lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <009a01c95a56$6d26b3b0$47741b10$@moore@insomniasec.com>
Date: Wed, 10 Dec 2008 12:32:33 +1300
From: "Brett Moore" <brett.moore@...omniasec.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Insomnia : ISVA-081209.1 - IE Webdav Request
	Parsing Heap Corruption Vulnerability

__________________________________________________________________

 Insomnia Security Vulnerability Advisory: ISVA-081209.1
___________________________________________________________________

 Name: IE Webdav Request Parsing Heap Corruption Vulnerability 
 Released: 09 December 2008
  
 Vendor Link: 
    http://www.microsoft.com/
  
 Affected Products:
    Microsoft Internet Explorer 7 Running On Vista
    Requires Office 2007
 
 Original Advisory: 
    http://www.insomniasec.com/advisories/ISVA-081209.1.htm
 
 Researcher: 
    Brett Moore, Insomnia Security
    http://www.insomniasec.com
___________________________________________________________________

_______________

 Description
_______________

A vulnerability was found in the way that webdav requests are
cached and then later retrieved by Internet Explorer. This results
in the use of uninitialized memory which under the right situation 
can lead to command execution.

_______________

 Details
_______________

When Internet Explorer loads a file from a webdav share, a copy of
the file is stored in

\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV

This copy is used as the cached version of the file, and is loaded 
if a page refresh is done.

If the size of the requested file is larger that 190 characters then
the webdav handling service will not save it correctly.

Internet Explorer assumes that the file was stored, and is cached, so
when a refresh is done it attempts to load the file information from
the cached data.

This leads to a heap corruption with various values read that lead 
to exploitable conditions.

_______________

 Solution
_______________

Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx

_______________

 Legals
_______________

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___________________________________________________________________
 
Insomnia Security Vulnerability Advisory: ISVA-081209.1
___________________________________________________________________

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ