Full Disclosure mailing list archives
Re: [OSVDB Mods] Fwd: Internet Explorer Stack Exhaustion -> Flag [MSIE9] (fwd)
From: security curmudgeon <jericho () attrition org>
Date: Fri, 21 Dec 2012 04:33:03 -0600 (CST)
---------- Forwarded message ---------- From: security curmudgeon <jericho () attrition org> To: dukkha () Safe-mail net Cc: moderators () osvdb org Date: Fri, 21 Dec 2012 04:32:31 -0600 (CST) Subject: Re: [OSVDB Mods] Fwd: Internet Explorer Stack Exhaustion -> Flag [MSIE9] On Fri, 21 Dec 2012, dukkha () Safe-mail net wrote: : regarding to this vulnerability: : : http://osvdb.org/show/osvdb/88539 : : Why has this been flagged as "myth/fake"? Because your claims of code execution are wrong. : Paste the payload in a file, save it as "test.html" and run it in Internet Explorer: : : <table></for xmlns="1"> : <td><datetime><colgroup> : <id><dd><col> : </table><object> : <hr><base> : : It will cause a crash. Yes, it will cause a crash. : Use a debugger, you will see this is a stack exhaustion. Yes, stack exhaustion leads to a crash. : Also, if you have any basic knowledge, take a look at the registers (ESP : 003FDDD4 = Stack Exhaustion). There is no myth and no fake. I would like : to receive a statement why this has been flagged. If there is no reason, : please remove the message that this is a "myth/fake". Our official statement: You claimed code execution in your post. In case you forgot, let me remind and clarify: http://seclists.org/bugtraq/2012/Dec/109 "Successful exploitation may lead to arbitrary code execution." This is inaccurate. Thus, we have flagged the entry "Myth/Fake" because stack exhaustion leads to a crash, not code execution. There is a difference between a stack overflow (exhaustion) that crashes, and a stack-based buffer overflow that *may* lead to code execution. You have only proven stack exhaustion and a random crash. This is a common mistake among new "researchers". Your mail to us now about stack exhaustion is different than your initial post to Full-Disclosure. Your post to F-D was a) lacking relevant details to make sense of b) very different than your email to us. You need to figure out what details you think you found out, and stick to them. Posting apples and mailing us claiming aardvarks doesn't fly sir. You said in your F-D post, "The application is prone to a remote stack overflow vulnerability." which makes anyone immediately reading it believe it's a stack-based buffer overflow - especially since you claim it "may lead to arbitrary code execution". Your PoC does not demonstrate anything other than a straightforward crash (a stack overflow exception - 0xc00000fd). Further, you titled this "Microsoft Internet Explorer 9.x <= Remote Stack Overflow Vulnerability". I am giving you the benefit of the doubt and assuming you are claiming this in version 9.x, and not implying "less than or equal to 9.x". But just in case, did you even bother to test on multiple versions of 9.x? If so, why didn't you specify the exact version? Did you test before that and notice that MSIE 8 appears to crash, while MSIE 6 and 7 do not? I mean seriously, listing 9.x without any more details is amateur hour. I won't even get into the fact that you did not mention patches, or platform. If you feel that we are wrong, consider one of the replies to your post: http://seclists.org/bugtraq/2012/Dec/119 From: Fabio Baroni <fabiothebest () gmail com> Date: Thu, 20 Dec 2012 01:05:07 +0100 Jonathan Ness from the Microsoft Security Response Center says this IE9 POC is stack exhaustion, not a stack-based buffer overflow and Stack exhaustion is typically not exploitable for code execution. That is now two people that dispute your finding, yet you seem to think you know more than anyone while only posting the most pedestrian of advisories. While you can cry that you want to read Ness' statement, remember that you have published NOTHING other than a simple crash. You have not demonstrated anything else, and certainly not demonstrated code execution. You said to us, "Also, if you have any basic knowledge...", I would like to say that I believe OSVDB staff have more than basic knowledge. However, based on your F-D post, you don't get access to our reversing ninja. Based on the crap you posted, you only get access to me and my guinea pigs. Waffle and Tater aren't that good at reversing, but they can usually smell suspicious bullshit, as demonstrated when I try to hand feed them a vegetable in a desperate ploy to grab one for "mandatory pet time". Until you show that YOU have basic knowledge, you only get to deal with two guinea pigs and a washed up, bitter ex-penetration tester. For now, the entry remains Myth/Fake. The easiest way for you to get us to change our entry, is for you to a) demonstrate code execution or b) get the vendor to admit code execution is possible. If you can demonstrate code execution off this particular bug, I will Paypal you US$250 just for proving me wrong. Jericho p.s. Our database has 87510 entries, and only 401 are marked as Myth/Fake. Congrats, for making the very few! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [OSVDB Mods] Fwd: Internet Explorer Stack Exhaustion -> Flag [MSIE9] (fwd) security curmudgeon (Dec 21)