Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

From: KF (dotslash_at_snosoft.com)
Date: 02/15/04

Next message: Exibar: "[Full-Disclosure] Microsoft source code "leak""

Previous message: Lee: "Re: [Full-Disclosure] http://federalpolice.com:article872@1075686747"
In reply to: gta_at_hush.com: "[Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Next in thread: KF: "Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Reply: KF: "Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Reply: morning_wood: "Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Reply: Steve Wray: "RE: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: full-disclosure@lists.netsys.com
Date: Sun, 15 Feb 2004 12:58:35 -0500

Man ... those voices in my head... they keep screaming "DMCA"!
-KF

gta@hush.com wrote:
> I downloaded the Microsoft source code. Easy enough. It's a lot
> bigger than Linux, but there were a lot of people mirroring it and so
> it didn't take long.
>
> Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
> For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:
>
> // Before we read the bits, seek to the correct location in the file
> while (_bmfh.bfOffBits > (unsigned)cbRead)
> {
> BYTE abDummy[1024];
> int cbSkip;
>
> cbSkip = _bmfh.bfOffBits - cbRead;
>
> if (cbSkip > 1024)
> cbSkip = 1024;
>
> if (!Read(abDummy, cbSkip))
> goto Cleanup;
>
> cbRead += cbSkip;
> }
>
> .. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an
> offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
>
> and we're in. cbSkip goes negative and the Read call clobbers the
> stack with our data.
>
> See attached for proof of concept. index.html has [img src=1.bmp]
> where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
> Bring it up in IE5 (tested successfully on Win98) and get
> EIP=0x44332211.
>
> IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
> worm will have to wait a bit...
>
> .gta
> PROPS TO the Fort and HAVE IT BE YOU.
>
>
>
> ------------------------------------------------------------------------
>
>
> Hello
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Exibar: "[Full-Disclosure] Microsoft source code "leak""

Previous message: Lee: "Re: [Full-Disclosure] http://federalpolice.com:article872@1075686747"
In reply to: gta_at_hush.com: "[Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Next in thread: KF: "Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Reply: KF: "Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Reply: morning_wood: "Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Reply: Steve Wray: "RE: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]