From: Michal Majchrowicz (m.majchrowiczgmail.com)
Date: Tue Apr 10 2007 - 04:01:59 CDT
One thing to add about IE protected mode and all that stuff:
We get a shell (in IE protected mode) using the ANI vulnerability.
Go to the IE temporary directory. It must have write access there :)
Then we use this: http://www.securityfocus.com/bid/23278
And we have SYSTEM access :)
On 4/8/07, wac <waldoalvarez00gmail.com> wrote:
> Firefox 126.96.36.199 (at least in Windows) *seems to be vulnerable*. I don't
> remember exactly what it did, but it behaved in a strange way; I believe some
> file handle was left open and I had to kill it the hard way. I don't know what
> they say in the docs, but if it ends up calling the user32 function,
> that's all it takes to trigger the bug. I was taking a peek at its import
> tables and it imports from User32 the function LoadCursorA; maybe that could
> be the guilty one.
> Anyway, test here and see what happens (that link is from dev code).
> I'm not vulnerable anymore since quite some time ;) and I don't have much
> time to test right now.
> On 4/8/07, Michal Majchrowicz <m.majchrowiczgmail.com> wrote:
> > Hi.
> > There are more and more reports about FF and the ANI vulnerability.
> > There was already a presentation of a working exploit.
> > The thing starts to annoy me, and since I am far away from any Windows
> > machine I wanted to share some of my speculations.
> > According to the docs two things are obvious:
> > 1) Firefox doesn't support ANI cursors.
> > 2) ANI is just a few CUR cursors packed together and presented as an
> > So I have three possible ways of exploiting it:
> > 1) Since ANI files are vulnerable, then maybe CUR files are also
> > vulnerable. Firefox does support CUR files.
> > 2) If Firefox doesn't support ANI files, it only means it doesn't
> > render them. It doesn't mean it will not accept them in any way :)
> > 3) Maybe it is possible to take foo.ani and rename it to foo.cur.
> > Then FF will call the Win API with this cursor. The Windows API will recognize
> > this as an ANI file and call the vulnerable function.
> > As I said before, these are just speculations. I hope someone will be
> > able to confirm or prove that some of them (or all) make no sense.
> > Happy Easter to everyone.
> > Regards, Michal.
> > On 4/4/07, Peter Ferrie <pferriesymantec.com> wrote:
> > > > That's correct, Firefox doesn't support ANI files for cursors.
> > >
> > > Right, and it doesn't need to, because cursors are not the only way to
> > > reach the vulnerable code.
> > > Icons can do it, too.
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
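Editor's note: the thread's third speculation (rename foo.ani to foo.cur and let the Windows cursor loader recognise it by content) turns on the loader looking at the file's bytes rather than its extension. The following is an added example, not code from anyone in the thread, that classifies cursor-like files by their magic bytes the same way and walks the RIFF chunks of an ANI to flag an `anih` chunk whose declared length is not the 36-byte ANIHEADER size. That 36-byte expectation is the editor's assumption drawn from the public description of MS07-017 (CVE-2007-0038), not something the thread states; the sample files are constructed inline, and the function names are the editor's own.

```python
import struct

# sizeof(ANIHEADER). The MS07-017 / CVE-2007-0038 issue was an anih chunk
# whose declared length exceeded this fixed-size header (editor's assumption,
# taken from the public advisory, not from the thread above).
ANIH_EXPECTED_SIZE = 36


def sniff_cursor_type(data: bytes) -> str:
    """Classify by content only; the file extension is deliberately ignored,
    which is what makes the .ani-renamed-to-.cur trick plausible."""
    if data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "ani"
    if len(data) >= 6:
        # ICO/CUR share an ICONDIR: idReserved=0, idType=1 (icon) or 2 (cursor)
        reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
        if reserved == 0 and img_type in (1, 2) and count > 0:
            return "ico" if img_type == 1 else "cur"
    return "unknown"


def iter_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, declared_size, payload) for every chunk in [start, end),
    descending into LIST chunks. The declared size is returned untouched so the
    caller can compare it against what the format requires; the payload slice
    is clamped to the buffer because a hostile size may point past the file."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_start = pos + 8
        payload_end = min(payload_start + size, end)
        if fourcc == b"LIST":
            # skip the 4-byte list type (e.g. "fram") and recurse
            yield from iter_chunks(data, payload_start + 4, payload_end)
        else:
            yield fourcc, size, data[payload_start:payload_end]
        pos = payload_start + size + (size & 1)  # chunks are word-aligned


def scan_ani(data: bytes) -> list:
    """Return a list of findings for an ANI file; empty means nothing odd."""
    findings = []
    if sniff_cursor_type(data) != "ani":
        return findings
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(8 + riff_size, len(data))  # RIFF size counts from offset 8
    for fourcc, declared, _payload in iter_chunks(data, 12, end):
        if fourcc == b"anih" and declared != ANIH_EXPECTED_SIZE:
            findings.append(
                f"anih chunk declares {declared} bytes, expected {ANIH_EXPECTED_SIZE}")
    return findings


# --- constructed sample inputs (not real-world files) ---------------------

def riff_chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(extra_chunks: bytes = b"") -> bytes:
    anih = struct.pack("<I", ANIH_EXPECTED_SIZE) + b"\0" * (ANIH_EXPECTED_SIZE - 4)
    body = b"ACON" + riff_chunk(b"anih", anih) + extra_chunks
    return b"RIFF" + struct.pack("<I", len(body)) + body


SAMPLE_CUR = struct.pack("<HHH", 0, 2, 1) + b"\0" * 16   # ICONDIR + one entry
SAMPLE_ICO = struct.pack("<HHH", 0, 1, 1) + b"\0" * 16
BENIGN_ANI = build_ani()
# a second anih, buried in a LIST/fram, declaring 100 bytes instead of 36
OVERSIZED_ANI = build_ani(
    riff_chunk(b"LIST", b"fram" + riff_chunk(b"anih", b"A" * 100)))


if __name__ == "__main__":
    for name, blob in [("foo.cur (really CUR)", SAMPLE_CUR),
                       ("foo.ico", SAMPLE_ICO),
                       ("foo.cur (really ANI)", BENIGN_ANI),
                       ("foo.cur (ANI, oversized anih)", OVERSIZED_ANI)]:
        print(name, "->", sniff_cursor_type(blob), scan_ani(blob))
```

The point of `sniff_cursor_type` is that the renamed file and the original classify identically; the extension never enters the decision. `scan_ani` walks into `LIST` chunks deliberately, because a well-formed first `anih` followed by a second, oversized one elsewhere in the file is exactly the shape a naive "check the first header only" validator misses.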