RE: Buffer Overflow vulnerability in WindowsDisplay Manager [Suspected]

["Paul" <pvnick () gmail com>]

I can repro this on Windows XP Pro with IE7. However, it does not appear to
be exploitable. Internet explorer terminates after attempting to execute the
following statement:

034ED914   8C82 60770100    MOV WORD PTR DS:[EDX+17760],ES
EDX=0

So it's a null pointer bug.

Regards,
Paul
Greyhats Security 
 

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of InfoSecBOFH
Sent: Monday, January 02, 2006 1:54 PM
To: Stan Bubrouski
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
WindowsDisplay Manager [Suspected]

Crash dump would be nice too.

I have seen this once before but had issues replicating it with other
display drivers.

On 1/2/06, Stan Bubrouski <stan.bubrouski () gmail com> wrote:
> Well if you look at the fact there is no title on titlebar and the
> fact the active tab is Untitled, I'd hazard to guess its something he
> manually entered into the address bar, and so we don't even know if
> this is exploitable by clicking a link or whatnot.
>
> Not exactly sure why this was posted if no details are provided.
> Anything else for us Sumit?
>
> -sb
>
> On 1/2/06, Lise Moorveld <lise_moorveld () yahoo com> wrote:
> > Dear Sumit,
> >
> > Could you tell me how you exploited this buffer
> > overflow issue in Firefox so I can try and reproduce
> > it? I notice a lot of A's in your address bar but I'm
> > not sure whether that's it and if so, how many A's are
> > used.
> >
> > Regards,
> >
> > Lise
> >
> > --- Sumit Siddharth <sumit.siddharth () gmail com> wrote:
> >
> > > Hi,
> > > The Windows display manager crashes when a BOF is
> > > attempted on a mozilla
> > > firefox.
> > > This has different results on different windows
> > > machine.
> > > In Windows XP only the display manager crashes ,
> > > whereas on a Windows 2000
> > > server the BSOD(Blue screen of death )appears and
> > > the system hangs.
> > > I am using Firefox 1.0.6. I think that the bug is in
> > > the display driver and
> > > not with firefox. Kindly find a screen shot attached
> > > with this email.
> > >
> > > Thanks
> > > Sumit
> > >
> > >
> > > --
> > >
> > > Sumit Siddharth
> > > Information Security Analyst
> > > NII Consulting
> > > Web: www.nii.co.in
> > > ------------------------------------
> > > NII Security Advisories
> > > http://www.nii.co.in/resources/advisories.html
> > > ------------------------------------
> > > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia -
> > http://secunia.com/
> >
> >
> >
> >
> > __________________________________________
> > Yahoo! DSL – Something to write home about.
> > Just $16.99/mo. or less.
> > dsl.yahoo.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.9/217 - Release Date: 12/30/2005
 
  

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.11/219 - Release Date: 1/2/2006
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/