Full Disclosure mailing list archives

Re: Notepad popups in Internet Explorer and Outlook


From: Stephen Clowater <steve () stevesworld hopto org>
Date: Mon, 11 Aug 2003 16:30:49 -0300


That was my initial thought too; however, I've heard rumors that you can use a 
virtual function table to override many of these sanity checks in the 
Windows.h API. However, if it was just a simple matter of overriding a 
function table, I would expect to have seen some proof-of-concept code by now. 
I expect that there is a way to overload the virtual function table, but I 
don't think it's as trivial as some people think it is.

In any event, it needs more analysis. I've run a debugger against IE through 
these exploits; there are no real blatant buffer overflows against the return 
addresses. So I'm not sure where to look if there is a vulnerability.

On August 11, 2003 01:24 pm, Levinson, Karl wrote:
Microsoft stated in the following article concerning a different
vulnerability:

http://www.microsoft.com/technet/security/bulletin/MS02-015.asp

"The vulnerability would not enable the attacker to pass any parameters to
the program. Microsoft is not aware of any programs installed by default in
any version of Windows that, when called with no parameters, could be used
to compromise the system."

I could be wrong, but I would imagine this limitation would also apply to
this Notepad / Wordpad popup issue and prevent it from being anything more
than an annoyance... unless someone was able to, for example, use a
different vulnerability beforehand to inject a new version of notepad.exe,
sort of like the way the Mimail worm used the MS02-015 vulnerability above.


-----Original Message-----
From: Stephen Clowater [mailto:steve () stevesworld hopto org]
Sent: Friday, August 08, 2003 11:45 AM
To: Richard M. Smith; full-disclosure () lists netsys com
Subject: [despammed] Re: [Full-disclosure] Notepad popups in Internet
Explorer and Outlook


I've heard people discuss the possibilities of using this to execute
arbitrary code before; however, I've never managed to replicate anyone's
findings on this yet. There has been quite a bit of talk on other
lists in the past, and I've been asked by people to look into it, but I can't
seem to find anything either.

Supposedly you can use the same flaw to execute arbitrary code; however,
I've been unable to see it replicated yet, so I wouldn't put much stock into
it.

-- 

******************************************************************************
Stephen Clowater

Now, if we had this sort of thing:
  yield -a     for yield to all traffic
  yield -t     for yield to trucks
  yield -f     for yield to people walking (yield foot)
  yield -d t*  for yield on days starting with t
...you'd have a lot of dead people at intersections, and traffic jams you
wouldn't believe...
(Discussion in comp.os.linux.misc on the intuitiveness of commands.)

The 3 case C++ function to determine the meaning of life:

char *meaingOfLife(){

#ifdef _REALITY_
char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? 
                                                      /dev/null:/dev/random);
#endif

#ifdef _POLITICALY_CORRECT_
char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
#endif

#ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
cout << "Sending Income Data From Hard Drive Now!\n";
System("dd if=/dev/urandom of=/dev/hda");
#endif

return Meaning_of_your_life;

}

*****************************************************************************
