Re: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))

From: Berend-Jan Wever (skylined_at_edup.tudelft.nl)
Date: 11/08/04

  • Next message: ned: "[Full-Disclosure] upnphost null pointer fun"
    To: <full-disclosure@lists.netsys.com>
    Date: Mon, 8 Nov 2004 02:14:31 +0100
    
    

    Hmmm... MSDN DHTML Reference mentions 6 different flavors of the NAME property:
    1) For a lot of tags like A, APPLET, IMG, INPUT, etc... this includes EMBED
    2) FRAME, FRAMESET, IFRAME
    3) META
    4) namespace
    5) PARAM
    6) window

    I figured all the tags mentioned under 2 were affected and the rest wasn't. Now I hear <EMBED> is also working ? Somebody might wanna go through each and every tag to see which are affected and which aren't.

    SHDOCVW.DLL version 6.0.2800.1400 and 6.0.2800.1584 are known to be vulnerable.
    SHDOCVW.DLL version 6.00.2900.2518 seems to be immune to the BoF (ships with XP PRO SP2).

    The immune version got me wondering if they knew about the bug ? If not, did they expect the code could be buggy and just rewrote it to be sure it was safe for SP2 ? Or was there just a code rewrite or another reason why the bug got silently fixed...? I hope they fixed it by accident, seeing what the other option would imply.

    Cheers,
    SkyLined

    ----- Original Message -----
    From: "Menashe Eliezer" <menashe@finjan.com>
    To: "Berend-Jan Wever" <skylined@edup.tudelft.nl>; <full-disclosure@lists.netsys.com>
    Sent: Sunday, November 07, 2004 23:21
    Subject: RE: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))

    > The published exploit is working also with the <EMBED> tag, and not just
    > with the <IFRAME> and the <FRAME> tags.
    > Finjan's advisory can be found at:
    > http://www.finjan.com/SecurityLab/AttackandExploitReports/alert_show.asp
    > ?attack_release_id=114
    >
    > ==
    > Regards,
    > Menashe Eliezer
    > Senior application security architect
    > Malicious Code Research Center
    > Finjan Software
    > http://www.finjan.com/mcrc
    >
    > Prevention is the best cure!
    >
    >
    >
    > -----Original Message-----
    > From: morning_wood [mailto:se_cur_ity@hotmail.com]
    > Sent: Tuesday, November 02, 2004 3:44 PM
    > To: Berend-Jan Wever; full-disclosure@lists.netsys.com;
    > bugtraq@securityfocus.com
    > Subject: Re: [Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME
    > property bufferoverflow PoC exploit (was: python does mangleme (with IE
    > bugs!))
    >
    > bindshell success ( html run from local ) connect from remote success...
    > this is NASTY
    > if shellcode modified this will do reverse or exe drop i assume....
    >
    > good work,
    >
    > Donnie Werner
    >
    >
    > -----------------------------------------------
    > This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: ned: "[Full-Disclosure] upnphost null pointer fun"