Full Disclosure mailing list archives
Re: Notepad popups in Internet Explorer and Out look
From: Stephen Clowater <steve () stevesworld hopto org>
Date: Mon, 11 Aug 2003 16:30:49 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That was my initial thought too, however I've heard rumors that you can use a virtual function table to override many of these sanity checks in the Windows.h API. However, if it was just a simple matter of overriding a function table I would expect to have seen some proof of concept code by now. I expect that there is a way to overload the virtual function table, but I don't think it's as trivial as some people think it is. In any event it needs more analysis. I've run a debugger against IE through these exploits; there are no real blatant buffer overflows against the return addresses. So I'm not sure where to look if there is a vulnerability.

On August 11, 2003 01:24 pm, Levinson, Karl wrote:
> Microsoft stated in the following article concerning a different vulnerability:
> http://www.microsoft.com/technet/security/bulletin/MS02-015.asp
>
> "The vulnerability would not enable the attacker to pass any parameters to the program. Microsoft is not aware of any programs installed by default in any version of Windows that, when called with no parameters, could be used to compromise the system."
>
> I could be wrong, but I would imagine this limitation would also apply to this Notepad / Wordpad popup issue and prevent it from being anything more than an annoyance... unless someone was able to, for example, use a different vulnerability beforehand to inject a new version of notepad.exe, sort of like the way the Mimail worm used the MS02-015 vulnerability above.
>
> -----Original Message-----
> From: Stephen Clowater [mailto:steve () stevesworld hopto org]
> Sent: Friday, August 08, 2003 11:45 AM
> To: Richard M. Smith; full-disclosure () lists netsys com
> Subject: [despammed] Re: [Full-disclosure] Notepad popups in Internet Explorer and Outlook
>
> I've heard people discussing the possibilities of using this to execute arbitrary code before; however, I've never managed to replicate anyone's findings on this yet. There has been quite a bit of talk on other lists in the past, and I've been asked by people to look into it, but I can't seem to find anything either. Supposedly you can use the same flaw to execute arbitrary code; however, I've been unable to see it replicated yet, so I wouldn't put much stock in it.
- --
******************************************************************************
Stephen Clowater

Now, if we had this sort of thing:
  yield -a     for yield to all traffic
  yield -t     for yield to trucks
  yield -f     for yield to people walking (yield foot)
  yield -d t*  for yield on days starting with t
...you'd have a lot of dead people at intersections, and traffic jams you wouldn't believe...
(Discussion in comp.os.linux.misc on the intuitiveness of commands.)

The 3 case C++ function to determine the meaning of life:

char *meaingOfLife(){
#ifdef _REALITY_
  char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? /dev/null:/dev/random);
#endif
#ifdef _POLITICALY_CORRECT_
  char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
#endif
#ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
  cout << "Sending Income Data From Hard Drive Now!\n";
  System("dd if=/dev/urandom of=/dev/hda");
#endif
  return Meaning_of_your_life;
}
*****************************************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html