Beruflich Dokumente
Kultur Dokumente
!"
Basically firefox logs all kind of URL data in it's history.dat file, this little script will set a really
large topic and Firefox will then save that topic into it's history.dat. The next time that Firefox is
opened, it will instantly crash due to a buffer overflow. This will happen everytime until you
manually delete the history.dat file which most users won't figure out.
This proof of concept will only prevent someone from reopening their browser after being
exploited. DoS if you will however, code execution is possible with some modifications.
function ex() {
var buffer = "";
for (var i = 0; i < 5000; i++) {
buffer += "A";
}
var buffer2 = buffer;
for (i = 0; i < 500; i++) {
buffer2 += buffer;
}
document.title = buffer2;
}
With a very large aLength or textLength an attacker would be able to wrap the integer
newLength, resulting in an allocation of a too small buffer. When aLength is larger than zero the
memcpy() will overflow the buffer.
A proposed fix would be to use size_t or similar value types for all length values, as this will
ensure that the right value types are used for any length and size values. Furthermore the result of
calculations which may wrap should be checked. The following Proof-of-Concept code will
trigger the bug. Note that there will be multiple ways of triggering the issue:
POC Code:
Provided the test system has enough memory (>8 gigabyte) following crash will be triggered:
/2"#
/2"#·. 2
A vulnerability has been reported in Internet Explorer, which can be exploited by malicious
people to compromise a user's system.
The vulnerability is caused due to a boundary error within the handling of certain attributes in the
<IFRAME> and <FRAME> HTML tags. This can be exploited to cause a buffer overflow via a
malicious HTML document containing overly long strings in e.g. the "SRC" and "NAME"
attributes of the <IFRAME> tag.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed in the following versions:
* Internet Explorer 6.0 on Windows XP SP1
* Internet Explorer 6.0 on Windows 2000 .
NOTE: This advisory has been rated "Extremely critical" as a working exploit has been
published on public mailing lists. A variant of the MyDoom virus is now also exploiting this
vulnerability.
Microsoft Internet Explorer contains a buffer overflow vulnerability in its handling of embedded
objects in HTML documents. This vulnerability could allow an attacker to execute arbitrary code
on the victim's system when the victim visits a web page or views an HTML email message.
Internet Explorer supports the <EMBED> directive, which can be used to include arbitrary
objects in HTML documents. Common types of embedded objects include multimedia files, Java
applets, and ActiveX controls. The SRC attribute specifies the source path and filename of an
object. For example, a MIDI sound might be embedded in a web page with the following HTML
code:
A group of Russian researchers, SECURITY.NNOV, has reported that Internet Explorer does not
properly handle the SRC attribute of the <EMBED> directive. An HTML document, such as a
web page or HTML email message, that contains a crafted SRC attribute can trigger a buffer
overflow, executing code with the privileges of the user viewing the document.
According to the Severity Rating for the "Buffer Overrun in HTML Directive" vulnerability
in MS02-005, Internet Explorer 5.5 and 6.0 are vulnerable. Outlook and Outlook Express are
also vulnerable, since they use Internet Explorer to render HTML email messages. Other
applications that use the Internet Explorer HTML rendering engine, such as America Online
(AOL), Windows compiled HTML help (.chm) files, and third-party email clients may also be
vulnerable.
The CERT/CC is tracking this vulnerability as VU#932283, which corresponds directly to the
"buffer overrun" vulnerability described in Microsoft Security Bulletin MS02-005. This
vulnerability has been assigned the CVE identifier CAN-2002-0022.
A heap buffer overflow vulnerability exists in the way IE handles the SRC and NAME attributes
of HTML elements such as FRAME and IFRAME. Publicly available exploit code uses
JavaScript to prepare the heap by allocating memory with blocks that consist of NOP slides and
shell code. After mishandling overly long SRC and NAME attributes, IE dereferences a memory
address that may fall within one of the prepared heap blocks, running through the NOP slide and
executing the attacker's shell code. Without the ability to prepare the heap (i.e., without Active
scripting), it becomes more difficult for the attacker to execute arbitrary code. Note, however,
that an attacker could use techniques other than Active scripting to prepare the heap to more
easily execute arbitrary code.
It appears that this vulnerability was discovered using the mangleme tool.
Other programs (e.g., Outlook, Outlook Express, AOL, Lotus Notes) that use the WebBrowser
ActiveX control could be affected by this vulnerability.
Based on currently available information, IE 6 on Windows XP SP2 is not vulnerable.
/# &
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML
email message), an attacker could execute arbitrary code with the privileges of the user. The
attacker could also cause IE (or the program using the WebBrowser control) to crash.
Public reports indicate that this vulnerability is used by malicious code called Bofra (also
identified as variants of W32/MyDoom).
o$& 5
SVRT - Bkis have just discovered vulnerability in Google Chrome 0.2.149.27
Details:
- Type of Issue: Buffer Overflow.
- Affected Software: Google Chrome 0.2.149.27.
- Exploitation Environment: Google Chrome (Language: Vietnamese) on Windows
XP SP2.
A vulnerability has been reported in Google Chrome, which can be exploited by malicious
people to compromise a user's system.
The vulnerability is caused due to an error when handling unspecified HTTP responses. This can
be exploited to cause a buffer overflow via a specially crafted HTTP response received from an
HTTP server.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in versions prior to 2.0.172.33.
62,,5#&$·..
#5Google Chrome is
vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially
crafted response from a server could crash the browser and possibly allow an attacker to run
arbitrary code.
+#
The vulnerability is caused due to an error when processing HTTP responses having a
malformed "Content-Length" header. This can be exploited to cause a heap-based buffer
overflow via an overly large 64-bit "Content-Length" value, having the higher 32-bit part
negative.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is confirmed in version 10.50 for Windows. Other versions may also be
affected.