Full Disclosure mailing list archives
Re: Internet Explorer Ver6.0.2800.1106 vulnerability
From: "Aaron Gray" <angray () beeb net>
Date: Tue, 30 May 2006 00:58:18 +0100
No *obvious* way to inject code. Don't rule out something like this working:<script> var exploit96 = "some long-ass string that's just printable-96 chars" var wwidth = (window.innerWidth)?yadda yadda... and exploit96 just happens to end up someplace interesting/useful, and gets successfully interpreted as executable code..... A few years ago, somebody found an interesting overflow-the-environment bug in a lot of telnetd's. Of course, the *tough* part was the fact that you had to cram literally 45 megabytes or so of crap down telnetd's throat first, to get the memory layout where you needed it for when something overflowed a buffer......
Ah, I am enlightened. Pritty bloody tricky thing though. Aaron _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Internet Explorer Ver 6.0.2800.1106 vulnerability 0x80 (May 28)
- Re: Internet Explorer Ver 6.0.2800.1106 vulnerability Javor Ninov (May 29)
- Re: Internet Explorer Ver6.0.2800.1106 vulnerability Aaron Gray (May 29)
- Re: Internet Explorer Ver6.0.2800.1106 vulnerability Valdis . Kletnieks (May 29)
- Re: Internet Explorer Ver6.0.2800.1106 vulnerability Aaron Gray (May 29)
- Re: Internet Explorer Ver6.0.2800.1106 vulnerability c0redump (May 29)
- Re: Internet Explorer Ver6.0.2800.1106 vulnerability Aaron Gray (May 30)
- Re: Internet Explorer Ver6.0.2800.1106 vulnerability c0redump (May 31)
- Re: Internet Explorer Ver6.0.2800.1106 vulnerability Aaron Gray (May 29)
- Re: Internet Explorer Ver 6.0.2800.1106 vulnerability Javor Ninov (May 29)