Full Disclosure mailing list archives
Re: Windows .ANI LoadAniIcon Stack Overflow
From: "Brooks, Shane" <SBrooks () orangelake com>
Date: Tue, 10 Apr 2007 10:21:02 -0400
Do you have a working exploit for this vuln? The SecFocus page says none is publicly available. S -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Michal Majchrowicz Sent: Tuesday, April 10, 2007 5:02 AM To: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow Hi. One thing to add about IE protected mode and all that stuff: We get shell (in ie protected mode) using ani vulnerability. Go to the IE temporary directory. It must have write access there :) Then we use this: http://www.securityfocus.com/bid/23278 And we have SYSTEM access :) Regards. On 4/8/07, wac <waldoalvarez00 () gmail com> wrote:
Hello: Firefox 2.0.0.3 (at least in windows) *seems to be vulnerable*. I don't remember exactly what it did but it behaved in a strange way I believe some file handle was left open and had to kill it the hard way. I don't know what they say in the docs but if it ends up calling the user32 function and that's all it takes to trigger the bug. I was taking a peek at it's import tables and It imports from User32 the function LoadCursorA maybe that could be the guilty one. anyway test here and see what happens (that link is from dev code) http://sicotik.com/ink/test.html I'm not vulnerable anymore since quite some time ;) and I don't have much time to test right now Regards Waldo On 4/8/07, Michal Majchrowicz <m.majchrowicz () gmail com> wrote:Hi. There are more and more reports about FF and ani vulnerability. There was already a presentation of working exploit. The thing starts to annoy me and since I am far away from any windows I wanted to share some of my speculations. According to docs two things are obvious: 1) Firefox doesn't support ANI cursors 2) ANI is just few cur cursors packed together and presented as ananimation.So i have three possible ways of exploiting it: 1) Since ANI files are vulnerable then maybe cur files are also vulnerable. Firefox does support CUR files. 2) If firefox doesn't support ANI files it only means it doesn't render them. It doesn't mean it will not acept them in any way:) 3) Maybe it is possible to rename foo.ani and rename it to foo.cur. Then FF will call win api with this cursor. Windows API will recognize this as ANI file and call vulnerable function . As I said before these are just speculation. I hope someone will be able to confirm or prove that some of them (or all) have no sense. Happy Easter to everyone. Regards Michal. On 4/4/07, Peter Ferrie <pferrie () symantec com> wrote:That's correct, Firefox doesn't support ANI files for cursors.Right, and it doesn't need to, because cursors are not the only way toreach the vulnerable code.Icons can do it, too. _______________________________________________ Full-Disclosure - We believe in it. Charter:http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter:http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.446 / Virus Database: 269.0.0/754 - Release Date: 4/9/2007 10:59 PM -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.446 / Virus Database: 269.0.0/754 - Release Date: 4/9/2007 10:59 PM _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Windows .ANI LoadAniIcon Stack Overflow, (continued)
- Re: Windows .ANI LoadAniIcon Stack Overflow Daniel Veditz (Apr 03)
- Re: Windows .ANI LoadAniIcon Stack Overflow Larry Seltzer (Apr 03)
- Re: Windows .ANI LoadAniIcon Stack Overflow Alexander Sotirov (Apr 03)
- Re: Windows .ANI LoadAniIcon Stack Overflow Larry Seltzer (Apr 03)
- Re: Windows .ANI LoadAniIcon Stack Overflow Alexander Sotirov (Apr 03)
- Re: Windows .ANI LoadAniIcon Stack Overflow Larry Seltzer (Apr 03)
- Re: Windows .ANI LoadAniIcon Stack Overflow Peter Ferrie (Apr 04)
- Re: Windows .ANI LoadAniIcon Stack Overflow Michal Majchrowicz (Apr 08)
- Re: Windows .ANI LoadAniIcon Stack Overflow wac (Apr 08)
- Re: Windows .ANI LoadAniIcon Stack Overflow Michal Majchrowicz (Apr 10)
- Re: Windows .ANI LoadAniIcon Stack Overflow Brooks, Shane (Apr 10)
- Re: Windows .ANI LoadAniIcon Stack Overflow Knud Erik Højgaard (Apr 10)
- Re: Windows .ANI LoadAniIcon Stack Overflow Chris Lyon (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow dev code (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow Larry Seltzer (Apr 01)
- Re: Windows .ANI LoadAniIcon Stack Overflow James Matthews (Apr 01)