[<prev] [next>] [day] [month] [year] [list]
Message-ID: <alpine.LNX.2.00.1212210432420.11852@forced.attrition.org>
Date: Fri, 21 Dec 2012 04:33:03 -0600 (CST)
From: security curmudgeon <jericho@...rition.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [OSVDB Mods] Fwd: Internet Explorer Stack
Exhaustion -> Flag [MSIE9] (fwd)
---------- Forwarded message ----------
From: security curmudgeon <jericho@...rition.org>
To: dukkha@...e-mail.net
Cc: moderators@...db.org
Date: Fri, 21 Dec 2012 04:32:31 -0600 (CST)
Subject: Re: [OSVDB Mods] Fwd: Internet Explorer Stack Exhaustion -> Flag
[MSIE9]
On Fri, 21 Dec 2012, dukkha@...e-mail.net wrote:
: regarding to this vulnerability:
:
: http://osvdb.org/show/osvdb/88539
:
: Why has this been flagged as "myth/fake"?
Because your claims of code execution are wrong.
: Paste the payload in a file, save it as "test.html" and run it in Internet Explorer:
:
: <table></for xmlns="1">
: <td><datetime><colgroup>
: <id><dd><col>
: </table><object>
: <hr><base>
:
: It will cause a crash.
Yes, it will cause a crash.
: Use a debugger, you will see this is a stack exhaustion.
Yes, stack exhaustion leads to a crash.
: Also, if you have any basic knowledge, take a look at the registers (ESP
: 003FDDD4 = Stack Exhaustion). There is no myth and no fake. I would like
: to receive a statement why this has been flagged. If there is no reason,
: please remove the message that this is a "myth/fake".
Our official statement:
You claimed code execution in your post. In case you forgot, let me
remind and clarify:
http://seclists.org/bugtraq/2012/Dec/109
"Successful exploitation may lead to arbitrary code execution."
This is inaccurate. Thus, we have flagged the entry "Myth/Fake" because
stack exhaustion leads to a crash, not code execution. There is a
difference between a stack overflow (exhaustion) that crashes, and a
stack-based buffer overflow that *may* lead to code execution. You have
only proven stack exhaustion and a random crash. This is a common mistake
among new "researchers".
Your mail to us now about stack exhaustion is different than your initial
post to Full-Disclosure. Your post to F-D was a) lacking relevant details
to make sense of b) very different than your email to us. You need to
figure out what details you think you found out, and stick to them.
Posting apples and mailing us claiming aardvarks doesn't fly sir.
You said in your F-D post, "The application is prone to a remote stack
overflow vulnerability." which makes anyone immediately reading it believe
it's a stack-based buffer overflow - especially since you claim it "may
lead to arbitrary code execution". Your PoC does not demonstrate anything
other than a straightforward crash (a stack overflow exception -
0xc00000fd).
Further, you titled this "Microsoft Internet Explorer 9.x <= Remote Stack
Overflow Vulnerability". I am giving you the benefit of the doubt and
assuming you are claiming this in version 9.x, and not implying "less than
or equal to 9.x". But just in case, did you even bother to test on
multiple versions of 9.x? If so, why didn't you specify the exact version?
Did you test before that and notice that MSIE 8 appears to crash, while
MSIE 6 and 7 do not? I mean seriously, listing 9.x without any more
details is amateur hour. I won't even get into the fact that you did not
mention patches, or platform.
If you feel that we are wrong, consider one of the replies to your post:
http://seclists.org/bugtraq/2012/Dec/119
From: Fabio Baroni <fabiothebest () gmail com>
Date: Thu, 20 Dec 2012 01:05:07 +0100
Jonathan Ness from the Microsoft Security Response Center says this
IE9 POC is stack exhaustion, not a stack-based buffer overflow and
Stack exhaustion is typically not exploitable for code execution.
That is now two people that dispute your finding, yet you seem to think
you know more than anyone while only posting the most pedestrian of
advisories. While you can cry that you want to read Ness' statement,
remember that you have published NOTHING other than a simple crash. You
have not demonstrated anything else, and certainly not demonstrated code
execution.
You said to us, "Also, if you have any basic knowledge...", I would like
to say that I believe OSVDB staff have more than basic knowledge. However,
based on your F-D post, you don't get access to our reversing ninja. Based
on the crap you posted, you only get access to me and my guinea pigs.
Waffle and Tater aren't that good at reversing, but they can usually smell
suspicious bullshit, as demonstrated when I try to hand feed them a
vegetable in a desperate ploy to grab one for "mandatory pet time". Until
you show that YOU have basic knowledge, you only get to deal with two
guinea pigs and a washed up, bitter ex-penetration tester. For now, the
entry remains Myth/Fake.
The easiest way for you to get us to change our entry, is for you to a)
demonstrate code execution or b) get the vendor to admit code execution is
possible. If you can demonstrate code execution off this particular bug, I
will Paypal you US$250 just for proving me wrong.
Jericho
p.s. Our database has 87510 entries, and only 401 are marked as Myth/Fake.
Congrats, for making the very few!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists