Full Disclosure mailing list archives
Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: patryn <patryn () schimmetje com>
Date: Mon, 08 Nov 2004 09:00:03 +0100
Berend-Jan Wever wrote:
> I hope they fixed it by accident, seeing what the other option would imply.

Certainly puts all that jive they've been spewing to the press in a different perspective.

Microsoft has begun to investigate the Iframe vulnerability and has not been made aware of any program designed to exploit the flaw. (You'd think they'd monitor the lists - p)

"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs"

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk"

http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html

But then again, who doesn't like to bash Redmond? I'm curious what the "investigation" is turning up though.

patryn

Berend-Jan Wever wrote:
> Hmmm... MSDN DHTML Reference mentions 6 different flavors of the NAME property:
> 1) For a lot of tags like A, APPLET, IMG, INPUT, etc... this includes EMBED
> 2) FRAME, FRAMESET, IFRAME
> 3) META
> 4) namespace
> 5) PARAM
> 6) window
>
> I figured all the tags mentioned under 2 were affected and the rest wasn't. Now I hear <EMBED> is also working? Somebody might wanna go through each and every tag to see which are affected and which aren't.
>
> SHDOCVW.DLL version 6.0.2800.1400 and 6.0.2800.1584 are known to be vulnerable.
> SHDOCVW.DLL version 6.00.2900.2518 seems to be immune to the BoF (ships with XP PRO SP2).
>
> The immune version got me wondering if they knew about the bug? If not, did they expect the code could be buggy and just rewrote it to be sure it was safe for SP2? Or was there just a code rewrite or another reason why the bug got silently fixed...? I hope they fixed it by accident, seeing what the other option would imply.
>
> Cheers,
> SkyLined
>
> ----- Original Message -----
> From: "Menashe Eliezer" <menashe () finjan com>
> To: "Berend-Jan Wever" <skylined () edup tudelft nl>; <full-disclosure () lists netsys com>
> Sent: Sunday, November 07, 2004 23:21
> Subject: RE: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
>
>> The published exploit is working also with the <EMBED> tag, and not just with the <IFRAME> and the <FRAME> tags.
>> Finjan's advisory can be found at:
>> http://www.finjan.com/SecurityLab/AttackandExploitReports/alert_show.asp?attack_release_id=114
>>
>> ==
>> Regards,
>> Menashe Eliezer
>> Senior application security architect
>> Malicious Code Research Center
>> Finjan Software
>> http://www.finjan.com/mcrc
>>
>> Prevention is the best cure!
>>
>> -----Original Message-----
>> From: morning_wood [mailto:se_cur_ity () hotmail com]
>> Sent: Tuesday, November 02, 2004 3:44 PM
>> To: Berend-Jan Wever; full-disclosure () lists netsys com; bugtraq () securityfocus com
>> Subject: Re: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
>>
>> bindshell success (html run from local), connect from remote success...
>> this is NASTY
>> if shellcode modified this will do reverse or exe drop i assume....
>>
>> good work,
>>
>> Donnie Werner
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
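An added detection example, not code from the thread or from any of its posters: a content filter that flags HTML in which the tags the thread reports as affected, <IFRAME>, <FRAME> and <EMBED>, carry a NAME attribute far longer than any legitimate frame name. The 256-character cut-off and the sample documents are assumptions constructed for the example.

```python
"""Flag HTML whose FRAME/IFRAME/EMBED tags carry an oversized NAME attribute.

Added example (not from the thread): the posts report the IE overflow being
triggered through the NAME property of <IFRAME>, <FRAME> and, per Finjan,
<EMBED>. A gateway filter or IDS rule can flag documents where those tags
carry a NAME far longer than any real frame name. The length threshold below
is an assumption, not a value from the thread.
"""
from html.parser import HTMLParser

# Tags the thread reports as affected (IFRAME, FRAME, plus EMBED).
AFFECTED_TAGS = {"iframe", "frame", "embed"}
# Assumed cut-off: genuine frame names are short identifiers.
MAX_NAME_LEN = 256


class OversizedNameScanner(HTMLParser):
    """Collects (tag, name_length) for affected tags whose NAME exceeds max_len."""

    def __init__(self, max_len=MAX_NAME_LEN):
        super().__init__()
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        if tag not in AFFECTED_TAGS:
            return
        for key, value in attrs:
            if key == "name" and value is not None and len(value) > self.max_len:
                self.findings.append((tag, len(value)))


def scan_html(document, max_len=MAX_NAME_LEN):
    """Return a list of (tag, name_length) hits for the given HTML text."""
    scanner = OversizedNameScanner(max_len)
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed sample documents, not material from the thread.
BENIGN = '<html><body><iframe name="content" src="a.html"></iframe></body></html>'
SUSPECT = ('<html><body><iframe src="x.html" name="' + "A" * 2000 + '"></iframe>'
           '<embed name="' + "B" * 600 + '" src="y.swf"></body></html>')

if __name__ == "__main__":
    print("benign :", scan_html(BENIGN))   # []
    print("suspect:", scan_html(SUSPECT))  # [('iframe', 2000), ('embed', 600)]
```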