Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: patryn <patryn () schimmetje com>
Date: Mon, 08 Nov 2004 09:00:03 +0100
Berend-Jan Wever wrote:
> I hope they fixed it by accident, seeing what the other option would
Certainly puts all that jive they've been spewing to the press in a
Microsoft has begun to investigate the Iframe vulnerability and has not
been made aware of any program designed to exploit the flaw. (You'd
think they'd monitor the lists - p)
"Upon completion of this investigation, Microsoft will take the
appropriate action to protect our customers, which may include providing
a fix through our monthly release process or an out-of-cycle security
update, depending on customer needs"
"Microsoft is concerned that this new report of a vulnerability in
Internet Explorer was not disclosed responsibly, potentially putting
computer users at risk"
But then again, who doesn't like to bash Redmond? I'm curious what the
"investigation" is turning up, though.
Berend-Jan Wever wrote:
> Hmmm... MSDN DHTML Reference mentions 6 different flavors of the NAME
> 1) For a lot of tags like A, APPLET, IMG, INPUT, etc... this includes
> 2) FRAME, FRAMESET, IFRAME
> 3) META
> 4) namespace
> 5) PARAM
> 6) window
> I figured all the tags mentioned under 2 were affected and the rest
> weren't. Now I hear <EMBED> is also working? Somebody might wanna go
> through each and every tag to see which are affected and which aren't.
> SHDOCVW.DLL version 6.0.2800.1400 and 6.0.2800.1584 are known to be
> SHDOCVW.DLL version 6.00.2900.2518 seems to be immune to the BoF
> (ships with XP PRO SP2).
> The immune version got me wondering if they knew about the bug? If
> not, did they expect the code could be buggy and just rewrote it to be
> sure it was safe for SP2? Or was there just a code rewrite or another
> reason why the bug got silently fixed...? I hope they fixed it by
> accident, seeing what the other option would imply.
> ----- Original Message -----
> From: "Menashe Eliezer" <menashe () finjan com>
> To: "Berend-Jan Wever" <skylined () edup tudelft nl>;
> <full-disclosure () lists netsys com>
> Sent: Sunday, November 07, 2004 23:21
> Subject: RE: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME
> property bufferoverflow PoC exploit (was: python does mangleme (with IE
>>The published exploit is working also with the <EMBED> tag, and not just
>>with the <IFRAME> and the <FRAME> tags.
>>Finjan's advisory can be found at:
>>Senior application security architect
>>Malicious Code Research Center
>>Prevention is the best cure!
>>From: morning_wood [mailto:se_cur_ity () hotmail com]
>>Sent: Tuesday, November 02, 2004 3:44 PM
>>To: Berend-Jan Wever; full-disclosure () lists netsys com;
>>bugtraq () securityfocus com
>>Subject: Re: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME
>>property bufferoverflow PoC exploit (was: python does mangleme (with IE
>>bindshell success ( html run from local ) connect from remote success...
>>this is NASTY
>>if shellcode modified this will do reverse or exe drop i assume....
>>Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
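A defender-side check, added here and not part of the thread or of any tool it mentions: a scanner that flags the FRAME, IFRAME and EMBED tags the thread reports as affected when their NAME attribute is implausibly long, usable on proxied pages or saved mail attachments during log review. The 256-byte threshold and the two sample pages are constructed assumptions, not values from the thread.

```python
"""Flag HTML whose FRAME/IFRAME/EMBED tags carry an oversized NAME attribute.
Added example; thresholds and samples are constructed, not from the thread."""
from html.parser import HTMLParser

# Tags the thread reports as affected. MAX_NAME_LEN is an assumed threshold
# for illustration: legitimate frame names are short identifiers.
AFFECTED_TAGS = {"frame", "iframe", "embed"}
MAX_NAME_LEN = 256


class NameAttrScanner(HTMLParser):
    """Collects (tag, length) for affected tags whose NAME exceeds the limit."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag not in AFFECTED_TAGS:
            return
        for attr, value in attrs:
            if attr == "name" and value is not None and len(value) > MAX_NAME_LEN:
                self.findings.append((tag, len(value)))

    # Self-closing forms (<embed ... />) are treated the same as start tags.
    handle_startendtag = handle_starttag


def scan_html(html):
    """Return a list of (tag, name_length) findings for the given document."""
    scanner = NameAttrScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: a benign page, and one with oversized NAMEs on IFRAME
# and EMBED plus an IMG (not in the affected set, so it is deliberately ignored).
BENIGN = '<html><body><iframe name="content" src="a.html"></iframe></body></html>'
SUSPECT = ('<html><body><iframe name="' + "A" * 4096 + '" src="x"></iframe>'
           '<embed name="' + "B" * 1024 + '" />'
           '<img name="' + "C" * 4096 + '"></body></html>')

if __name__ == "__main__":
    print(scan_html(BENIGN))   # []
    print(scan_html(SUSPECT))  # [('iframe', 4096), ('embed', 1024)]
```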