On 4/10/07, Brooks, Shane <[EMAIL PROTECTED]> wrote:
> Do you have a working exploit for this vuln? The SecFocus page says none is
> publicly available.
To contribute to this, the longest and most boring thread ever, look
at www.milw0rm.com (hi str0ke), specifically
http://www.milw0rm.com/exploi
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
Hi.
One thing to add about IE protected mode and all that stuff:
We get shell (in ie protected mode) using ani vulnerability.
Go to the IE temporary directory. It must have write access there :)
Then we use this: http://www.securityfocus.com/bid/23278
And we have SYSTEM access :)
Regards.
On 4/8/
Hello:
Firefox 2.0.0.3 (at least in windows) *seems to be vulnerable*. I don't
remember exactly what it did but it behaved in a strange way I believe some
file handle was left open and had to kill it the hard way. I don't know what
they say in the docs but if it ends up calling the user32 functio
Hi.
There are more and more reports about FF and ani vulnerability.
There was already a presentation of working exploit.
The thing starts to annoy me and since I am far away from any windows
I wanted to share some of my speculations.
According to docs two things are obvious:
1) Firefox doesn't supp
>That's correct, Firefox doesn't support ANI files for cursors.
Right, and it doesn't need to, because cursors are not the only way to reach
the vulnerable code.
Icons can do it, too.
___
Full-Disclosure - We believe in it.
Charter: http://lists.gro
George Ou wrote:
> The patch for ANI is out from Microsoft. I'm assuming the question is if we
> will see this technique for Firefox exploitation posted now?
Why? That would needlessly put Firefox users at risk -- not everyone will
be able to apply the Windows patch immediately. Microsoft may hav
Larry Seltzer wrote:
>>> Larry, why are you so curious about how this exploit works?
>
> Because the Firefox docs say they don't support ANI files for cursors
> and I can't get any non-malicious ones to work in it. I have to admit
> I'm having trouble getting them to work in IE now too.
That's c
>>Firefox doesn't support ANI files for cursors. If the exploitation
method was so obvious, we would already have Firefox exploits in the
wild, wouldn't we?
I don't know. I'll have to think about how else you would get it to use
an ANI. There's no Flash involved, is there?
>>Maybe the url should
>>Larry, why are you so curious about how this exploit works?
Because the Firefox docs say they don't support ANI files for cursors
and I can't get any non-malicious ones to work in it. I have to admit
I'm having trouble getting them to work in IE now too.
What's wrong with this code?
BODY{c
Larry Seltzer wrote:
> Alex had said that he was exploiting this bug on Firefox, even though
> the Firefox docs say it should be impossible. I'm just trying to
> understand how his claims are possible.
>
> There's no reason to believe the Firefox developers need to do anything.
> IE, for example,
LS> The Firefox docs say that it doesn't support .ani files for cursors.
LS> How are you exploiting it?
AS> I'll wait until the patch is out before I publish the technique.
AS> As far as I know there are no public ANI exploits for Firefox yet.
So now can you say how Firefox is vulnerable?
Larr
Larry Seltzer wrote:
>>> I just posted a video of exploiting IE7 and Firefox on Vista.
>
> The Firefox docs say that it doesn't support .ani files for cursors. How
> are you exploiting it?
I'll wait until the patch is out before I publish the technique. As far as I
know there are no public ANI
>>I just posted a video of exploiting IE7 and Firefox on Vista.
The Firefox docs say that it doesn't support .ani files for cursors. How
are you exploiting it?
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Edi
George Ou wrote:
> The exploited instance of IE7 probably spawns cmd.exe with the same
> privilege levels as IE7 in Protected Mode, which means you don't have
> read/write access to the user or system files. It's still bad because you
> probably get to harvest all of the saved username/passwords i
Larry Seltzer wrote:
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode?
I just posted a video of exploiting IE7 and Firefox on Vista. Internet Explorer
was running in protec
James Matthews wrote:
> The issue is that this only works with DEP turned off!
HOLY SHIT an insightful comment by James Matthews!!! Haha, almost got me
there, nice April fools!
Dave Aitel <[EMAIL PROTECTED]> wrote:
> ASLR has limited entropy and the attacker can continue to try exploits
> an infinite number of times (as Solar Eclipse points out). This means
> you can write a reliable Vista exploit, theoretically. I'll probably
> finish one up on Monday.
On 32-bit, yes, b
le fully enable DEP
protection and use hardware that supports NX/XD.
George
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thierry
Zoller
Sent: Monday, April 02, 2007 8:07 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .
on the fly.
George
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry
Seltzer
Sent: Monday, April 02, 2007 7:53 AM
To: Thierry Zoller
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>>
> Fuck you too.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
cool Ziff-Davis lets you curse online.
> Try the current milworm PoCs on NX enforced CPUS
Newsflash: none of the milw0rm PoCs ever worked on hardware DEP. We never told
you because you seemed to have _so_ much fun tossing your cute little payloads
around. In the happier days when I worked as an early warning dude, I used to
keep an
ASLR has limited entropy and the attacker can continue to try exploits
an infinite number of times (as Solar Eclipse points out). This means
you can write a reliable Vista exploit, theoretically. I'll probably
finish one up on Monday.
IE in protected
Dear Michal,
MM> You claim is just pointless. You CAN write
MM> reliable exploit for Hardware NX DEP and you CAN take over whole system
MM> even in the IE Protected mode
Oh dear, my "claim is just pointless", the fact is, I have not made
such a claim, I have introduced the notion of Hardware DE
Dear Larry,
You are a stubborn guy are you? _Again_, I am not talking Software DEP
but Hardware-enforced DEP. Read: 2 different things.
This is my last email within this regard, I see no point in trying to
give you further information that might help you estimate risk, as you
seem resistant to he
>>That's where you are wrong larry, if you have an NX capable CPU
("hardware enforced") DEP is turned on by default on all and every
process. Software DEP is not really DEP it's more like SafeSEH...
See http://support.microsoft.com/default.aspx/kb/875352 ("A detailed
description of the Data Execu
Dear Larry Seltzer,
I did not ask to have an explanation about Heap based exploits.
LS>I'm sure any HIPS would block it. But like DEP they're not on
LS> in Windows by default.
That's where you are wrong larry, if you have an NX capable CPU
("hardware enforced") DEP is turned on by default on all
>>"Heap spraying" is filling the heap with controllable data... This is
simply allocating things in the heap. NOT running code.
>>You are trying to say that once you jump into that code via some
exploit (NOT part of the heap spraying technique itself) THEN you are
"running code in the heap".
What
LS>Heap spraying implies running code in the heap,
JA>Actually, um.. no.. it doesn't
My understanding of heap spraying comes from
http://blogs.securiteam.com/index.php/archives/638: "...SkyLined's heap
spraying technique
(http://sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter
.ht
AS> A much simpler solution is to use heap spraying (which works fine on
AS> Vista) for systems that don't have DEP enabled.
TZ> Are we talking Software DEP or Hardware enforced DEP?
Heap spraying implies running code in the heap, which any DEP should
block. There are all kinds of software techni
Dear Alexander Sotirov,
AS> A much simpler solution is to use heap spraying (which works fine on Vista)
for
AS> systems that don't have DEP enabled.
Are we talking Software DEP or Hardware enforced DEP?
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3
Larry Seltzer wrote:
> Perhaps your exploit proves this wrong, but it's the last I heard on the
> subject. And even if there are only 256 slots how do you try more than
> one? Isn't the first wrong one going to crash the browser?
Read our advisory:
http://www.determina.com/security.research/vulner
Hi Larry..
Larry Seltzer wrote:
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE.
Assuming a compromised IE sessio
Windows security has always been pockmarked
"[EMAIL PROTECTED] said:
http://www.milw0rm.com/exploits/3634
str0ke told me to test this one and no miracle, it works under vista and the
default DEP settings doesn't catch it."
Default DEP settings in Windows XP or Vista are worthless since it's off for
all applications including IE7. I teste
http://www.milw0rm.com/exploits/3634
str0ke told me to test this one and no miracle, it works under vista and
the default DEP settings doesn't catch it.
From the published poc yes vista is vulnerable , the poc doesn't
exploit it but shows enough..
The whole windows browser crashes when you try to open the folder of the
malicious .ani file,
can't even attach it to an email because thunderbird crashes when I'm
browsing to attach the .ani,
EIP is
-Original Message-
From: Dave Aitel [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 01, 2007 3:42 PM
To: Larry Seltzer
Cc: dev code; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
Just wanted to post that using a ret2libc attack works as shown in the video
here:
http://www.zippyvideos.com/5991194746836606/ani-xp-sp2/
>From: "Chris Lyon" <[EMAIL PROTECTED]>
>To: full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Windows .ANI L
>>It is completely possible to execute shellcode if we can do some DEP
bypass (ie. ret2libc attack, etc..)
In Vista this should have problems because of ASLR, right?
I'm beginning to think that web-based attacks with this in Vista aren't
really so scary. Even if you can get them to execute what
>>I tested it in Windows xp sp2 and it doesn't work.
>>Callax
Did you try turning DEP off and re-testing?
i updated yesterday
(added as an attachment to the full disclosure post) returns to
ExitProcess() and closes explorer.exe upon viewing the .ani file, just to
show that it is possible to do our own shiznat in SP2.
>>The issue is that this only works with DEP turned off!
Interesting point. I haven't seen this mentioned anywhere, including the
Microsoft advisory
(http://www.microsoft.com/technet/security/advisory/935423.mspx).
Has anyone actually tested this with DEP on/off to be sure?
Larry Seltzer
Date: Sat, 31 Mar 2007 06:53:34 -0500
Hello:
Does this work in *fully patched* XP Pro + SP2? Mine seems to be totally
immune (not even crashing). XP Pro + SP2 + 0 patches crashes (probably
landing somewhere else in memory).
On 3/30/07, dev code <[EMAIL PROTECTED]> wrote:
/*
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
*
* Description:
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
*