|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
From: Feher Tamas (etomcat
freemail.hu)
Date: Wed Feb 18 2004 - 12:50:22 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello,
>Now all we have to do is create a BMP with bfOffBits > 2^31,
>and we're in. cbSkip goes negative and the Read call clobbers
>the stack with our data. See attached for proof of concept.
>
>index.html has [img src=1.bmp] where 1.bmp contains
>bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
>Brings down IE5 / OE5 (tested successfully on Win98)
Kaspersky Lab's AVP (and possibly other vendors') antivirus suites now
detect the presence of this method in files by the name "Suspicion:
Exploit.IMG-BMP".
So any future worm or virus that tries to use this attack vector to inject
itself automatically should be stopped from the very first minute. Even if
it is a brand new malware.
Sincerely: Tamas Feher.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]