Re[2]: [Full-disclosure] Steve Gibson smokes crack?



Hello Georgi,

Saturday, January 14, 2006, 1:26:36 PM, you wrote:

> On Fri, Jan 13, 2006 at 05:55:17PM -0500, eric williams wrote:
>> however, the question is I gather flowing from the Gibson commentary,
>> how or what exactly causes WINE to execute the code pointed at by the
>> SetAbortProc record? Is it the "incorrect record length" is it some
>> other munged input, is it "by design" which has also been alluded to,
>> and seems to be your reference here.
>>

> http://www.grc.com/sn/SN-022.htm
> ----
> So what I found was that, when I deliberately lied about the size of this
> record and set the size to one and no other value, and I gave this particular
> byte sequence that makes no sense for a metafile, then Windows created a
> thread and jumped into my code, began executing my code.

> ...

> It turns out that the only way to get Windows to misbehave in this bizarre
> fashion is to set the length to one, which is an impossible value. I tried
> setting it to zero. It didn't trigger the exploit. I tried setting it to two,
> no effect. Three, no effect. Nothing, not even the correct length. Only one.

The claim about the length is not true.

http://it.slashdot.org/comments.pl?sid=173878&cid=14466008

Btw, somebody else in this thread already proved that.

> using invalid values to exploit a "design flaw" is "strange" at least.
> can someone comment if the claim about the length is true?





--
Best regards,
blad3 mailto:fd@xxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Windows permissions was Re: Its COBOL, Jim, but not as we know it...
    ... Windows is highly configurable; the fact that people ignore this and run ... One of the problems is also figuring out what security features ... Microsoft email can automatically execute an attachment. ... Here's a transcript from a Linux forum 4 years ago where at least one user ...
    (comp.lang.cobol)
  • Re: Its COBOL, Jim, but not as we know it...
    ... Windows is highly configurable; the fact that people ignore this and run ... It is _you_ that has improved the security, ... Microsoft email can automatically execute an attachment. ... Here's a transcript from a Linux forum 4 years ago where at least one user ...
    (comp.lang.cobol)
  • Re: [opensuse] Who said Linux doesnot get Virus infections
    ... you can execute a screen saver if you test it. ... They're under the general "viruses" tag. ... A Linux system being used to protect Windows ...
    (SuSE)
  • Re: ?? Windows Registry corrupted
    ... Enquire, plan and execute ... including System Restore. ... This PC was running Windows XP Pro. ... It appeared as if it would repair the operating system, ...
    (microsoft.public.windowsxp.perform_maintain)
  • Re: Trusting and testing unknown (or unfamiliar) executables
    ... Finally you mention completely bypassing the windows kernel by using ... assembler instructions at ring zero... ... > including any file deletion or modification, and any attempt to execute ... > Ring0 assembly code which bypasses the usual Windows protection traps. ...
    (alt.comp.lang.borland-delphi)