Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Internet Explorer 7 ActiveX bgColor property NULL poin

from [Alexander Sotirov] Network Security [Permanent Link]
Subject: [Full-disclosure] Internet Explorer 7 ActiveX bgColor property NULL pointer dereference (DoS)
Date: Sun, 28 Jan 2007 21:58:42 -0800 
I thought that after the success of MoBB last year, fuzzing browsers will be
pointless, since all vendors would take care of the easily-found bugs before a
release. It turns out that I was wrong. I ran a very simple ActiveX fuzzer
against Vista and found a NULL pointer dereference bug in no time. The
vulnerable ActiveX control is on the pre-approved list in IE7, which makes the
bug easy to trigger with no security warnings and no user interaction.

Try this:

<script language="JavaScript">
    obj = new ActiveXObject("giffile");
    obj.bgColor;
</script>

MSRC said that this is a reliability bug and not a security issue, and it will
be fixed at some point in the future. I agree that DoS bugs against IE are not
very important (as long as skape doesn't drop any more vulns like MS06-051 :-),
but it's interesting that such a simple bug in such an obvious part of the IE7
attack surface was not discovered and fixed before the release.

See the full technical details at
http://www.determina.com/security.research/vulnerabilities/activex-bgcolor.html

More about fuzzers and ActiveX at
http://determina.blogspot.com/2007/01/fuzzing-shouldnt-work.html


Alexander Sotirov
Determina Security Research

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Internet Explorer 7 ActiveX bgColor property NULL pointer dereference (DoS), Alexander Sotirov <=
Previous by Date:  [Full-disclosure] [SECURITY] [DSA 1254-1] New bind9 packages fix denial of service, Moritz Muehlenhoff
Next by Date:  [Full-disclosure] Oracle - Indirect Privilege Escalation and Defeating Virtual Private Databases, David Litchfield
Previous by Thread:  [Full-disclosure] [SECURITY] [DSA 1254-1] New bind9 packages fix denial of service, Moritz Muehlenhoff
Next by Thread:  [Full-disclosure] Oracle - Indirect Privilege Escalation and Defeating Virtual Private Databases, David Litchfield
Indexes:  [Date] [Thread] [Top] [All Lists]