Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
From: patryn <patryn () schimmetje com>
Date: Mon, 08 Nov 2004 09:00:03 +0100

Berend-Jan Wever wrote:
> I hope they fixed it by accident, seeing what the other option would imply.

Certainly puts all that jive they've been spewing to the press in a different perspective.

Microsoft has begun to investigate the Iframe vulnerability and has not been made aware of any program designed to exploit the flaw. (You'd think they'd monitor the lists - p)

"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs"

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk"

http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html

But then again who doesn't like to bash Redmond, I'm curious what the "investigation" is turning up though.

patryn


Berend-Jan Wever wrote:
> Hmmm... MSDN DHTML Reference mentions 6 different flavors of the NAME property: > 1) For a lot of tags like A, APPLET, IMG, INPUT, etc... this includes EMBED
> 2) FRAME, FRAMESET, IFRAME
> 3) META
> 4) namespace
> 5) PARAM
> 6) window
>
> I figured all the tags mentioned under 2 were affected and the rest wasn't. Now I hear <EMBED> is also working ? Somebody might wanna go through each and every tag to see which are affected and which aren't.
>
> SHDOCVW.DLL version 6.0.2800.1400 and 6.0.2800.1584 are known to be vulnerable. > SHDOCVW.DLL version 6.00.2900.2518 seems to be immune to the BoF (ships with XP PRO SP2).
>
> The immune version got me wondering if they knew about the bug ? If not, did they expect the code could be buggy and just rewrote it to be sure it was safe for SP2 ? Or was there just a code rewrite or another reason why the bug got silently fixed...? I hope they fixed it by accident, seeing what the other option would imply.
>
> Cheers,
> SkyLined
>
> ----- Original Message -----
> From: "Menashe Eliezer" <menashe () finjan com>
> To: "Berend-Jan Wever" <skylined () edup tudelft nl>; <full-disclosure () lists netsys com>
> Sent: Sunday, November 07, 2004 23:21
> Subject: RE: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))
>
>
>
>>The published exploit is working also with the <EMBED> tag, and not just
>>with the <IFRAME> and  the <FRAME> tags.
>>Finjan's advisory can be found at:
>>http://www.finjan.com/SecurityLab/AttackandExploitReports/alert_show.asp
>>?attack_release_id=114
>>
>>==
>>Regards,
>>Menashe Eliezer
>>Senior application security architect
>>Malicious Code Research Center
>>Finjan Software
>>http://www.finjan.com/mcrc
>>
>>Prevention is the best cure!
>>
>>
>>
>>-----Original Message-----
>>From: morning_wood [mailto:se_cur_ity () hotmail com]
>>Sent: Tuesday, November 02, 2004 3:44 PM
>>To: Berend-Jan Wever; full-disclosure () lists netsys com;
>>bugtraq () securityfocus com
>>Subject: Re: [Full-disclosure] MSIE <IFRAME> and <FRAME> tag NAME
>>property bufferoverflow PoC exploit (was: python does mangleme (with IE
>>bugs!))
>>
>>bindshell success ( html run from local ) connect from remote success...
>>this is NASTY
>>if shellcode modified this will do reverse or exe drop i assume....
>>
>>good work,
>>
>>Donnie Werner
>>
>>
>>-----------------------------------------------
>>This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault