Full Disclosure mailing list archives
GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
From: Feher Tamas <etomcat () freemail hu>
Date: Wed, 18 Feb 2004 19:50:22 +0100 (CET)
Hello,
Now all we have to do is create a BMP with bfOffBits > 2^31, and we're in. cbSkip goes negative and the Read call clobbers the stack with our data. See attached for proof of concept. index.html has [img src=1.bmp] where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211. Brings down IE5 / OE5 (tested successfully on Win98)
Kaspersky Lab's AVP (and possibly other vendors') antivirus suites now detect the presence of this method in files by the name "Suspicion: Exploit.IMG-BMP". So any future worm or virus that tries to use this attack vector to inject itself automatically should be stopped from the very first minute. Even if it is a brand new malware. Sincerely: Tamas Feher. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution, (continued)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution madsaxon (Feb 18)
- Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Brent J. Nordquist (Feb 18)
- Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Jorrit Kronjee (Feb 19)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Cael Abal (Feb 18)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Joshua Levitsky (Feb 18)
- os x mass mailers petard (Feb 18)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Cael Abal (Feb 15)