Message-ID: <3fa2f5bb1003011640i6c49dc25s83d20f94fb1ffd3c@mail.gmail.com>
Date: Tue, 2 Mar 2010 01:40:32 +0100
From: Berend-Jan Wever <berendjanwever@...il.com>
To: Full-disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: Internet Exploiter 2 - bypassing DEP

It seems my English is not as good as I thought and I accidentally led Ryan
Naraine <http://blogs.zdnet.com/security/?p=5573>, Larry Seltzer
<http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/#comments>
and probably others to come to conclusions such as that I released a weaponized
0-day that bypasses both ASLR+DEP in current versions of MSIE and Windows
using a completely new technique and that I did so as a Google employee.

However, let me try to explain better and to correct any ambiguity I may
have created in my first blog post:
- I have recently released an exploit that I developed in 2005 (before I was
employed by either MS or Google).
- I am releasing this as an individual as part of my new-year's resolution
<http://skypher.com/index.php/2010/01/02/new-years-resolutions/> to dump
random stuff from my hard disk onto the tubes. (I have a personal interest
in security outside of my work; every now and then I find enough time to
work on and release stuff like this.)
- The exploit targets a bug that was fixed in 2005
<http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php>,
which only affected MSIE 6.0 and earlier.
- The exploit shows how to implement the well-known ret-into-libc technique
(using a heap spray) to bypass DEP.
- The exploit does not contain anything that is not already public, other
than how to implement a ret-into-libc using a heap spray to exploit complex
memory corruption bugs such as the DHTML race condition it targets.
- The exploit does not bypass ASLR.
- Using ret-into-libc to bypass DEP affects any application that has a
vulnerability that allows an attacker to use a ret-into-libc attack - this
is not MSIE specific.

I hope this helps clarify some things. But, not being a native English
speaker, I may inadvertently have said things completely wrong again. I look
forward to correcting my mistakes as they show up on other news sites in the
future.

Cheers,
SkyLined

Berend-Jan Wever <berendjanwever@...il.com>
http://skypher.com/SkyLined



On Mon, Mar 1, 2010 at 4:51 PM, Berend-Jan Wever
<berendjanwever@...il.com> wrote:

> Hey all,
>
> I released a version of my Internet Exploiter 2 exploit from 2005 that
> bypasses DEP. If you are familiar with my Internet Exploiter series of
> exploits and/or are interested in how to use heap-spraying to bypass DEP,
> you may like this:
> http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/
>
> Cheers,
> SkyLined
> <http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/>
> Berend-Jan Wever <berendjanwever@...il.com>
> http://skypher.com/SkyLined
>
>
