[Full-Disclosure] RE: Internet explorer 6 on windows XP allows execution of arbitrary code ( and opera and Mozilla too)

From: Drew Copley (dcopley_at_eeye.com)
Date: 09/12/03

    To: <full-disclosure@lists.netsys.com>
    Date: Fri, 12 Sep 2003 14:53:29 -0700
    
    

    > -----Original Message-----
    > From: jelmer jkuperus@planet.nl
    > Sent: Fri, 12 Sep 2003 14:20:59 +0200
    > Subject: Internet explorer 6 on windows XP allows exection of
    > arbitrary code ( and opera and Mozilla too)
    >
    >
    >
    > --------------------------------------------------------------
    > --------------
    > ----
    >
    > serious ? these if I understand correctly merely crash your
    > browser nothing particularly serious about that.
    >
    > Granted no browser will be without flaws so there is
    > probably heaps of stuff to be found in mozilla as well, but
    > remote code execution?? I don't believe there has been a
    > single flaw in netscape or mozilla that allowed you to
    > execute code simply by putting together some javascript (you
    > can correct me on this) even when it was the dominant browser
    > and legendary guys like george guninski roamed the streets.
    > Sure it will probably have stuff like overflows, nearly
    > everything does
    >
    > but particularly ActiveX is just utterly insane and makes you
    > want to bang your head against a brick wall screaming what
    > the hell were they thinking

    Actually, through Mozilla's history there have been quite a number of such
    bugs.

    Mozilla does tend to be more strict than Internet Explorer, in terms of
    applying security "best practice" rules in their implementation of various
    browser related RFCs -- but to assume that they are better because there are
    not as many bugs found in them is folly.

    The problem is that Mozilla has such a small part of the market. Internet
    Explorer is 94% of the browsing market. Finding bugs in it may garner one
    1000 dollars still... And there have been many such takers -- but comparing
    that to the attention one gets from tackling 94% of the browsing market is
    really difficult to do.

    My personal stance has always been to never cast blame at software vendors.
    Having worked as QA Lead and created quite a number of applications myself,
    I would be a hypocrite to blame software vendors. I realize some coders do
    have far fewer mistakes than others, but this does not make them good
    coders. Who cares about crappy applications that have fewer bugs? They are
    poor applications designed to be used by no one. They have no bugs but they
    also have no functionality.

    Do not think that I am therefore saying vendors should have no
    liability. They should have liability. They must improve. They have the
    capability to improve.

    But, a reality remains: applications like Internet Explorer will be looked
    at by a massive amount of researchers. This is beyond the three QA per
    developer Microsoft has... And their large teams of code auditors.

    Open source will have even better code auditing -- sometimes. But, not
    always! I have worked in the open source industry. Not many can make such a
    claim. Some applications like Apache - and actually Mozilla - get really
    good code auditing... But most open source applications get little or none.

    ...

    As far as DoS browser issues... I have always disliked these. Usually, they
    are what they say -- just crashes. If you can make a system reboot, that is
    more interesting... A fun gag. I have reams of these I have never reported.
    They are not worth it. One should have standards. But, maybe someday I will
    find them to be exploitable. Most of these are plain "null pointers" and
    never will be exploitable.

    Lastly, I like activex. I admit it. I like shockwave. I like shockwave
    games. I like what shockwave can promise to offer. I like what activex can
    promise to offer. I even like java. Hey, I am from the p2p world, partly,
    and am excited still by the possibilities. This is where it is most likely
    headed.

    For me to say, "Bah humbug!" to such things as activex would be nostalgic.
    If I want to be nostalgic, I would still be working on my TI-99/4a. I would
    not be playing video games still, saying, "Bah! Asteroids was the end-all of
    video games!"... I would be writing database applications instead of doing
    security research.

    Hrrm. I wonder if I could write a browser for a TI emulator... Think of it.
    BBS-- BUT BEYOND! LOL! Phone Coupler... Tape cassette... LOL...

    >
    >
    > ----- Original Message -----
    > From: "meme-boi" <meme-boi@nothotmail.org>
    > To: <full-disclosure@lists.netsys.com>
    > Sent: Friday, September 12, 2003 2:33 AM
    > Subject: [Full-Disclosure] RE:Internet explorer 6 on windows
    > XP allows exection of arbitrary code ( and opera and Mozilla too)
    >
    >
    > > >WORKAROUND :
    > >
    > > > Disable active scripting or do "the sensible thing" and
    > > > pick another
    > > > browser such as the excellent mozilla firebird.
    > >
    > > Mozilla ...
    > >
    > > <script language="Javascript">
    > > t = new Packages.sun.plugin.javascript.navig5.JSObject(1,1);
    > > </script>
    > >
    > >
    > >
    > > hmmm
    > >
    > > or
    > >
    > > http://drorshalev.brinkster.net/dev/memeboi/werd.html
    > >
    > > Both serious issues mozilla has yet to fix.
    > >
    > >
    > > Or we can look at Opera and conclude that no graphical browser is
    > > safe:
    > >
    > >
    > > /usr/bin/opera: line 138: 1289 Segmentation fault
    > > "${BINARYDIR}/opera" "${@}" "${BINARYDIR}/opera" "${@}"
    > > (gdb) /opt/opera/lib/opera/plugins/operamotifwrapper: error
    > while loading
    > > shared libraries: libXm.so.2: cannot open shared object
    > file: No such file
    > > or directory
    > > (gdb) backtrace
    > > #0 0x21ad4397 in waitpid () from /lib/libc.so.6
    > > #1 0x080777f6 in kill_pid ()
    > > #2 0x080767a3 in wait_for ()
    > > #3 0x080687c6 in execute_command_internal ()
    > > #4 0x0806c0a7 in execute_command ()
    > > #5 0x0805d48c in reader_loop () <---murder loop
    > > #6 0x0805b8a0 in main ()
    > > #7 0x21a407a6 in __libc_start_main () from /lib/libc.so.6
    > <--redrum lib
    > > (gdb) info reg
    > > eax 0xfffffe00 -512
    > > ecx 0x5da26398 1570923416
    > > edx 0x0 0
    > > ebx 0xffffffff -1
    > > esp 0x5da2635c 0x5da2635c
    > > ebp 0x5da26378 0x5da26378
    > > esi 0x0 0
    > > edi 0xffffffff -1
    > > eip 0x21ad4397 0x21ad4397
    > > eflags 0x246 582
    > > cs 0x23 35
    > > ss 0x2b 43
    > > ds 0x2b 43
    > > es 0x2b 43
    > > fs 0x0 0
    > > gs 0x0 0
    > > fctrl 0x37f 895
    > > fstat 0x0 0
    > > ftag 0xffff 65535
    > > fiseg 0x0 0
    > > fioff 0x0 0
    > > foseg 0x0 0
    > > fooff 0x0 0
    > > fop 0x0 0
    > > mxcsr 0x0 0
    > > orig_eax 0x72 114
    > >
    > > (gdb) disass $eip-0x20 $eip+0x20
    > > Dump of assembler code from 0x21ad4377 to 0x21ad43b7:
    > > 0x21ad4377 <waitpid+23>: mov $0x7,%dh
    > > 0x21ad4379 <waitpid+25>: add %cl,0x2b88b3(%ebx)
    > > 0x21ad437f <waitpid+31>: add %cl,0xf685087d(%ebx)
    > > 0x21ad4385 <waitpid+37>: jne 0x21ad43be <waitpid+94>
    > > 0x21ad4387 <waitpid+39>: mov 0xc(%ebp),%ecx
    > > 0x21ad438a <waitpid+42>: mov 0x10(%ebp),%edx
    > > 0x21ad438d <waitpid+45>: push %ebx
    > > 0x21ad438e <waitpid+46>: mov %edi,%ebx
    > > 0x21ad4390 <waitpid+48>: mov $0x72,%eax
    > > 0x21ad4395 <waitpid+53>: int $0x80
    > > 0x21ad4397 <waitpid+55>: pop %ebx
    > > 0x21ad4398 <waitpid+56>: cmp $0xfffff000,%eax
    > > 0x21ad439d <waitpid+61>: mov %eax,%esi
    > > 0x21ad439f <waitpid+63>: ja 0x21ad43ae <waitpid+78>
    > > 0x21ad43a1 <waitpid+65>: mov %esi,%eax
    > > 0x21ad43a3 <waitpid+67>: mov 0xfffffff4(%ebp),%ebx
    > > 0x21ad43a6 <waitpid+70>: mov 0xfffffff8(%ebp),%esi
    > > 0x21ad43a9 <waitpid+73>: mov 0xfffffffc(%ebp),%edi
    > > 0x21ad43ac <waitpid+76>: leave
    > > 0x21ad43ad <waitpid+77>: ret
    > > 0x21ad43ae <waitpid+78>: neg %esi
    > > 0x21ad43b0 <waitpid+80>: call 0x21a40980 <__errno_location>
    > > 0x21ad43b5 <waitpid+85>: mov %esi,(%eax)
    > >
    > >
    > > Time to revert to command line !
    > >
    > > I speak about this on the mighty bugtraq but no one listen. not even
    > > friend 9or. Anyways. I have to go clean the floor at walmart.
    > >
    > > ninjas are bad
    > >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
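The crash dump quoted in the message above is worth triaging before it is counted as a browser bug. The Python below is an added example, not code from the thread: it parses that backtrace and register dump (reconstructed from the quoted lines) and reports whether eip sits near null (the "plain null pointer" class the reply mentions), whether the top frame is a libc syscall wrapper that was merely interrupted, and whether the stack belongs to bash; `BASH_FUNCS` is my own list of bash job-control functions (reader_loop, execute_command_internal, wait_for, kill_pid), which, when present, means gdb was attached to the `/usr/bin/opera` wrapper script's shell rather than to the opera binary.

```python
import re

# gdb output constructed from the quoted message (same frames and registers as posted)
BACKTRACE = """\
#0 0x21ad4397 in waitpid () from /lib/libc.so.6
#1 0x080777f6 in kill_pid ()
#2 0x080767a3 in wait_for ()
#3 0x080687c6 in execute_command_internal ()
#4 0x0806c0a7 in execute_command ()
#5 0x0805d48c in reader_loop ()
#6 0x0805b8a0 in main ()
#7 0x21a407a6 in __libc_start_main () from /lib/libc.so.6
"""
REGISTERS = "eax 0xfffffe00 -512\neip 0x21ad4397 0x21ad4397\norig_eax 0x72 114\n"

FRAME_RE = re.compile(r"#(\d+)\s+0x([0-9a-f]+) in (\S+) \(\)(?: from (\S+))?")
REG_RE = re.compile(r"(\w+)\s+0x([0-9a-f]+)")
# job-control functions from bash's own source (assumed list); seeing them means the debuggee is a shell
BASH_FUNCS = {"reader_loop", "execute_command", "execute_command_internal", "wait_for", "kill_pid"}

def parse_frames(text):
    """Return [(frame_no, address, function, library_or_None)] from 'backtrace' lines."""
    found = (FRAME_RE.match(l.strip()) for l in text.splitlines())
    return [(int(m[1]), int(m[2], 16), m[3], m[4]) for m in found if m]

def parse_regs(text):
    """Return {name: unsigned value} from 'info reg' lines."""
    found = (REG_RE.match(l.strip()) for l in text.splitlines())
    return {m[1]: int(m[2], 16) for m in found if m}

def signed32(v):
    return v - (1 << 32) if v & 0x80000000 else v

def triage(bt_text, reg_text):
    frames, regs = parse_frames(bt_text), parse_regs(reg_text)
    funcs = [f[2] for f in frames]
    eax = signed32(regs["eax"])
    return {
        "top_func": funcs[0],
        # eip below the first page: a jump through a null pointer, the "plain
        # null pointer" crash class the reply above regards as unexploitable
        "eip_near_null": regs["eip"] < 0x1000,
        # libc syscall wrapper on top with negative eax (-512 = -ERESTARTSYS):
        # the parent was interrupted by a signal inside wait4, it did not fault
        "parent_in_syscall": (frames[0][3] or "").endswith("libc.so.6") and eax < 0,
        # bash frames on the stack: gdb is attached to the wrapper script's
        # shell, so this dump says nothing about where opera itself crashed
        "debuggee_is_bash": bool(BASH_FUNCS & set(funcs)),
    }
```

The `mov $0x72,%eax; int $0x80` in the quoted disassembly is the wait4 system call (114 on i386), which is why eax holds a syscall return value rather than anything related to a fault.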

