RE: Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too)

["Drew Copley" <dcopley () eeye com>]

> -----Original Message-----
> From: jelmer jkuperus () planet nl
> Sent: Fri, 12 Sep 2003 14:20:59 +0200 
> Subject: Internet explorer 6 on windows XP allows exection of 
> arbitrary code ( and opera and Mozilla too) 
>
>
>
> --------------------------------------------------------------
> --------------
> ----
>
> serious ? these if I understand correctly merely crash your
> browser nothing perticularly serious about that.
>
> Granted no browser will be without flaws so there is
> probably heaps of stuff to be found in mozilla aswell, but 
> remote code execution?? I dont believe there has been a 
> single flaw in netscape or mozilla that allowed you to 
> execute code simply by putting together some javascript (you 
> can correct me on this) even when it was the dominant browser 
> and legendary guys like george guninski roamed the streets. 
> Sure it will probably have stuff like overflows, nearly 
> everything does
>
> but particularly ActiveX is just utterly insane and makes you
> want to bang your head against a brick wall screaming what 
> the hell where they thinking

Actually, through Mozilla's history there have been quite a number of such
bugs. 

Mozilla does tend to be more strict than Internet Explorer, in terms of
applying security "best practice" rules in their implementation of various
browser related RFCs -- but to assume that they are better because there are
not as many bugs found in them is folly.

The problem is that Mozilla has such a small part of the market. Internet
Explorer is 94% of the browsing market. Finding bugs in it may garner one
1000 dollars still... And there have been many such takers -- but comparing
that to the attention one gets from tackling 94% of the browsing market is
really difficult to do.

My personal stance has always been to never cast blame at software vendors.
Having worked as QA Lead and created quite a number of applications myself,
I would be a hypocrite to blame software vendors. I realize some coders do
have far fewer mistakes than others, but this does not make them good
coders. Who cares about crappy applications that have less bugs? They are
poor applications designed to be used by no one. They have no bugs but they
also have no functionality.

Do not think that I am therefore saying vendors should therefore have no
liability. They should have liability. They must improve. They have the
capability to improve. 

But, a reality remains: applications like Internet Explorer will be looked
at by a massive amount of researchers. This is beyond the three QA per
developer Microsoft has... And their large teams of code auditors.

Opensource will have even better code auditing -- sometimes. But, not
always! I have worked in the opensource industry. Not many can make such a
claim. Some applications like Apache - and actually Mozilla - get really
good code auditing... But most opensource applications get little or none.

...

As far as DoS browser issues... I have always disliked these. Usually, they
are what they say -- just crashes. If you can make a system reboot, that is
more interesting... A fun gag. I have reams of these I have never reported.
They are not worth it. One should have standards. But, maybe someday I will
find them to be exploitable. Most of these are plain "null pointers" and
never will be exploitable.

Lastly, I like activex. I admit it. I like shockwave. I like shockwave
games. I like what shockwave can promise to offer. I like what activex can
promise to offer. I even like java. Hey, I am from the p2p world, partly,
and am excited still by the possibilities. This is where it is most likely
headed. 

For me to say, "Bah humbug!" to such things as activex would be nostalgic.
If I want to be nostalgic, I would still be working on my TI-99/4a. I would
not be playing video games still, saying, "Bah! Asteroids was the end all of
video games!"... I would be writing database applications instead of doing
security research.

Hrrm. I wonder if I could write a browser for a TI emulator... Think of it.
BBS-- BUT BEYOND! LOL! Phone Coupler... Tape cassette... LOL...


> ----- Original Message -----
> From: "meme-boi" <meme-boi () nothotmail org>
> To: <full-disclosure () lists netsys com>
> Sent: Friday, September 12, 2003 2:33 AM
> Subject: [Full-disclosure] RE:Internet explorer 6 on windows 
> XP allows exection of arbitrary code ( and opera and Mozilla too)
>
>
> > > WORKAROUND :
> >
> > > Disable active scripting or do "the sensible thing" and
> pick another
> > > > browser such as the>excellent mozilla firebird.
> >
> > Mozilla ...
> >
> > <script language="Javascript">
> > t = new Packages.sun.plugin.javascript.navig5.JSObject(1,1);
> > </script>
> >
> >
> >
> > hmmm
> >
> > or
> >
> > http://drorshalev.brinkster.net/dev/memeboi/werd.html
> >
> > Both serious issues mozilla has yet to fix.
> >
> >
> > Or we can look at Opera and conclude that no graphical browser is
> > safe:
> >
> >
> > /usr/bin/opera: line 138:  1289 Segmentation fault
> > "${BINARYDIR}/opera" "${@}" "${BINARYDIR}/opera" "${@}"
> > (gdb) /opt/opera/lib/opera/plugins/operamotifwrapper: error 
> while loading
> > shared libraries: libXm.so.2: cannot open shared object
> file: No such file
> > or directory
> > (gdb) backtrace
> > #0  0x21ad4397 in waitpid () from /lib/libc.so.6
> > #1  0x080777f6 in kill_pid ()
> > #2  0x080767a3 in wait_for ()
> > #3  0x080687c6 in execute_command_internal ()
> > #4  0x0806c0a7 in execute_command ()
> > #5  0x0805d48c in reader_loop ()   <---murder loop
> > #6  0x0805b8a0 in main ()
> > #7  0x21a407a6 in __libc_start_main () from /lib/libc.so.6
> <--redrum lib
> > (gdb) info reg
> > eax            0xfffffe00       -512
> > ecx            0x5da26398       1570923416
> > edx            0x0      0
> > ebx            0xffffffff       -1
> > esp            0x5da2635c       0x5da2635c
> > ebp            0x5da26378       0x5da26378
> > esi            0x0      0
> > edi            0xffffffff       -1
> > eip            0x21ad4397       0x21ad4397
> > eflags         0x246    582
> > cs             0x23     35
> > ss             0x2b     43
> > ds             0x2b     43
> > es             0x2b     43
> > fs             0x0      0
> > gs             0x0      0
> > fctrl          0x37f    895
> > fstat          0x0      0
> > ftag           0xffff   65535
> > fiseg          0x0      0
> > fioff          0x0      0
> > foseg          0x0      0
> > fooff          0x0      0
> > fop            0x0      0
> > mxcsr          0x0      0
> > orig_eax       0x72     114
> >
> > (gdb) disass $eip-0x20 $eip+0x20
> > Dump of assembler code from 0x21ad4377 to 0x21ad43b7:
> > 0x21ad4377 <waitpid+23>:        mov    $0x7,%dh
> > 0x21ad4379 <waitpid+25>:        add    %cl,0x2b88b3(%ebx)
> > 0x21ad437f <waitpid+31>:        add    %cl,0xf685087d(%ebx)
> > 0x21ad4385 <waitpid+37>:        jne    0x21ad43be <waitpid+94>
> > 0x21ad4387 <waitpid+39>:        mov    0xc(%ebp),%ecx
> > 0x21ad438a <waitpid+42>:        mov    0x10(%ebp),%edx
> > 0x21ad438d <waitpid+45>:        push   %ebx
> > 0x21ad438e <waitpid+46>:        mov    %edi,%ebx
> > 0x21ad4390 <waitpid+48>:        mov    $0x72,%eax
> > 0x21ad4395 <waitpid+53>:        int    $0x80
> > 0x21ad4397 <waitpid+55>:        pop    %ebx
> > 0x21ad4398 <waitpid+56>:        cmp    $0xfffff000,%eax
> > 0x21ad439d <waitpid+61>:        mov    %eax,%esi
> > 0x21ad439f <waitpid+63>:        ja     0x21ad43ae <waitpid+78>
> > 0x21ad43a1 <waitpid+65>:        mov    %esi,%eax
> > 0x21ad43a3 <waitpid+67>:        mov    0xfffffff4(%ebp),%ebx
> > 0x21ad43a6 <waitpid+70>:        mov    0xfffffff8(%ebp),%esi
> > 0x21ad43a9 <waitpid+73>:        mov    0xfffffffc(%ebp),%edi
> > 0x21ad43ac <waitpid+76>:        leave
> > 0x21ad43ad <waitpid+77>:        ret
> > 0x21ad43ae <waitpid+78>:        neg    %esi
> > 0x21ad43b0 <waitpid+80>:        call   0x21a40980 <__errno_location>
> > 0x21ad43b5 <waitpid+85>:        mov    %esi,(%eax)
> >
> >
> > Time to revert to command line !
> >
> > I speak about this on the mighty bugtraq but noone listen. not even
> > friend 9or. Anyways. I have to go clean the floor at walmart.
> >
> > ninjas are bad
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html