lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3d3168e50704100201p28bf4b2cg40fe7bfb9f31c3ab@mail.gmail.com>
Date: Tue, 10 Apr 2007 11:01:59 +0200
From: "Michal Majchrowicz" <m.majchrowicz@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

Hi.
One thing to add about IE protected mode and all that stuff:
We get shell (in ie protected mode) using ani vulnerability.
Go to the IE temporary directory. It must have write access there :)
Then we use this: http://www.securityfocus.com/bid/23278
And we have SYSTEM access :)
Regards.


On 4/8/07, wac <waldoalvarez00@...il.com> wrote:
> Hello:
>
> Firefox 2.0.0.3 (at least in windows) *seems to be vulnerable*. I don't
> remember exactly what it did but it behaved in a strange way I believe some
> file handle was left open and had to kill it the hard way. I don't know what
> they say in the docs but if it ends up calling the user32 function and
> that's all it takes to trigger the bug. I was taking a peek at it's import
> tables and It imports from User32 the function LoadCursorA maybe that could
> be the guilty one.
>
> anyway test here and see what happens (that link is from dev code)
>
> http://sicotik.com/ink/test.html
>
> I'm not vulnerable anymore since quite some time ;) and I don't have much
> time to test right now
>
> Regards
> Waldo
>
>
> On 4/8/07, Michal Majchrowicz <m.majchrowicz@...il.com> wrote:
> > Hi.
> > There are more and more reports about FF and ani vulnerability.
> > There was already a presentation of working exploit.
> > The thing starts to annoy me and since I am far away from any windows
> > I wanted to share some of my speculations.
> > According to docs two things are obvious:
> > 1) Firefox doesn't support ANI cursors
> > 2) ANI is just few cur cursors packed together and presented as an
> animation.
> > So i have three possible ways of exploiting it:
> > 1) Since ANI files are vulnerable then maybe cur files are also
> > vulnerable. Firefox does support CUR files.
> > 2) If firefox doesn't support ANI files it only means it doesn't
> > render them. It doesn't mean it will not acept them in any way:)
> > 3) Maybe it is possible to rename foo.ani and rename it to foo.cur.
> > Then FF will call win api with this cursor. Windows API will recognize
> > this as ANI file and call vulnerable function .
> > As I said before these are just speculation. I hope someone will be
> > able to confirm or prove that some of them (or all) have no sense.
> > Happy Easter to everyone.
> > Regards Michal.
> >
> > On 4/4/07, Peter Ferrie <pferrie@...antec.com> wrote:
> > > >That's correct, Firefox doesn't support ANI files for cursors.
> > >
> > > Right, and it doesn't need to, because cursors are not the only way to
> reach the vulnerable code.
> > > Icons can do it, too.
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ