Re[2]: [Full-disclosure] Steve Gibson smokes crack?
- To: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Subject: Re[2]: [Full-disclosure] Steve Gibson smokes crack?
- From: blad3 <fd@xxxxxxxx>
- Date: Sat, 14 Jan 2006 14:56:02 +0200
Hello Georgi,
Saturday, January 14, 2006, 1:26:36 PM, you wrote:
> On Fri, Jan 13, 2006 at 05:55:17PM -0500, eric williams wrote:
>> however, the question is I gather flowing from the Gibson commentary,
>> how or what exactly causes WINE to execute the code pointed at by the
>> SetAbortProc record? Is it the "incorrect record length" is it some
>> other munged input, is it "by design" which has also been alluded to,
>> and seems to be your reference here.
>>
> http://www.grc.com/sn/SN-022.htm
> ----
> So what I found was that, when I deliberately lied about the size of this
> record and set the size to one and no other value, and I gave this particular
> byte sequence that makes no sense for a metafile, then Windows created a
> thread and jumped into my code, began executing my code.
> ...
> It turns out that the only way to get Windows to misbehave in this bizarre
> fashion is to set the length to one, which is an impossible value. I tried
> setting it to zero. It didn't trigger the exploit. I tried setting it to two,
> no effect. Three, no effect. Nothing, not even the correct length. Only one.
The claim about the length is not true.
http://it.slashdot.org/comments.pl?sid=173878&cid=14466008
Btw, somebody else in this thread already proved that.
> using invalid values to exploit a "design flaw" is "strange" at least.
> can someone comment if the claim about the length is true?
--
Best regards,
blad3 mailto:fd@xxxxxxxx
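Added example, not code from this thread or from any of its posters: a small Python walker over a WMF record stream that reports every META_ESCAPE record carrying the SETABORTPROC escape code regardless of the rdSize the record declares, and separately notes records whose declared size is below the 3-word minimum (rdSize plus rdFunction). It shows what a content scanner has to check if it is not to depend on one particular length value. The sample metafile bytes, the filler payload "ABCD" and the helper names (parse_wmf_records, find_setabortproc, escape_record) are constructed here for illustration; the constants META_ESCAPE = 0x0626, SETABORTPROC = 0x0009 and the placeable-header key are the standard WMF values.

```python
import struct

# Standard WMF constants
META_ESCAPE = 0x0626         # rdFunction value of an Escape record
META_EOF = 0x0000            # rdFunction value of the terminating record
SETABORTPROC = 0x0009        # escape sub-function the thread is about
NEWFRAME = 0x0001            # a harmless escape sub-function, for contrast
PLACEABLE_MAGIC = 0x9AC6CDD7 # key of the optional 22-byte placeable header


def parse_wmf_records(data: bytes):
    """Walk the record stream of a WMF byte string.

    Returns one dict per record: offset, declared rdSize (in 16-bit words),
    rdFunction, the escape sub-function for Escape records, and a list of
    flags describing anomalies.  Detection does not depend on rdSize: a
    SETABORTPROC escape is flagged whatever size the record declares.
    """
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22  # skip the placeable header
    if len(data) < pos + 18:
        raise ValueError("truncated METAHEADER")
    mt_type, mt_header_size = struct.unpack_from("<HH", data, pos)
    if mt_header_size != 9:
        raise ValueError("unexpected mtHeaderSize %d" % mt_header_size)
    pos += 18  # METAHEADER is 9 words

    records = []
    while pos + 6 <= len(data):
        rd_size, rd_function = struct.unpack_from("<IH", data, pos)
        rec = {"offset": pos, "rd_size": rd_size, "function": rd_function,
               "escape": None, "flags": []}
        physical_words = None  # length we can derive from the record body itself
        if rd_size < 3:
            rec["flags"].append("rdSize below minimum (3 words)")
        if rd_function == META_ESCAPE:
            if pos + 10 <= len(data):
                esc_func, esc_count = struct.unpack_from("<HH", data, pos + 6)
                rec["escape"] = esc_func
                # 4 (rdSize) + 2 (rdFunction) + 2 (escape) + 2 (count) + data
                physical_words = (10 + esc_count + 1) // 2
                if esc_func == SETABORTPROC:
                    rec["flags"].append("SETABORTPROC escape")
            else:
                rec["flags"].append("truncated escape record")
        records.append(rec)
        if rd_function == META_EOF:
            break
        # Advance by the declared size when plausible; otherwise fall back to
        # the physical length of an escape record, or stop if none is known.
        step = rd_size if rd_size >= 3 else physical_words
        if step is None:
            break
        pos += step * 2
    return records


def find_setabortproc(data: bytes):
    """Records that would hand a SetAbortProc callback to the player."""
    return [r for r in parse_wmf_records(data) if "SETABORTPROC escape" in r["flags"]]


def escape_record(esc_func: int, payload: bytes, declared_size=None) -> bytes:
    """Build a META_ESCAPE record (constructed test helper, word-padded)."""
    if len(payload) % 2:
        payload += b"\x00"
    body = struct.pack("<HHH", META_ESCAPE, esc_func, len(payload)) + payload
    words = (4 + len(body)) // 2
    return struct.pack("<I", words if declared_size is None else declared_size) + body


# Constructed sample: one well-formed SETABORTPROC record, one declaring the
# "impossible" size of 1, one harmless NEWFRAME escape, then META_EOF.
_RECORDS = (escape_record(SETABORTPROC, b"ABCD")
            + escape_record(SETABORTPROC, b"ABCD", declared_size=1)
            + escape_record(NEWFRAME, b"")
            + struct.pack("<IH", 3, META_EOF))
_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(_RECORDS) // 2, 0, 7, 0)
SAMPLE_WMF = _HEADER + _RECORDS

if __name__ == "__main__":
    for r in find_setabortproc(SAMPLE_WMF):
        print("offset %d rdSize %d flags %s" % (r["offset"], r["rd_size"], r["flags"]))
```

Run stand-alone it lists both SETABORTPROC records, the one with rdSize 7 and the one with rdSize 1, so a scanner built this way does not care which length value a sample uses. The fallback to the escape record's own byte count is what lets the walk continue past a record whose declared size cannot be trusted.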
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/