S -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Michal Majchrowicz Sent: Tuesday, April 10, 2007 5:02 AM To: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow Hi. One thing to add about IE protected mode and all that stuff: We get shell (in ie protected mode) using ani vulnerability. Go to the IE temporary directory. It must have write access there :) Then we use this: http://www.securityfocus.com/bid/23278 And we have SYSTEM access :) Regards. On 4/8/07, wac <waldoalvarez00@...il.com> wrote: > Hello: > > Firefox 2.0.0.3 (at least in windows) *seems to be vulnerable*. I don't > remember exactly what it did but it behaved in a strange way I believe some > file handle was left open and had to kill it the hard way. I don't know what > they say in the docs but if it ends up calling the user32 function and > that's all it takes to trigger the bug. I was taking a peek at it's import > tables and It imports from User32 the function LoadCursorA maybe that could > be the guilty one. > > anyway test here and see what happens (that link is from dev code) > > http://sicotik.com/ink/test.html > > I'm not vulnerable anymore since quite some time ;) and I don't have much > time to test right now > > Regards > Waldo > > > On 4/8/07, Michal Majchrowicz <m.majchrowicz@...il.com> wrote: > > Hi. > > There are more and more reports about FF and ani vulnerability. > > There was already a presentation of working exploit. > > The thing starts to annoy me and since I am far away from any windows > > I wanted to share some of my speculations. > > According to docs two things are obvious: > > 1) Firefox doesn't support ANI cursors > > 2) ANI is just few cur cursors packed together and presented as an > animation. > > So i have three possible ways of exploiting it: > > 1) Since ANI files are vulnerable then maybe cur files are also > > vulnerable. Firefox does support CUR files. > > 2) If firefox doesn't support ANI files it only means it doesn't > > render them. It doesn't mean it will not acept them in any way:) > > 3) Maybe it is possible to rename foo.ani and rename it to foo.cur. > > Then FF will call win api with this cursor. Windows API will recognize > > this as ANI file and call vulnerable function . > > As I said before these are just speculation. I hope someone will be > > able to confirm or prove that some of them (or all) have no sense. > > Happy Easter to everyone. > > Regards Michal. > > > > On 4/4/07, Peter Ferrie <pferrie@...antec.com> wrote: > > > >That's correct, Firefox doesn't support ANI files for cursors. > > > > > > Right, and it doesn't need to, because cursors are not the only way to > reach the vulnerable code. > > > Icons can do it, too. > > > > > > > > > _______________________________________________ > > > Full-Disclosure - We believe in it. > > > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.446 / Virus Database: 269.0.0/754 - Release Date: 4/9/2007 10:59 PM -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.446 / Virus Database: 269.0.0/754 - Release Date: 4/9/2007 10:59 PM _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists