Full Disclosure mailing list archives
RE: Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too)
From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 12 Sep 2003 14:53:29 -0700
-----Original Message----- From: jelmer jkuperus () planet nl Sent: Fri, 12 Sep 2003 14:20:59 +0200 Subject: Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too) -------------------------------------------------------------- -------------- ---- serious ? these if I understand correctly merely crash your browser nothing perticularly serious about that. Granted no browser will be without flaws so there is probably heaps of stuff to be found in mozilla aswell, but remote code execution?? I dont believe there has been a single flaw in netscape or mozilla that allowed you to execute code simply by putting together some javascript (you can correct me on this) even when it was the dominant browser and legendary guys like george guninski roamed the streets. Sure it will probably have stuff like overflows, nearly everything does but particularly ActiveX is just utterly insane and makes you want to bang your head against a brick wall screaming what the hell where they thinking
Actually, through Mozilla's history there have been quite a number of such bugs. Mozilla does tend to be more strict than Internet Explorer, in terms of applying security "best practice" rules in their implementation of various browser related RFCs -- but to assume that they are better because there are not as many bugs found in them is folly. The problem is that Mozilla has such a small part of the market. Internet Explorer is 94% of the browsing market. Finding bugs in it may garner one 1000 dollars still... And there have been many such takers -- but comparing that to the attention one gets from tackling 94% of the browsing market is really difficult to do. My personal stance has always been to never cast blame at software vendors. Having worked as QA Lead and created quite a number of applications myself, I would be a hypocrite to blame software vendors. I realize some coders do have far fewer mistakes than others, but this does not make them good coders. Who cares about crappy applications that have less bugs? They are poor applications designed to be used by no one. They have no bugs but they also have no functionality. Do not think that I am therefore saying vendors should therefore have no liability. They should have liability. They must improve. They have the capability to improve. But, a reality remains: applications like Internet Explorer will be looked at by a massive amount of researchers. This is beyond the three QA per developer Microsoft has... And their large teams of code auditors. Opensource will have even better code auditing -- sometimes. But, not always! I have worked in the opensource industry. Not many can make such a claim. Some applications like Apache - and actually Mozilla - get really good code auditing... But most opensource applications get little or none. ... As far as DoS browser issues... I have always disliked these. Usually, they are what they say -- just crashes. If you can make a system reboot, that is more interesting... A fun gag. I have reams of these I have never reported. They are not worth it. One should have standards. But, maybe someday I will find them to be exploitable. Most of these are plain "null pointers" and never will be exploitable. Lastly, I like activex. I admit it. I like shockwave. I like shockwave games. I like what shockwave can promise to offer. I like what activex can promise to offer. I even like java. Hey, I am from the p2p world, partly, and am excited still by the possibilities. This is where it is most likely headed. For me to say, "Bah humbug!" to such things as activex would be nostalgic. If I want to be nostalgic, I would still be working on my TI-99/4a. I would not be playing video games still, saying, "Bah! Asteroids was the end all of video games!"... I would be writing database applications instead of doing security research. Hrrm. I wonder if I could write a browser for a TI emulator... Think of it. BBS-- BUT BEYOND! LOL! Phone Coupler... Tape cassette... LOL...
----- Original Message ----- From: "meme-boi" <meme-boi () nothotmail org> To: <full-disclosure () lists netsys com> Sent: Friday, September 12, 2003 2:33 AM Subject: [Full-disclosure] RE:Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too)WORKAROUND :Disable active scripting or do "the sensible thing" andpick anotherbrowser such as the>excellent mozilla firebird.Mozilla ... <script language="Javascript"> t = new Packages.sun.plugin.javascript.navig5.JSObject(1,1); </script> hmmm or http://drorshalev.brinkster.net/dev/memeboi/werd.html Both serious issues mozilla has yet to fix. Or we can look at Opera and conclude that no graphical browser is safe: /usr/bin/opera: line 138: 1289 Segmentation fault "${BINARYDIR}/opera" "${@}" "${BINARYDIR}/opera" "${@}" (gdb) /opt/opera/lib/opera/plugins/operamotifwrapper: errorwhile loadingshared libraries: libXm.so.2: cannot open shared objectfile: No such fileor directory (gdb) backtrace #0 0x21ad4397 in waitpid () from /lib/libc.so.6 #1 0x080777f6 in kill_pid () #2 0x080767a3 in wait_for () #3 0x080687c6 in execute_command_internal () #4 0x0806c0a7 in execute_command () #5 0x0805d48c in reader_loop () <---murder loop #6 0x0805b8a0 in main () #7 0x21a407a6 in __libc_start_main () from /lib/libc.so.6<--redrum lib(gdb) info reg eax 0xfffffe00 -512 ecx 0x5da26398 1570923416 edx 0x0 0 ebx 0xffffffff -1 esp 0x5da2635c 0x5da2635c ebp 0x5da26378 0x5da26378 esi 0x0 0 edi 0xffffffff -1 eip 0x21ad4397 0x21ad4397 eflags 0x246 582 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x0 0 fctrl 0x37f 895 fstat 0x0 0 ftag 0xffff 65535 fiseg 0x0 0 fioff 0x0 0 foseg 0x0 0 fooff 0x0 0 fop 0x0 0 mxcsr 0x0 0 orig_eax 0x72 114 (gdb) disass $eip-0x20 $eip+0x20 Dump of assembler code from 0x21ad4377 to 0x21ad43b7: 0x21ad4377 <waitpid+23>: mov $0x7,%dh 0x21ad4379 <waitpid+25>: add %cl,0x2b88b3(%ebx) 0x21ad437f <waitpid+31>: add %cl,0xf685087d(%ebx) 0x21ad4385 <waitpid+37>: jne 0x21ad43be <waitpid+94> 0x21ad4387 <waitpid+39>: mov 0xc(%ebp),%ecx 0x21ad438a <waitpid+42>: mov 0x10(%ebp),%edx 0x21ad438d <waitpid+45>: push %ebx 0x21ad438e <waitpid+46>: mov %edi,%ebx 0x21ad4390 <waitpid+48>: mov $0x72,%eax 0x21ad4395 <waitpid+53>: int $0x80 0x21ad4397 <waitpid+55>: pop %ebx 0x21ad4398 <waitpid+56>: cmp $0xfffff000,%eax 0x21ad439d <waitpid+61>: mov %eax,%esi 0x21ad439f <waitpid+63>: ja 0x21ad43ae <waitpid+78> 0x21ad43a1 <waitpid+65>: mov %esi,%eax 0x21ad43a3 <waitpid+67>: mov 0xfffffff4(%ebp),%ebx 0x21ad43a6 <waitpid+70>: mov 0xfffffff8(%ebp),%esi 0x21ad43a9 <waitpid+73>: mov 0xfffffffc(%ebp),%edi 0x21ad43ac <waitpid+76>: leave 0x21ad43ad <waitpid+77>: ret 0x21ad43ae <waitpid+78>: neg %esi 0x21ad43b0 <waitpid+80>: call 0x21a40980 <__errno_location> 0x21ad43b5 <waitpid+85>: mov %esi,(%eax) Time to revert to command line ! I speak about this on the mighty bugtraq but noone listen. not even friend 9or. Anyways. I have to go clean the floor at walmart. ninjas are bad _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE:Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too) meme-boi (Sep 11)
- Re: RE:Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too) Jeremiah Cornelius (Sep 11)
- Re: RE:Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too) jelmer (Sep 12)
- <Possible follow-ups>
- RE: Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too) Drew Copley (Sep 12)
- Re: RE: Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too) M Saqib Ilyas (Sep 26)
- Re: RE: Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too) Valdis . Kletnieks (Sep 30)
- Re: RE: Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too) M Saqib Ilyas (Sep 26)