Re: [Full-disclosure] Internet Explorer Ver6.0.2800.1106 vulnerability
- From: Valdis.Kletnieks@xxxxxx
- Date: Mon, 29 May 2006 16:48:34 -0400
On Mon, 29 May 2006 21:30:31 BST, Aaron Gray said:
Look at the original post and you will see there is no where to inject any
code.
Aaron
<script>
var wwidth = (window.innerWidth)?window.innerWidth:
((document.all
)?document.body.offsetWidth:null);
while (wwidth)
{
self.resizeBy(-999999, -1);
}
</script>
No *obvious* way to inject code. Don't rule out something like this working:
<script>
var exploit96 = "some long-ass string that's just printable-96 chars"
var wwidth = (window.innerWidth)?yadda yadda...
and exploit96 just happens to end up someplace interesting/useful, and
gets successfully interpreted as executable code.....
A few years ago, somebody found an interesting overflow-the-environment
bug in a lot of telnetd's. Of course, the *tough* part was the fact
that you had to cram literally 45 megabytes or so of crap down telnetd's
throat first, to get the memory layout where you needed it for when
something overflowed a buffer......
Attachment:
pgpMkQi45tOBM.pgp
Description: PGP signature
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Follow-Ups:
- References:
- Prev by Date: Re: [Full-disclosure] Internet Explorer Ver6.0.2800.1106 vulnerability
- Next by Date: Re: [Full-disclosure] Internet Explorer Ver6.0.2800.1106 vulnerability
- Previous by thread: Re: [Full-disclosure] Internet Explorer Ver6.0.2800.1106 vulnerability
- Next by thread: Re: [Full-disclosure] Internet Explorer Ver6.0.2800.1106 vulnerability
- Index(es):
