Full Disclosure mailing list archives

Re: Internet Explorer Ver6.0.2800.1106 vulnerability

From: "Aaron Gray" <angray () beeb net>
Date: Tue, 30 May 2006 00:58:18 +0100

No *obvious* way to inject code. Don't rule out something like thisworking:


<script>
var exploit96 = "some long-ass string that's just printable-96 chars"
var wwidth = (window.innerWidth)?yadda yadda...

and exploit96 just happens to end up someplace interesting/useful, and
gets successfully interpreted as executable code.....

A few years ago, somebody found an interesting overflow-the-environment
bug in a lot of telnetd's.  Of course, the *tough* part was the fact
that you had to cram literally 45 megabytes or so of crap down telnetd's
throat first, to get the memory layout where you needed it for when
something overflowed a buffer......


Ah, I am enlightened.

Pritty bloody tricky thing though.

Aaron

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Internet Explorer Ver 6.0.2800.1106 vulnerability 0x80 (May 28)
- Re: Internet Explorer Ver 6.0.2800.1106 vulnerability Javor Ninov (May 29)
  - Re: Internet Explorer Ver6.0.2800.1106 vulnerability Aaron Gray (May 29)
    - Re: Internet Explorer Ver6.0.2800.1106 vulnerability Valdis . Kletnieks (May 29)
    - Re: Internet Explorer Ver6.0.2800.1106 vulnerability Aaron Gray (May 29)
    - Re: Internet Explorer Ver6.0.2800.1106 vulnerability c0redump (May 29)
    - Re: Internet Explorer Ver6.0.2800.1106 vulnerability Aaron Gray (May 30)
    - Re: Internet Explorer Ver6.0.2800.1106 vulnerability c0redump (May 31)