Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Mon, 8 Nov 2004 02:14:31 +0100

Hmmm... MSDN DHTML Reference mentions 6 different flavors of the NAME property:
1) For a lot of tags like A, APPLET, IMG, INPUT, etc... this includes EMBED
2) FRAME, FRAMESET, IFRAME
3) META
4) namespace
5) PARAM
6) window

I figured all the tags mentioned under 2 were affected and the rest wasn't. Now I hear <EMBED> is also working ? 
Somebody might wanna go through each and every tag to see which are affected and which aren't.

SHDOCVW.DLL version 6.0.2800.1400 and 6.0.2800.1584 are known to be vulnerable.
SHDOCVW.DLL version 6.00.2900.2518 seems to be immune to the BoF (ships with XP PRO SP2).

The immune version got me wondering if they knew about the bug ? If not, did they expect the code could be buggy and 
just rewrote it to be sure it was safe for SP2 ? Or was there just a code rewrite or another reason why the bug got 
silently fixed...? I hope they fixed it by accident, seeing what the other option would imply.

Cheers,
SkyLined

----- Original Message ----- 
From: "Menashe Eliezer" <menashe () finjan com>
To: "Berend-Jan Wever" <skylined () edup tudelft nl>; <full-disclosure () lists netsys com>
Sent: Sunday, November 07, 2004 23:21
Subject: RE: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does 
mangleme (with IE bugs!))


The published exploit is working also with the <EMBED> tag, and not just
with the <IFRAME> and  the <FRAME> tags.
Finjan's advisory can be found at:
http://www.finjan.com/SecurityLab/AttackandExploitReports/alert_show.asp
?attack_release_id=114

==
Regards,
Menashe Eliezer
Senior application security architect
Malicious Code Research Center
Finjan Software
http://www.finjan.com/mcrc
 
Prevention is the best cure!
 


-----Original Message-----
From: morning_wood [mailto:se_cur_ity () hotmail com] 
Sent: Tuesday, November 02, 2004 3:44 PM
To: Berend-Jan Wever; full-disclosure () lists netsys com;
bugtraq () securityfocus com
Subject: Re: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME
property bufferoverflow PoC exploit (was: python does mangleme (with IE
bugs!))

bindshell success ( html run from local ) connect from remote success...
this is NASTY
if shellcode modified this will do reverse or exe drop i assume....

good work,

Donnie Werner


-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]