[Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-09 Thread Tavis Ormandy
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly


Help and Support Centre is the default application provided to access online
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp";
a typical example is provided in the Windows XP Command Line Reference,
available at http://technet.microsoft.com/en-us/library/bb490918.aspx.

Using hcp:// URLs is intended to be safe, as when invoked via the registered
protocol handler the command line parameter /fromhcp is passed to the help
centre application. This flag switches the help centre into a restricted mode,
which will only permit a whitelisted set of help documents and parameters.

This design, introduced in SP2, is reasonably sound. A whitelist of trusted
documents is a safe way of allowing interaction with the documentation from
less-trusted sources. Unfortunately, an implementation error in the whitelist
allows it to be evaded.

URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters; the relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.

.text:0106684C Unescape:
.text:0106684C     cmp     di, '%'                 ; di contains the current wchar in the input URL.
.text:01066850     jnz     short LiteralChar       ; if this is not a '%', it must be a literal character.
.text:01066852     push    esi                     ; esi contains a pointer to the current position in URL to unescape.
.text:01066853     call    ds:wcslen               ; find the remaining length.
.text:01066859     cmp     word ptr [esi], 'u'     ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.
.text:0106685D     pop     ecx                     ; this sequence calculates the number of wchars needed (4 or 2).
.text:0106685E     setz    cl                      ; i.e. %u (four needed), or %XX (two needed).
.text:01066861     mov     dl, cl
.text:01066863     neg     dl
.text:01066865     sbb     edx, edx
.text:01066867     and     edx, 3
.text:0106686A     inc     edx
.text:0106686B     inc     edx
.text:0106686C     cmp     eax, edx                ; test if I have enough characters in input to decode.
.text:0106686E     jl      short LiteralChar       ; if not enough, this '%' is considered literal.
.text:01066870     test    cl, cl
.text:01066872     movzx   eax, word ptr [esi+2]
.text:01066876     push    eax
.text:01066877     jz      short NotUnicode
.text:01066879     call    HexToNum                ; call MPC::HexToNum() to convert this nibble (4 bits) to an integer.
.text:0106687E     mov     edi, eax                ; edi contains the running total of the value of this escape sequence.
.text:01066880     movzx   eax, word ptr [esi+4]
.text:01066884     push    eax
.text:01066885     shl     edi, 4                  ; shift edi left 4 positions to make room for the next digit, i.e. total <<= 4;
.text:01066888     call    HexToNum
.text:0106688D     or      edi, eax                ; or the next value into the 4-bit gap, i.e. total |= val.
.text:0106688F     movzx   eax, word ptr [esi+6]   ; this process continues for the remaining wchars.
.text:01066893     push    eax
.text:01066894     shl     edi, 4
.text:01066897     call    HexToNum
.text:0106689C     or      edi, eax
.text:0106689E     movzx   eax, word ptr [esi+8]
.text:010668A2     push    eax
.text:010668A3     shl     edi, 4
.text:010668A6     call    HexToNum
.text:010668AB     or      edi, eax
.text:010668AD     add     esi, 0Ah                ; account for number of bytes (not chars) consumed by the escape.
.text:010668B0     jmp     short FinishedEscape
.text:010668B2
.text:010668B2 NotUnicode:
.text:010668B2     call    HexToNum                ; this is the same code, but for non-unicode sequences (e.g. %41, instead of %u0041)
.text:010668B7     mov     edi, eax
.text:010668B9     movzx   eax, word ptr [esi]
.text:010668BC     push    eax
.text:010668BD     call    HexToNum
.text:010668C2     shl     eax, 4
.text:010668C5     or      edi, eax
.text:010668C7     add     esi, 4                  ; account for number of bytes (not chars) consumed by the escape.
.text:010668CA
.text:010668CA FinishedEscape:
.text:010668CA     test    di, di
.text:010668CD     jz      short loc_10668DA
.text:010668CF
.text:010668CF LiteralChar:
.text:010668CF     push    edi                     ; append the final value to the normalised string using a std::string append.
.text:010668D0     mov     ecx, [ebp+unescaped]
.text:010668D3     push    1
.text:010668D5     call    std::string::append
.text:
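An added example, not code from the advisory or from helpctr.exe: a C model of the decoder in the listing above, beside a hardened decoder that fails closed on a malformed escape. MPC::HexToNum()'s result for a non-hex character is not shown on the page, so the model takes the digit converter as a parameter and hex_to_num_strict() is an assumed stand-in; what the model makes visible is that the listed loop checks only the remaining length, never the digits themselves, so whatever the converter returns is OR'd into the output and the escape is consumed anyway.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Digit converter type, standing in for MPC::HexToNum(). */
typedef int (*hex_digit_fn)(wchar_t c);

/* Assumed converter (not the real one): 0..15 for a hex digit, -1 otherwise. */
static int hex_to_num_strict(wchar_t c)
{
    if (c >= L'0' && c <= L'9') return c - L'0';
    if (c >= L'a' && c <= L'f') return c - L'a' + 10;
    if (c >= L'A' && c <= L'F') return c - L'A' + 10;
    return -1;
}

/* Model of the listed Unescape loop. After a '%', the only check is that enough
 * wchars remain (5 for "%uXXXX" counting the 'u', 2 for "%XX"); each digit goes
 * through the converter and the nibbles are OR'd together without inspecting
 * its result. The listing's zero-value branch (jz loc_10668DA) targets code not
 * shown on the page, so this model simply appends the value.
 * Returns the number of wchars written; out has room for cap wchars. */
size_t unescape_as_listed(const wchar_t *in, wchar_t *out, size_t cap, hex_digit_fn hex)
{
    size_t n = 0;
    while (*in && n + 1 < cap) {
        if (*in != L'%') { out[n++] = *in++; continue; }      /* LiteralChar */
        const wchar_t *p = in + 1;                             /* esi: wchar after '%' */
        int is_u = (*p == L'u');
        size_t need = is_u ? 5 : 2;                            /* setz/neg/sbb/inc/inc */
        if (wcslen(p) < need) { out[n++] = *in++; continue; }  /* jl LiteralChar */
        const wchar_t *d = is_u ? p + 1 : p;
        unsigned value = 0;
        for (size_t i = 0; i < (is_u ? 4u : 2u); i++)
            value = (value << 4) | (unsigned)hex(d[i]);        /* shl edi,4 ; or edi,eax */
        out[n++] = (wchar_t)(value & 0xFFFFu);                 /* di */
        in = p + need;                                         /* add esi, 0Ah / 4 */
    }
    out[n] = L'\0';
    return n;
}

/* Hardened decoder: an escape is accepted only when every expected digit is a
 * hex digit (a terminating NUL also fails, so short input never reads past the
 * end). Any malformed escape rejects the whole URL (-1) rather than producing a
 * character that was never in the input, so a later whitelist comparison only
 * ever sees a string that decodes unambiguously. */
long unescape_strict(const wchar_t *in, wchar_t *out, size_t cap)
{
    size_t n = 0;
    while (*in) {
        if (n + 1 >= cap) return -1;
        if (*in != L'%') { out[n++] = *in++; continue; }
        const wchar_t *p = in + 1;
        int is_u = (*p == L'u');
        size_t ndigits = is_u ? 4 : 2;
        const wchar_t *d = is_u ? p + 1 : p;
        unsigned value = 0;
        for (size_t i = 0; i < ndigits; i++) {
            int v = hex_to_num_strict(d[i]);
            if (v < 0) return -1;                              /* malformed: fail closed */
            value = (value << 4) | (unsigned)v;
        }
        out[n++] = (wchar_t)value;
        in = d + ndigits;
    }
    out[n] = L'\0';
    return (long)n;
}

/* Shared output buffer for the demonstration below. */
static wchar_t scratch[64];

int main(void)
{
    /* Constructed inputs: a well-formed mix, a bad digit, and a truncated escape. */
    const wchar_t *inputs[] = { L"%41%u0042C", L"%4G", L"%4" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t n = unescape_as_listed(inputs[i], scratch, 64, hex_to_num_strict);
        unsigned first = n ? ((unsigned)scratch[0] & 0xFFFFu) : 0u;
        long m = unescape_strict(inputs[i], scratch, 64);
        printf("%-12ls listed: %zu wchars (first = 0x%04X)   strict: %ld\n",
               inputs[i], n, first, m);
    }
    return 0;
}
```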

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-10 Thread Susan Bradley
I'm not an enterprise customer, but I am a mouthy female. So here's my 
question back to you, for my education, how exactly did MSRC contact you 
back? 

Since June 5th have you tried emailing back or any of your contacts from 
past interactions and asked what was up?  I'm disappointed in this lack 
of communication I see on both sides.  You are ...well... Tavis 
Ormandy... I seriously doubt MSRC is blowing you off here.

Keep in mind we just had a LARGE patch week to deal with.  I don't know 
what was going on on their side, nor making excuses as I don't know what 
communication you've had in the past and had on this issue ... I'm just 
saying I would have spent a little more time getting mad at them and 
sent a lot more emails back to them before posting this.

(And try dealing with Microsoft licensing sometime if you think security 
communication is lacking)

Tavis Ormandy wrote:

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-10 Thread Susan Bradley
I'm not asking about disclosure.  I'm asking what happened to the level 
of communication between you and MSRC that after 4 days you posted this?

Tavis Ormandy wrote:
> Susan, I wish I had the time to hold your hand through getting up to
> speed on the disclosure debate. Instead, I would suggest starting with
> the links in my advisory which were intended to give you enough
> background to understand the issues involved (skip to the Notes section,
> if you like).
>
> As I cannot hope to speak as eloquently on the topic as Bruce, I will
> not attempt to repeat them for you here.
>
> If after researching the topic you still have questions, please let me
> know.
>
> Thanks, Tavis.
>
> On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-10 Thread Susan Bradley
Nope Mr. Live, other than dealing with .NET updates and a 982331 that 
keeps wanting to have UAC turned off on some Win7/Vistas to get 
installed, this is just my normal calm, try to also consider the 
consumers and patchers viewpoint person today.

musnt live wrote:
>
> On Thu, Jun 10, 2010 at 11:36 AM, Susan Bradley wrote:
>
> I'm not an enterprise customer, but I am a mouthy female.
>
>
> Hello Full Disclosure, I'd like to warn you about PMS!


Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-10 Thread Susan Bradley
You commented that Microsoft needs to address a communication problem.  
It's irrelevant to the full disclosure issue in my mind.

I'd honestly like to know if there is a breakdown in communication at 
the MSRC that needs to be addressed.  It appears there is one?


Tavis Ormandy wrote:
> Susan, this is what is called "full disclosure", and my response was
> relevant.
>
> I will not answer anymore uninformed questions on this topic.
>
> Thanks, Tavis.
>
> On Thu, Jun 10, 2010 at 09:02:37AM -0700, Susan Bradley wrote:


Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-10 Thread Christian Sciberras
Susan, if you want my advice, don't even bother with Mr Live.

Cheers.

On Thu, Jun 10, 2010 at 6:26 PM, Susan Bradley wrote:

> You commented that Microsoft needs to address a communication problem.
> It's irrelevant to the full disclosure issue in my mind.
>
> I'd honestly like to know if there is a break down in communication at
> the MSRC that needs to be addressed.  It appears there is one?
>
>
> Tavis Ormandy wrote:

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-10 Thread Thomas Kristensen
Tavis,

Nice find, but during our analysis we discovered that your hotfix
unfortunately is inadequate.

For more information see:
http://secunia.com/blog/103/

Removing the HCP URI handler seems like the only proper workaround as of
now.

/Thomas


On Thu, 2010-06-10 at 01:46 +0200, Tavis Ormandy wrote: 

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread musnt live
On Thu, Jun 10, 2010 at 11:36 AM, Susan Bradley wrote:

> I'm not an enterprise customer, but I am a mouthy female.
>
>
Hello Full Disclosure, I'd like to warn you about PMS!

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Tavis Ormandy
Susan, I wish I had the time to hold your hand through getting up to
speed on the disclosure debate. Instead, I would suggest starting with
the links in my advisory which were intended to give you enough
background to understand the issues involved (skip to the Notes section,
if you like).

As I cannot hope to speak as eloquently on the topic as Bruce, I will
not attempt to repeat them for you here.

If after researching the topic you still have questions, please let me
know.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:
> I'm not an enterprise customer, but I am a mouthy female. So here's my 
> question back to you, for my education, how exactly did MSRC contact you 
> back? 
> 
> Since June 5th have you tried emailing back or any of your contacts from 
> past interactions and asked what was up?  I'm disappointed in this lack 
> of communication I see on both sides.  You are ...well... Tavis 
> Ormandy... I seriously doubt MSRC is blowing you off here.
> 
> Keep in mind we just had a LARGE patch week to deal with.  I don't know 
> what was going on on their side, nor making excuses as I don't know what 
> communication you've had in the past and had on this issue ... I'm just 
> saying I would have spent a little more time getting mad at them and 
> sent a lot more emails back to them before posting this.
> 
> (And try dealing with Microsoft licensing sometime if you think security 
> communication is lacking)
> 

-- 
tav...@cmpxchg8b.com | pgp encrypted mail preferred


Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Tavis Ormandy
Susan, this is what is called "full disclosure", and my response was
relevant.

I will not answer anymore uninformed questions on this topic.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 09:02:37AM -0700, Susan Bradley wrote:
> I'm not asking about disclosure.  I'm asking what happened to the level 
> of communication between you and MSRC that after 4 days you posted this?
> 
> Tavis Ormandy wrote:

-- 
tav...@cmpxchg8b.com | pgp encrypted mail preferred


Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread musnt live
On Thu, Jun 10, 2010 at 12:18 PM, Susan Bradley wrote:

> Nope Mr. Live, other than dealing with .NET updates and a 982331 that keeps
> wanting to have UAC turned off on some Win7/Vistas to get installed, this is
> just my normal calm, try to also consider the consumers and patchers
> viewpoint person today.
>
> musnt live wrote:

Hello Full Disclosure, please forgive for me my premature mail. What is I
meant to now say is, I would like to warn you about Denial:

http://en.wikipedia.org/wiki/Denial

Denial is a defense mechanism postulated by Sigmund Freud, in which a person
is faced with a fact that is too uncomfortable to accept and rejects it
instead, insisting that it is not true despite what may be overwhelming
evidence.

I once had denial from vulnerable company I will release in the future:

targetFile = "C:\NOFREEBUGNAMES.ocx"
prototype  = "Invoke_Unknown LayoutURL As String"
memberName = "LayoutURL"
progid = "no.free.bugs"
argCount   = 1

arg1=String(4116, "A")

target.LayoutURL = arg1


0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xdeadbabe
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC005)
Exception Sub-Type: Read Access Violation

Faulting Instruction: call dword ptr [ecx]

Exception Hash (Major/Minor): 0x237f6e51.0x456c465d

Stack Trace:
nomore!CBaseBSCB::KickOffDownload+0x82
nomore!URLOpenStreamW+0x41
nomore!URLOpenStreamA+0x94
freebugs!DllUnregisterServer+0x5974
freebugs!BufferComparator::operator=+0x497a
freebugs!msgi_lookup+0x46e61
freebugs!msgi_lookup+0x4f705
vbscript!IDispatchInvoke2+0xb2
vbscript!IDispatchInvoke+0x59
vbscript!InvokeDispatch+0x13c
vbscript!InvokeByName+0x43
vbscript!CScriptRuntime::RunNoEH+0x1158
vbscript!CScriptRuntime::Run+0x64
vbscript!CScriptEntryPoint::Call+0x51
vbscript!CSession::Execute+0xc8
vbscript!COleScript::ExecutePendingScripts+0x146
vbscript!COleScript::SetScriptState+0x14d
scrobj!ScriptEngine::Activate+0x1a
scrobj!ComScriptlet::Inner::StartEngines+0x6e
scrobj!ComScriptlet::Inner::Init+0x156
scrobj!ComScriptlet::New+0x3f
scrobj!ComScriptletConstructor::CreateScriptletFromNode+0x26
scrobj!ComScriptletConstructor::Create+0x4c
wscript!CHost::RunXMLScript+0x277
wscript!CHost::Execute+0x1cb
wscript!CHost::Main+0x38b
wscript!StringCchPrintfA+0xc3f
wscript!WinMain+0x18b
wscript!WinMainCRTStartup+0x5d
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b
Instruction Address: 0x

Description: Read Access Violation on Control Flow
Short Description: ReadAVonControlFlow
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation on Control Flow
starting at nomore!CBaseBSCB::KickOffDownload+0x0082
(Hash=0x237f6e51.0x456c465d)

This bug too exploitable is as is my engrish. Starting bid affects all
Windows versions and server remotely. Starting bid $50,000.00

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread musnt live
On Thu, Jun 10, 2010 at 12:59 PM, Christian Sciberras wrote:

> Susan, if you want my advise, don't even bother with Mr Live.
>
> Cheers.
>
>
>
Hello Full Disclosure, I will now speak to you about chauvinism. For
starters here Mrs. Susan chose to call me Mr. not knowing the identity of
this mine gender followed by this woman named Christian.

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Tavis Ormandy
On Thu, Jun 10, 2010 at 07:02:03PM +0200, Thomas Kristensen wrote:
> Tavis,
> 
> Nice find, but during our analysis we discovered that your hotfix
> unfortunately is inadequate.
> 
> For more information see:
> http://secunia.com/blog/103/
> 

Patches are, of course, welcome.

Thanks, Tavis.

-- 
tav...@cmpxchg8b.com | pgp encrypted mail preferred


Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Tavis Ormandy
On Thu, Jun 10, 2010 at 07:21:48PM +0200, Tavis Ormandy wrote:
> On Thu, Jun 10, 2010 at 07:02:03PM +0200, Thomas Kristensen wrote:
> > Tavis,
> > 
> > Nice find, but during our analysis we discovered that your hotfix
> > unfortunately is inadequate.
> > 
> > For more information see:
> > http://secunia.com/blog/103/
> > 
> 
> Patches are, of course, welcome.
> 
> Thanks, Tavis.

Thomas, on some examination, your theory looks accurate, good catch :-)

This doesn't seem insurmountable, but I'm reluctant to update the patch
which was only intended as a last resort. I'll work on some ideas to
address this.

If you have any thoughts, please let me know.

Thanks, Tavis.

-- 
tav...@cmpxchg8b.com | pgp encrypted mail preferred


Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Jhfjjf Hfdsjj
Hey, just wanted to say that my default installation of Windows 7 doesn't seem 
vulnerable: no hcp protocol handler. Just thought some people would like to take 
note :)



- Original Message 
From: Tavis Ormandy 
To: full-disclosure@lists.grok.org.uk
Cc: bugt...@securityfocus.com
Sent: Wed, June 9, 2010 4:46:21 PM
Subject: Microsoft Windows Help Centre Handles Malformed Escape Sequences 
Incorrectly

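A Python model of the unescape loop quoted from the original advisory, added here as an illustration; it is not code from helpctr.exe or from Tavis. The listing of MPC::HexToNum() is not reproduced on this page, so the model's handling of a non-hex digit (keeping the '%' literal, like a too-short escape) is its own assumption.

```python
"""Model of the hcp:// URL unescape loop quoted from the original advisory.

Added illustration only: this is not code from helpctr.exe or from the
advisory.  It follows the commented disassembly of MPC::HTML::UrlUnescapeW():
on '%' the routine looks at whether the next wchar is 'u', works out how many
wchars the escape needs (5 for %uXXXX, i.e. 'u' plus four digits; 2 for %XX),
treats the '%' as a literal character when the remaining input is shorter
than that, and otherwise folds the hex digits one nibble at a time into a
running total.

Assumption: MPC::HexToNum() is not shown here, so this model makes the strict
choice of rejecting a non-hex digit, in which case the '%' is kept literal
exactly as for a too-short escape.
"""
from typing import Optional


def hex_to_num(ch: str) -> Optional[int]:
    """Value of one hex digit, or None when ch is not a hex digit (assumed)."""
    if ch in "0123456789abcdefABCDEF":
        return int(ch, 16)
    return None


def decode_digits(digits: str) -> Optional[int]:
    """total = (total << 4) | HexToNum(d) for each digit, as in the listing."""
    total = 0
    for d in digits:
        val = hex_to_num(d)
        if val is None:
            return None
        total = (total << 4) | val
    return total


def unescape(url: str) -> str:
    """Decode %XX and %uXXXX escapes the way the quoted routine does.

    `pos` plays the role of esi (the first wchar after the '%'), and the
    remaining-length test mirrors the wcslen / cmp / jl sequence.
    """
    out = []
    i = 0
    n = len(url)
    while i < n:
        ch = url[i]
        if ch != "%":                    # jnz LiteralChar: not an escape
            out.append(ch)
            i += 1
            continue
        pos = i + 1                      # esi: first wchar after the '%'
        remaining = n - pos              # wcslen(esi)
        is_unicode = remaining > 0 and url[pos] == "u"
        needed = 5 if is_unicode else 2  # the setz/neg/sbb/and/inc/inc sequence
        if remaining < needed:           # jl LiteralChar: '%' taken literally
            out.append("%")
            i += 1
            continue
        # %uXXXX reads [esi+2]..[esi+8]; %XX reads [esi] and [esi+2]
        digits = url[pos + 1:pos + 5] if is_unicode else url[pos:pos + 2]
        value = decode_digits(digits)
        if value is None:                # malformed digit: model's strict choice
            out.append("%")
            i += 1
            continue
        out.append(chr(value))
        i = pos + needed                 # add esi, 0Ah / add esi, 4 (bytes, not chars)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, not URLs taken from the advisory.
    for sample in ("%41%u0042C", "100%", "%u00", "%zz", "%%41"):
        print(repr(sample), "->", repr(unescape(sample)))
```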

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Benjamin Franz
On 06/10/2010 09:26 AM, Susan Bradley wrote:
> You commented that Microsoft needs to address a communication 
> problem.  It's irrelevant to the full disclosure issue in my mind.
>
> I'd honestly like to know if there is a break down in communication at 
> the MSRC that needs to be addressed.  It appears there is one?
>

No. He didn't. What he said was: "Those of you with large support 
contracts are encouraged to tell your support  representatives that you 
would like to see Microsoft invest in developing  processes for faster 
responses to external security reports." That sounds like he is 
suggesting that companies put pressure on Microsoft to invest more 
resources in external security reports to me.

Microsoft has historically been exceedingly slow to address any reported 
vulnerabilities *except when people light a fire under them by 
publishing exploits*. Anything less typically takes months to years to 
fix. Even publicly shaming Microsoft isn't always enough. There are 
known, serious, published vulnerabilities that Microsoft didn't fix for 
*years*. I personally found and publicized one of them in 1998 - which 
*8 years later* was still not fixed 
<http://en.wikipedia.org/wiki/Cross-site_cooking>

It isn't about *communication*, it's about Microsoft treating external 
reports seriously and *taking action in a timely way - even if they 
don't have an 'exploit in hand'*.

Tavis indicated he suspects that the 'black hats' already know about 
this particular exploit (IOW he thinks it is a '0-day' exploit already 
loose in the wild).

So who, exactly, would be protected by his *NOT* publishing it?  End 
users? They are probably already being exploited by it.

-- 
Benjamin Franz



Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Bud Spencer
Hello list,

The included POC seems to work fine with IE7 or IE8 installed, however I am not 
able to run any javascript code on a clean XP SP2 with IE6.

Does that mean that you require a newer browser to use the defer trick? Are 
machines with IE6, for a change, unaffected?

I see that Tavis says "assuming a recent IE" but later down he says "Machines 
running version of IE less than 8 are, as usual, in even more trouble."

Does anyone care to clarify?

Regards, Giorgio Sardo




Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Christian Sciberras
In my humble opinion, he could have waited a couple more days just in case
Microsoft decided to do the unprecedented.
In which case, a progressive change of policies at Microsoft is better than
a couple of users getting hacked from pron sites...

Cheers.

On Thu, Jun 10, 2010 at 8:20 PM, Benjamin Franz  wrote:

> On 06/10/2010 09:26 AM, Susan Bradley wrote:
> > You commented that Microsoft needs to address a communication
> > problem.  It's irrelevant to the full disclosure issue in my mind.
> >
> > I'd honestly like to know if there is a break down in communication at
> > the MSRC that needs to be addressed.  It appears there is one?
> >
>
> No. He didn't. What he said was: "Those of you with large support
> contracts are encouraged to tell your support  representatives that you
> would like to see Microsoft invest in developing  processes for faster
> responses to external security reports." That sounds like he is
> suggesting that companies put pressure on Microsoft to invest more
> resources in external security reports to me.
>
> Microsoft has historically been exceedingly slow to address any reported
> vulnerabilities *except when people light a fire under them by
> publishing exploits*. Anything less typically takes months to years to
> fix. Even publicly shaming Microsoft isn't always enough. There are
> known, serious, published vulnerabilities that Microsoft didn't fix for
> *years*. I personally found and publicized one of them in 1998 - which
> *8 years later* was still not fixed
> <http://en.wikipedia.org/wiki/Cross-site_cooking>
>
> It isn't about *communication*, it's about Microsoft treating external
> reports seriously and *taking action in a timely way - even if they
> don't have an 'exploit in hand'*.
>
> Tavis indicated he suspects that the 'black hats' already know about
> this particular exploit (IOW he thinks it is a '0-day' exploit already
> loose in the wild).
>
> So who, exactly, would be protected by his *NOT* publishing it?  End
> users? They are probably already being exploited by it.
>
> --
> Benjamin Franz
>

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread John Jacobs


Consequently, in my humble opinion I think there should be less focus on the 
emotional interaction between Microsoft and Tavis' findings.  Of course it's 
easy for me to assert this; when I wake up in the morning I don't have the same 
challenges of wading through a soup of emotional fog and displacing the 
priority of actual vulnerabilities in favor of emotional interaction with 
Microsoft.

While it's fun to be a Microsoft apologist, and even more fun to be ruled by 
emotion, I would be ashamed to have published what Susan did.  Even more 
shaming is the call to arms which you so eagerly answered only to appear as 
foolish as Susan herself.

It's hard to tell who the trolls are, perhaps Susan is indeed a troll, and 
decided to fork the conversation about actual vulnerabilities and security 
events and derail them by introducing drivel about interacting with Microsoft.

I believe this may be one of the disadvantages of an unmoderated list, perhaps 
it encourages or enables others to treat it like a social networking site.


Date: Fri, 11 Jun 2010 11:40:55 +0200
From: uuf6...@gmail.com
To: jfr...@freerun.com
CC: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
Subject: Re: [Full-disclosure] Microsoft Windows Help Centre Handles
Malformed Escape Sequences Incorrectly

In my humble opinion, he could have waited a couple more days just in case 
Microsoft decided to do the unprecedented.
In which case, a progressive change of policies at Microsoft is better than a 
couple of users getting hacked from pron sites...


Cheers.

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread musnt live
On Thu, Jun 10, 2010 at 12:16 PM, Tavis Ormandy  wrote:

>
> I will not answer anymore uninformed questions on this topic.
>
>

Riddle me this Tavis. For why not responsible disclosure you put
millions of Microsoft customers at risk.

Hello list, I'd like to warn you about reckless disclosure. Imagine if
you will a car maker say Toyota. Owner of Toyota know of vulnerability
that when drive car, car go fast. Its a security risk. Imagine what
happen when driver go to Toyota: "Hey Chinky Car Maker Is You Car Go
Fast Vroom Vroom and can kill someone!*&%$!" Car maker think fast with
risk assessment:

1) Does the public know?
a) No they not know - recall not necessary we spend money on recall
b) No public not fully aware - somewhat aware - we bribe those aware
c) Public know - we now look like fool - damage reputation of Tavis
who reported risk

List, I'd like to warn you about Microsoft politics for disclosure.
True politics people who not report security do not see in real world
perspective.

2010-05-07 - Mustnlive contact Microsoft for 0day which take over MSN
Messenger with a single message need point of contact
2010-05-08 - Microsoft Security Response center reply:

Hello,

Thank you for this report. How would an attacker get the code onto a
victim system?

Best Regards,
(Name remove to protect lowly customer service monkey)

2010-05-08 Mustnlive reply:

Hi,

No you no understand, I send you message on you MSN and you MSN run my
code like it or not. Here is my PoC.

Inshallah!

2010-05-10 MSRC reply:

Hello,

ActiveX are considered unsafe filetypes in Windows and other Microsoft
products.  The MSRC does not open cases on file types that are
designed to run code and considered unsafe.

If you find that there is a vector to reproduce the issue that does
not require the execution of an unsafe file type please reply with
details.

Best Regards,
(Name remove to protect lowly customer service monkey)

2010-05-10 Musntlive scratch head and think: "You make ActiveX you MSRC monkey!"
2010-05-11 Musntlive move up the MSRC foodchain Blackhat ShmooFoo
style to open a can of whoop ass:

Hi,

My colleague (name remove to protect super cool MS fellow) let me know
that you reached out to him on this issue.  If you have additional
information on this issue sec...@microsoft.com is the appropriate
contact for it.

Have you been able to reproduce the issue without leveraging an unsafe
file type? or through a remote vector?

Best Regards,
(name remove to protect innocent MSRC monkey)

2010-05-10 Musntlive scratch head again and think: "You stupid MSRC
monkey! Do you not see the code! Do you not see I pwn all is your
system?!"
2010-06-01 Musntlive make exploit live weapon of IM destruction and
test test retest test test
2010-06-05 Mustnlive test on unsuspecting hot woman. Send message,
instant camera control via MSN (latest version on Vista, 7, XP)
2010-06-10 Mustnlive semidiscloses weapon of IM destruction
2010-06-10 Musntlive offer IM weapon he call Yudayajin Kuma for sale
on black market beginning bid $10,000.00

You see Susan and other non hacker monkeys, companies do not care for
fix issue they is care for covering their bungerholes. I applaud
Tavis, wish people would know the process to report bug and runaround
companies give researchers who try to report problems. No Full
Disclosure, no more free bugs. Companies is not care to fix things
that are not in the spotlight.



Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Benjamin Franz
On 06/11/2010 02:40 AM, Christian Sciberras wrote:
> In my humble opinion, he could have waited a couple more days just in 
> case Microsoft decided to do the unprecedented.
> In which case, a progressive change of policies at Microsoft is 
> better than a couple of users getting hacked from pron sites...
As I said: Tavis indicated in his original post he believes the exploit 
*was already being used in the wild*. So NOT releasing it wouldn't 
protect users. It would just keep it "secret" from everyone except 
Microsoft *and the black hats who were already using it*. While 
maintaining a false air of intact security for everyone else.

That is better, how?

-- 
Benjamin Franz



Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Benji
because when she gets 0wn3d she can be all like 'ruh roh, well, 0day
can happen to anyone'

On Fri, Jun 11, 2010 at 4:01 PM, Benjamin Franz  wrote:
> On 06/11/2010 02:40 AM, Christian Sciberras wrote:
>> In my humble opinion, he could have waited a couple more days just in
>> case Microsoft decided to do the unprecedented.
>> In which case, a progressive change of policies at Microsoft is
>> better than a couple of users getting hacked from pron sites...
> As I said: Tavis indicated in his original post he believes the exploit
> *was already being used in the wild*. So NOT releasing it wouldn't
> protect users. It would just keep it "secret" from everyone except
> Microsoft *and the black hats who were already using it*. While
> maintaining a false air of intact security for everyone else.
>
> That is better, how?
>
> --
> Benjamin Franz
>


Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread T Biehn
It's a good thing I ran that anti-hacker script!!!

On Fri, Jun 11, 2010 at 11:28 AM, Benji  wrote:

> because when she gets 0wn3d she can be all like 'ruh roh, well, 0day
> can happen to anyone'
>
> On Fri, Jun 11, 2010 at 4:01 PM, Benjamin Franz 
> wrote:
> > On 06/11/2010 02:40 AM, Christian Sciberras wrote:
> >> In my humble opinion, he could have waited a couple more days just in
> >> case Microsoft decided to do the unprecedented.
> >> In which case, a progressive change of policies at Microsoft is
> >> better than a couple of users getting hacked from pron sites...
> > As I said: Tavis indicated in his original post he believes the exploit
> > *was already being used in the wild*. So NOT releasing it wouldn't
> > protect users. It would just keep it "secret" from everyone except
> > Microsoft *and the black hats who were already using it*. While
> > maintaining a false air of intact security for everyone else.
> >
> > That is better, how?
> >
> > --
> > Benjamin Franz
> >



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread musnt live
On Fri, Jun 11, 2010 at 11:28 AM, Benji  wrote:
> because when she gets 0wn3d she can be all like 'ruh roh, well, 0day
> can happen to anyone'

Hello list. I'd like to warn you about Susan Bradley. I've seen her
pictures and for its you must be desperate to want to own her.

http://www.smbnation.com/Portals/0/speakers/speaker_susan-bradley.jpg

Ms. Bradley, I'd like to warn you about getting owned:
http://www.nogeekleftbehind.com/images/WebcastWindows7CrystalMethforGeeks_8EB4/image.png

Would not last a day for if around my neck of the sand

Ms. Bradley is nothing more than a big mouth trying to make a name for
herself. Nothing more than an MS cheerleader.



Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread musnt live
On Fri, Jun 11, 2010 at 12:03 PM, T Biehn  wrote:
> It's a good thing I ran that anti-hacker script!!!

It's a good thing there is to be a local bomb squad near me.

http://www.cbc.ca/world/story/2005/06/13/canadian-bomb050613.html



Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread T Biehn
Totally, I'd work on getting a dog too.

On Jun 11, 2010 12:20 PM, "musnt live"  wrote:

> On Fri, Jun 11, 2010 at 12:03 PM, T Biehn  wrote:
> > It's a good thing I ran that a...
>
> It's a good thing there is to be a local bomb squad near me.
>
> http://www.cbc.ca/world/story/2005/06/13/canadian-bomb050613.html

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread musnt live
On Fri, Jun 11, 2010 at 1:06 PM, T Biehn  wrote:
> Totally, I'd work on getting a dog too.
>
> On Jun 11, 2010 12:20 PM, "musnt live"  wrote:
>
> On Fri, Jun 11, 2010 at 12:03 PM, T Biehn  wrote:
>> It's a good thing I ran that a...
>
> It's a good thing there is to be a local bomb squad near me.
>
> http://www.cbc.ca/world/story/2005/06/13/canadian-bomb050613.html
>

Is Annette (your mom) available? A call to her could always have her
be answer for herself:

Annette Biehn (former known to be Annette Penney)
3395 Gail Circle
Doylestown, PA  18901
(215) 794-9220

Or maybe so your dad Brant to be upset



Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread musnt live
On Fri, Jun 11, 2010 at 1:43 PM, T Biehn  wrote:
> Maybe you can call twice and get both of them really upset?
>

Maybe I will. Would she let me sit on her bed?
http://images.realogyfg.com/j/2/5/15907460/62A47ADD-C353-4F73-94FB-742937D88A0B-6.jpg

Oh n00z all this information for on this little wannabe unabummer. Go
play now with some explosives and fux0r yourself before I is posting
your family's SS CC #'s rookie



Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread John Jacobs

> Hello list. I'd like to warn you about Susan Bradley. I've seen her
> pictures and for its you must be desperate to want to own her.
> 
> http://www.smbnation.com/Portals/0/speakers/speaker_susan-bradley.jpg

s/PMS/menopause/gi



Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread T Biehn
Maybe you can call twice and get both of them really upset?

-Travis

On Fri, Jun 11, 2010 at 1:21 PM, musnt live  wrote:

> On Fri, Jun 11, 2010 at 1:06 PM, T Biehn  wrote:
> > Totally, I'd work on getting a dog too.
> >
> > On Jun 11, 2010 12:20 PM, "musnt live"  wrote:
> >
> > On Fri, Jun 11, 2010 at 12:03 PM, T Biehn  wrote:
> >> It's a good thing I ran that a...
> >
> > It's a good thing there is to be a local bomb squad near me.
> >
> > http://www.cbc.ca/world/story/2005/06/13/canadian-bomb050613.html
> >
>
> Is Annette (your mom) available? A call to her could always have her
> be answer for herself:
>
> Annette Biehn (former known to be Annette Penney)
> 3395 Gail Circle
> Doylestown, PA  18901
> (215) 794-9220
>
> Or maybe so your dad Brant to be upset
>




Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread musnt live
On Fri, Jun 11, 2010 at 1:53 PM, T Biehn  wrote:
> So far so good.
> You've been able to go from t biehn -> Travis Biehn -> Bomber Article
> (parent's names, city, state, country) -> whitepages.com (Address and Phone
> number) -> (not clear on your jump here, did you google their name or for
> the address?) Real estate listings.
> Now to pull the SS and CC #'s you're going to have to go the extra mile. I'd
> enjoy seeing you pull our SS numbers, being that we're all Canadians.


That is right. Canadians living in Pennsylvannia. Was it not: "You
hated being in America" the reason? Was your dad not making enough at
Merck he went to work at Dynavax? Did his Zostavax product not cure
your mom from herpes? Shall we email him to ask? bbi...@dvax.com
indeed no for is that to be rude. Run along now little one explosives
await you. And I must for to warn you! I too do not like America
therefore if is you not like it then leave I must be sure that no
Americans will miss you Travis



Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread T Biehn
So far so good.
You've been able to go from t biehn -> Travis Biehn -> Bomber Article
(parent's names, city, state, country) -> whitepages.com (Address and Phone
number) -> (not clear on your jump here, did you google their name or for
the address?) Real estate listings.
Now to pull the SS and CC #'s you're going to have to go the extra mile. I'd
enjoy seeing you pull our SS numbers, being that we're all Canadians.

-Travis

On Fri, Jun 11, 2010 at 1:50 PM, musnt live  wrote:

> On Fri, Jun 11, 2010 at 1:43 PM, T Biehn  wrote:
> > Maybe you can call twice and get both of them really upset?
> >
>
> Maybe I will. Would she let me sit on her bed?
>
> http://images.realogyfg.com/j/2/5/15907460/62A47ADD-C353-4F73-94FB-742937D88A0B-6.jpg
>
> Oh n00z all this information for on this little wannabe unabummer. Go
> play now with some explosives and fux0r yourself before I is posting
> your family's SS CC #'s rookie
>




Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Benji

You're just jealous I had the intuition to protect myself.

Sent from my iPhone

On 11 Jun 2010, at 17:03, T Biehn  wrote:


> It's a good thing I ran that anti-hacker script!!!
>
> On Fri, Jun 11, 2010 at 11:28 AM, Benji  wrote:
> > because when she gets 0wn3d she can be all like 'ruh roh, well, 0day
> > can happen to anyone'
> >
> > On Fri, Jun 11, 2010 at 4:01 PM, Benjamin Franz  wrote:
> >
> > > On 06/11/2010 02:40 AM, Christian Sciberras wrote:
> > > > In my humble opinion, he could have waited a couple more days just in
> > > > case Microsoft decided to do the unprecedented.
> > > > In which case, a progressive change of policies at Microsoft is
> > > > better than a couple of users getting hacked from pron sites...
> > > As I said: Tavis indicated in his original post he believes the exploit
> > > *was already being used in the wild*. So NOT releasing it wouldn't
> > > protect users. It would just keep it "secret" from everyone except
> > > Microsoft *and the black hats who were already using it*. While
> > > maintaining a false air of intact security for everyone else.
> > >
> > > That is better, how?
> > >
> > > --
> > > Benjamin Franz
> > >




Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-13 Thread Georgi Guninski
On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:
> saying I would have spent a little more time getting mad at them and 
> sent a lot more emails back to them before posting this.
>

so do it - send a lot of mails to them before posting this.

nobody stops you from sending mails to them instead of posting this.
