[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

To: Larry Seltzer <Larry@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
From: "ad@xxxxxxxxxxxxxxxx" <ad@xxxxxxxxxxxxxxxx>
Date: Mon, 02 Apr 2007 00:39:46 +0200

http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under vista and 
the default DEP settings doesnt catch it.


ad@xxxxxxxxxxxxxxxx wrote:
>  From the published poc yes vista is vulnerable , the poc doesn't 
> exploit it but shows enough..
> The whole windows browser crashes when you try to open the folder of the 
> malicious .ani file,
> can't even attach it to an email because thunderbird crashes when I'm 
> browsing to attach the .ani,
> EIP is overwritten by some wrong datas near the shellcode, . To resume 
> you don't have to open the file
> on vista, displaying it is enough, there is less user interaction 
> required to exploit that bug on vista than older windows os,
>
> surprising...   ...or not =)
>  
> Larry Seltzer wrote:
>   
>>>> It is completely possible to execute shellcode if we can do some DEP
>>>>       
>>>>         
>> bypass (ie. ret2libc attack, etc..)  
>>
>> In Vista this should have problems because of ASLR, right?
>>
>> I'm beginning to think that web-based attacks with this in Vista aren't
>> really so scary. Even if you can get them to execute what can you really
>> do in IE protected mode? You need to get the user to run the ANI outside
>> of IE. Can anyone say what actually happens if you read an e-mail in the
>> Vista Mail program with an attack ANI embedded?
>>
>> Larry Seltzer
>> eWEEK.com Security Center Editor
>> http://security.eweek.com/
>> http://blog.eweek.com/blogs/larry%5Fseltzer/
>> Contributing Editor, PC Magazine
>> larryseltzer@xxxxxxxxxxxxx 
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> .
>>
>>   
>>     
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> .
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
  - From: Larry Seltzer
- Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
  - From: dev code
- Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
  - From: Larry Seltzer
- Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
  - From: ad@xxxxxxxxxxxxxxxx

Prev by Date: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
Next by Date: [Full-disclosure] Severe CSRF vulnerabilities allow mail/msg spoofing in Libero.it portal
Previous by thread: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
Next by thread: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow -> Its ok, its in IE Protected Mode
Index(es):
- Date
- Thread