Full Disclosure mailing list archives

Re: MS05-036


From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Thu, 14 Jul 2005 19:14:19 +0100

----Original Message----
From: David Chastain
Message-Id: 7381300.1121354089894.JavaMail.dlcmacosx () mac com

Has anyone seen or does anyone know of an exploit in HTML code that would
target the MCMM vulnerability?

  Nope.  I haven't tried any experimentation yet, but my first guess would
be that the overflow is in one of the functions that have to deal with
strings, so maybe it would be worth trying to get very long colour names
passed down from HTML code until the browser ends up calling
CMConvertColorNameToIndex on them.

  Or perhaps we want to try and overflow CMGetNamedProfileInfo?

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/