Full Disclosure mailing list archives
Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
From: KF <dotslash () snosoft com>
Date: Sun, 15 Feb 2004 13:53:05 -0500
Btw this does nothing to the IE on Win2k Version: 5.00.3700.1040, Update Versions: SP4;Q824145:Q832894 -KF KF wrote:
Man ... those voices in my head... they keep screaming "DMCA"! -KF gta () hush com wrote:I downloaded the Microsoft source code. Easy enough. It's a lot bigger than Linux, but there were a lot of people mirroring it and so it didn't take long. Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS. For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx: // Before we read the bits, seek to the correct location in the file while (_bmfh.bfOffBits > (unsigned)cbRead) { BYTE abDummy[1024]; int cbSkip; cbSkip = _bmfh.bfOffBits - cbRead; if (cbSkip > 1024) cbSkip = 1024; if (!Read(abDummy, cbSkip)) goto Cleanup; cbRead += cbSkip; } .. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an offset. Now all we have to do is create a BMP with bfOffBits > 2^31, and we're in. cbSkip goes negative and the Read call clobbers the stack with our data. See attached for proof of concept. index.html has [img src=1.bmp] where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211. Bring it up in IE5 (tested successfully on Win98) and get EIP=0x44332211. IE6 is not vulnerable, so I guess I'll get back to work. My Warhol worm will have to wait a bit... .gta PROPS TO the Fort and HAVE IT BE YOU. ------------------------------------------------------------------------ Hello_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution, (continued)
- Re: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution morning_wood (Feb 18)
- RE: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Shawn K. Hall (RA/Security) (Feb 18)
- RE: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution CHS (Feb 18)
- RE: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Byron Copeland (Feb 18)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution madsaxon (Feb 18)
- Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Brent J. Nordquist (Feb 18)
- Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Jorrit Kronjee (Feb 19)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Cael Abal (Feb 18)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Joshua Levitsky (Feb 18)
- os x mass mailers petard (Feb 18)
- Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution Cael Abal (Feb 15)