[Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
To: firstname.lastname@example.org Date: Sat, 14 Feb 2004 22:08:59 -0800
I downloaded the Microsoft source code. Easy enough. It's a lot
bigger than Linux, but there were a lot of people mirroring it and so
it didn't take long.
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:
// Before we read the bits, seek to the correct location in the file
while (_bmfh.bfOffBits > (unsigned)cbRead)
cbSkip = _bmfh.bfOffBits - cbRead;
if (cbSkip > 1024)
cbSkip = 1024;
if (!Read(abDummy, cbSkip))
cbRead += cbSkip;
.. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an
offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
and we're in. cbSkip goes negative and the Read call clobbers the
stack with our data.
See attached for proof of concept. index.html has [img src=1.bmp]
where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
Bring it up in IE5 (tested successfully on Win98) and get
IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
worm will have to wait a bit...
PROPS TO the Fort and HAVE IT BE YOU.
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
Promote security and make money with the Hushmail Affiliate Program:
Full-Disclosure - We believe in it.
- text/html attachment: index.html
- application/octet-stream attachment: 1.bmp