Home page logo

dailydave logo Dailydave mailing list archives

GIFs of Cats
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 12 Sep 2013 15:06:24 -0400

GIFs. We love them. And we love them giving us remote code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3174>even more
than we love them showing us how to escape from jail

The last CANVAS release (the base release, since I also consider the
VulnDisco, D2, SCADA+, etc. exploit packs  as releases!) has a working
exploit for the July Microsoft Patch Tuesday DirectShow GIF bug. (I hate
it when people refer to things as the CVE - like you have those all

The current exploit supports IE8 only, but on Windows 7 and XP (known in
the exploit community as the "Microsoft OS's with market share" :>). We
started this exploit thinking it would be a nice easy exercise, and then
it turned into the exploit from hell. But it is finally done! Well. An
exploit is never truly done. For example "with minor amounts of work"
this exploit can be ported over to IE9 and 10 from IE8. And then you ask
"Can it work within Silverlight? and get back "Maybe..."

So you can spend years on a simple client-side if it's worth it to you,
or simply as performance art. In this particular case, it takes a while
to figure out how to even reach the vulnerability from IE, as opposed to
from "Media Player Classic", which is what the POC runs inside.

In any case, we hope those of you with CANVAS (which is all of you,
right?) test it out and let us know how well it works for you in your
environment. Always curious to see where this kind of work gets you in
the "reach out and touch someone" sense!


Attachment: signature.asc
Description: OpenPGP digital signature

Dailydave mailing list
Dailydave () lists immunityinc com

  By Date           By Thread  

Current thread:
  • GIFs of Cats Dave Aitel (Sep 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]