
Full Disclosure mailing list archives
Re: RE:Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too)
From: jelmer <jkuperus () planet nl>
Date: Fri, 12 Sep 2003 14:20:59 +0200
Serious? These, if I understand correctly, merely crash your browser, nothing particularly serious about that. Granted, no browser will be without flaws, so there is probably heaps of stuff to be found in Mozilla as well, but remote code execution?? I don't believe there has been a single flaw in Netscape or Mozilla that allowed you to execute code simply by putting together some JavaScript (you can correct me on this), even when it was the dominant browser and legendary guys like George Guninski roamed the streets. Sure, it will probably have stuff like overflows, nearly everything does, but particularly ActiveX is just utterly insane and makes you want to bang your head against a brick wall screaming what the hell were they thinking

----- Original Message -----
From: "meme-boi" <meme-boi () nothotmail org>
To: <full-disclosure () lists netsys com>
Sent: Friday, September 12, 2003 2:33 AM
Subject: [Full-disclosure] RE:Internet explorer 6 on windows XP allows exection of arbitrary code ( and opera and Mozilla too)

> WORKAROUND :Disable active scripting or do "the sensible thing" and pick another browser such as the
> excellent mozilla firebird.

Mozilla ...

    <script language="Javascript">
    t = new Packages.sun.plugin.javascript.navig5.JSObject(1,1);
    </script>

hmmm or

http://drorshalev.brinkster.net/dev/memeboi/werd.html

Both serious issues mozilla has yet to fix.

Or we can look at Opera and conclude that no graphical browser is safe:

    /usr/bin/opera: line 138: 1289 Segmentation fault "${BINARYDIR}/opera" "${@}"
    "${BINARYDIR}/opera" "${@}"
    (gdb) /opt/opera/lib/opera/plugins/operamotifwrapper: error while loading shared libraries: libXm.so.2: cannot open shared object file: No such file or directory
    (gdb) backtrace
    #0 0x21ad4397 in waitpid () from /lib/libc.so.6
    #1 0x080777f6 in kill_pid ()
    #2 0x080767a3 in wait_for ()
    #3 0x080687c6 in execute_command_internal ()
    #4 0x0806c0a7 in execute_command ()
    #5 0x0805d48c in reader_loop () <---murder loop
    #6 0x0805b8a0 in main ()
    #7 0x21a407a6 in __libc_start_main () from /lib/libc.so.6 <--redrum lib
    (gdb) info reg
    eax            0xfffffe00       -512
    ecx            0x5da26398       1570923416
    edx            0x0      0
    ebx            0xffffffff       -1
    esp            0x5da2635c       0x5da2635c
    ebp            0x5da26378       0x5da26378
    esi            0x0      0
    edi            0xffffffff       -1
    eip            0x21ad4397       0x21ad4397
    eflags         0x246    582
    cs             0x23     35
    ss             0x2b     43
    ds             0x2b     43
    es             0x2b     43
    fs             0x0      0
    gs             0x0      0
    fctrl          0x37f    895
    fstat          0x0      0
    ftag           0xffff   65535
    fiseg          0x0      0
    fioff          0x0      0
    foseg          0x0      0
    fooff          0x0      0
    fop            0x0      0
    mxcsr          0x0      0
    orig_eax       0x72     114
    (gdb) disass $eip-0x20 $eip+0x20
    Dump of assembler code from 0x21ad4377 to 0x21ad43b7:
    0x21ad4377 <waitpid+23>: mov $0x7,%dh
    0x21ad4379 <waitpid+25>: add %cl,0x2b88b3(%ebx)
    0x21ad437f <waitpid+31>: add %cl,0xf685087d(%ebx)
    0x21ad4385 <waitpid+37>: jne 0x21ad43be <waitpid+94>
    0x21ad4387 <waitpid+39>: mov 0xc(%ebp),%ecx
    0x21ad438a <waitpid+42>: mov 0x10(%ebp),%edx
    0x21ad438d <waitpid+45>: push %ebx
    0x21ad438e <waitpid+46>: mov %edi,%ebx
    0x21ad4390 <waitpid+48>: mov $0x72,%eax
    0x21ad4395 <waitpid+53>: int $0x80
    0x21ad4397 <waitpid+55>: pop %ebx
    0x21ad4398 <waitpid+56>: cmp $0xfffff000,%eax
    0x21ad439d <waitpid+61>: mov %eax,%esi
    0x21ad439f <waitpid+63>: ja 0x21ad43ae <waitpid+78>
    0x21ad43a1 <waitpid+65>: mov %esi,%eax
    0x21ad43a3 <waitpid+67>: mov 0xfffffff4(%ebp),%ebx
    0x21ad43a6 <waitpid+70>: mov 0xfffffff8(%ebp),%esi
    0x21ad43a9 <waitpid+73>: mov 0xfffffffc(%ebp),%edi
    0x21ad43ac <waitpid+76>: leave
    0x21ad43ad <waitpid+77>: ret
    0x21ad43ae <waitpid+78>: neg %esi
    0x21ad43b0 <waitpid+80>: call 0x21a40980 <__errno_location>
    0x21ad43b5 <waitpid+85>: mov %esi,(%eax)

Time to revert to command line !

I speak about this on the mighty bugtraq but no one listen. not even friend 9or.

Anyways. I have to go clean the floor at walmart.

ninjas are bad

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html