[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
From: Feher Tamas <etomcat@freemail.hu>
Date: Wed, 18 Feb 2004 19:50:22 +0100 (CET)

Hello,

>Now all we have to do is create a BMP with bfOffBits > 2^31,
>and we're in. cbSkip goes negative and the Read call clobbers
>the stack with our data. See attached for proof of concept.
>
>index.html has [img src=1.bmp] where 1.bmp contains 
>bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
>Brings down IE5 / OE5 (tested successfully on Win98)

Kaspersky Lab's AVP (and possibly other vendors') antivirus suites now 
detect the presence of this method in files by the name "Suspicion: 
Exploit.IMG-BMP".

So any future worm or virus that tries to use this attack vector to inject 
itself automatically should be stopped from the very first minute. Even if 
it is a brand new malware.

Sincerely: Tamas Feher.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: [Full-Disclosure] Windows 98 vulnerable to ASN.1
Next by Date: [Full-Disclosure] Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
Previous by thread: Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
Next by thread: [Full-Disclosure] Buffer overflow in mnoGoSearch
Index(es):
- Date
- Thread