Full Disclosure mailing list archives
Re: Windows .ANI LoadAniIcon Stack Overflow
From: Alexander Sotirov <asotirov () determina com>
Date: Mon, 02 Apr 2007 01:49:42 -0700
Larry Seltzer wrote:
> Perhaps your exploit proves this wrong, but it's the last I heard on the subject. And even if there are only 256 slots, how do you try more than one? Isn't the first wrong one going to crash the browser?
Read our advisory: http://www.determina.com/security.research/vulnerabilities/ani-header.html

It explains that the vulnerable code is wrapped in an exception handler that recovers from access violations. That means that you can trigger the exploit multiple times and try different addresses, increasing the chance of hitting the right one (you only need 128 tries on average).

A much simpler solution is to use heap spraying (which works fine on Vista) for systems that don't have DEP enabled.
> As for the exploits in protected mode, I'm sure there are things you can do, but it's a huge step down from what you can do in XP, and it's gone as soon as you exit IE7.
Unless somebody has a Vista exploit for the CSRSS kernel bug :-)

In general I agree that protected mode presents additional constraints on exploitation, but I would reserve judgment until we've seen a few more exploits and more public research.

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
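An added example, not code from the thread or from the Determina advisory, modelling the retry mechanism Alex describes above: because the vulnerable code sits under an exception handler that recovers from access violations, a wrong address guess costs a caught fault rather than a dead browser, so an attacker can walk through all 256 candidate image bases. The model stands in Linux/POSIX primitives (a SIGSEGV handler plus siglongjmp) for Windows SEH; the 256-slot layout with exactly one mapped page, the marker byte, and the sample base 77 are constructed assumptions, not details of the real bug.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define NSLOTS 256          /* assumed: 8 bits of image-base randomisation */
#define MARKER 0x4d         /* assumed: byte that identifies the "right" base */

static sigjmp_buf recover_point;
static volatile sig_atomic_t fault_count;

/* Stand-in for the exception handler around the vulnerable code: swallow the
 * access violation and resume at the retry point instead of dying. */
static void on_segv(int sig)
{
    (void)sig;
    fault_count++;
    siglongjmp(recover_point, 1);
}

/* Reserve NSLOTS inaccessible pages and make exactly one of them readable:
 * a toy model of an image whose base can sit in any of 256 slots, where only
 * the true base is mapped and every other guess faults. */
static unsigned char *setup_slots(int hidden, size_t page)
{
    unsigned char *region = mmap(NULL, NSLOTS * page, PROT_NONE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return NULL;
    if (mprotect(region + (size_t)hidden * page, page, PROT_READ | PROT_WRITE) != 0) {
        munmap(region, NSLOTS * page);
        return NULL;
    }
    region[(size_t)hidden * page] = MARKER;
    return region;
}

/* Walk the slots in order, dereferencing each guess under the recovering
 * handler. Returns the slot that held the marker (or -1) and the number of
 * guesses it took in *attempts. */
static int probe_with_recovery(unsigned char *region, size_t page, int *attempts)
{
    struct sigaction sa, old;
    volatile int slot, tries = 0, found = -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    fault_count = 0;

    for (slot = 0; slot < NSLOTS; slot++) {
        tries++;
        if (sigsetjmp(recover_point, 1) == 0) {
            volatile unsigned char *guess = region + (size_t)slot * page;
            if (*guess == MARKER) {      /* faults on every wrong slot */
                found = slot;
                break;
            }
        }
        /* A non-zero return means we landed here from on_segv: next guess. */
    }

    sigaction(SIGSEGV, &old, NULL);
    *attempts = tries;
    return found;
}

/* One full trial for a given true base. Returns the slot found (-1 on error). */
int run_trial(int hidden, int *attempts_out)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    int attempts = 0, found;
    unsigned char *region = setup_slots(hidden, page);
    if (region == NULL)
        return -1;
    found = probe_with_recovery(region, page, &attempts);
    munmap(region, NSLOTS * page);
    if (attempts_out)
        *attempts_out = attempts;
    return found;
}

/* Guesses needed for a given true base, or -1 if the trial failed. */
int attempts_for_base(int hidden)
{
    int attempts = 0;
    return run_trial(hidden, &attempts) == hidden ? attempts : -1;
}

/* Average guesses over every possible base: (1 + 256) / 2 = 128.5 for an
 * exhaustive in-order walk, i.e. the "about 128 on average" figure. */
double average_attempts_over_all_bases(void)
{
    long total = 0;
    for (int hidden = 0; hidden < NSLOTS; hidden++) {
        int a = attempts_for_base(hidden);
        if (a < 0)
            return -1.0;
        total += a;
    }
    return (double)total / NSLOTS;
}

int main(void)
{
    int attempts = 0;
    int found = run_trial(77, &attempts);   /* constructed sample base */
    printf("found slot %d after %d guesses (%ld faults swallowed)\n",
           found, attempts, (long)fault_count);
    printf("average over all bases: %.1f guesses\n",
           average_attempts_over_all_bases());
    return found == 77 ? 0 : 1;
}
```

Build with a plain gcc invocation on Linux and run it: the in-order walk finds base 77 on the 78th guess after 77 swallowed faults, and averaging an exhaustive in-order walk over every base gives (1 + 256) / 2 = 128.5 guesses, the rough 128 from the message. Remove the handler installation and the first wrong guess terminates the process, which is exactly the crash Larry was expecting; the recovering handler is what turns a one-shot guess into a brute force.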