Full Disclosure mailing list archives
Re: MS05-036
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Thu, 14 Jul 2005 19:14:19 +0100
----Original Message----
From: David Chastain
Message-Id: 7381300.1121354089894.JavaMail.dlcmacosx () mac com
Has anyone seen or does anyone know of an exploit in HTML code that would target the MCMM vulnerability?
Nope. I haven't tried any experimentation yet, but my first guess would be that the overflow is in one of the functions that have to deal with strings, so maybe it would be worth trying to get very long colour names passed down from HTML code until the browser ends up calling CMConvertColorNameToIndex on them. Or perhaps we want to try and overflow CMGetNamedProfileInfo?

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
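As an added example (not part of DaveK's post, and not code from Microsoft's Color Management Module or any browser), the sketch below in C shows the class of bug he is guessing at: a colour-name lookup that copies a caller-supplied name into a fixed buffer without checking its length, placed beside a bounded version that refuses over-long names before copying. It also includes a helper that builds the kind of very long colour name he suggests feeding to the browser. The colour table, the 32-byte buffer, and every function name here are hypothetical stand-ins, not the module's real routines.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 32   /* hypothetical fixed buffer for a colour name */

/* Constructed sample table of named colours; the index a lookup returns
 * is the position in this table. Not the real module's table. */
static const char *const colour_names[] = {
    "black", "white", "red", "green", "blue"
};
#define N_COLOURS (sizeof colour_names / sizeof colour_names[0])

/* Lower-case `buf` in place so the lookup is case-insensitive. */
static void lowercase(char *buf)
{
    for (; *buf; buf++)
        *buf = (char)tolower((unsigned char)*buf);
}

/* Match a NUL-terminated, already lower-cased name against the table. */
static int find_index(const char *name)
{
    size_t i;
    for (i = 0; i < N_COLOURS; i++)
        if (strcmp(name, colour_names[i]) == 0)
            return (int)i;
    return -1;   /* unknown colour name */
}

/* UNSAFE (the class of bug DaveK guesses at): the caller-supplied name is
 * copied into a fixed stack buffer with no length check. Any name of
 * NAME_BUF bytes or more overruns `tmp` and corrupts the stack, which is
 * undefined behaviour. Only ever call this with short, trusted names. */
int lookup_colour_unsafe(const char *name)
{
    char tmp[NAME_BUF];
    strcpy(tmp, name);             /* unbounded copy: here is the overflow */
    lowercase(tmp);
    return find_index(tmp);
}

/* SAFE: check the length before touching the buffer. An over-long name from
 * a page is refused with -2 instead of being copied, so the worst a hostile
 * page can do is name a colour that does not exist. */
int lookup_colour_safe(const char *name)
{
    char tmp[NAME_BUF];
    size_t len = strlen(name);     /* name must be NUL-terminated, as with any C string API */
    if (len >= NAME_BUF)
        return -2;                 /* too long for the buffer: reject, do not truncate */
    memcpy(tmp, name, len + 1);    /* len + 1 copies the terminator too */
    lowercase(tmp);
    return find_index(tmp);
}

/* Build the kind of test input DaveK suggests: a colour name of `len`
 * bytes, as a page might pass in <font color="..."> or a CSS colour value.
 * Caller frees the result. */
char *make_long_colour_name(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Feed a generated name of `len` bytes to the bounded lookup and report
 * what it returned (-2 for anything that would have overflowed). */
int safe_lookup_of_long_name(size_t len)
{
    char *name = make_long_colour_name(len);
    int r;
    if (name == NULL)
        return -3;                 /* allocation failure */
    r = lookup_colour_safe(name);
    free(name);
    return r;
}

int main(void)
{
    printf("unsafe(\"red\")    -> %d\n", lookup_colour_unsafe("red"));
    printf("safe(\"Blue\")     -> %d\n", lookup_colour_safe("Blue"));
    printf("safe(4096 x 'A') -> %d\n", safe_lookup_of_long_name(4096));
    return 0;
}
```

The difference between the two lookups is only where the length is examined: the bounded version decides before any byte reaches the stack buffer, so the generated long name is simply an unknown colour. The unsafe version is kept here only to show the shape of the bug; nothing in this example calls it with an over-long name, and nothing on the page establishes that the real module's code looks like this.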
Current thread:
- MS05-036 David Chastain (Jul 14)
- Re: MS05-036 Dave Korn (Jul 14)