Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Update: Web browsers - a mini-farce (MSIE gives in)

from [Michal Zalewski] Network Security [Permanent Link]
Subject: [Full-Disclosure] Update: Web browsers - a mini-farce (MSIE gives in)
Date: Sat, 23 Oct 2004 01:28:37 +0200 (CEST) 
Firstly, a brief update on the status of reported sample vulnerabilities:

  - mozilla_die1.html: confirmed, fixed in snapshots (DoS most of the time)
  - mozilla_die2.html: confirmed, being worked on (likely exploitable)
  - opera_die1.html: confirmed, being worked on (likely exploitable)
  - lynx_die1.html: confirmed, independent fixes from OpenBSD team (DoS)
  - links_die1.html: no official confirmation, no data (DoS)

I have no data on whether any of the vendors bothered to run my scripts to
find any further problems that are bound to surface.

I have also received reports of crashes caused by mangeme.cgi with the
following browsers:

  - Safari / Konqueror (KHTML engine)
  - elvis
  - elinks (links engine)
  - w3m

Last but not least, MSIE gives in:


  Only MSIE appears to be able to consistently handle [*] malformed
  input well, suggesting this is the only program that underwent
  rudimentary security QA testing with a similar fuzz utility.


To all those who considered my original post to be a great propaganda
ammunition for praising MSIE, bad news - although it did take a longer
while for it to give up - three hours - (impressive by comparison to
competitors), it eventually did:

  http://lcamtuf.coredump.cx/mangleme/gallery/ie_die1.html

Tested on 6.0.2800.1106, dies in mshtml.dll. This is a NULL pointer
dereference, so merely a DoS condition, but still an evident flaw in
basic HTML parsing.

******************************************************************
* This means that VIRTUALLY EVERY BROWSER IN USE TODAY is unable *
* to securely render HTML. Keeping in mind that not only web     *
* browsing, but also integrated e-mail is at risk, it is a grim  *
* thought.                                                       *
******************************************************************

Because I did not ask CERT or NIPC for patronage, did not get 20 CVE
numbers for each variant of each of the issues, nor do I have a
black-on-white webpage with stock graphics, this will likely not generate
any media splash, but I for one consider my findings to be far more
chilling that a wave of tabbed browsing URL spoofing flaws and similar
recent browser issues.

For those interested in doing some of my homework, I've updated the tool,
incorporating several minor changes to its semantics to make it somewhat
more powerful: download http://lcamtuf.coredump.cx/soft/mangleme.tgz for
version 1.2.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-10-23 00:11 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  iDEFENSE Security Advisory XX.XX.04 - Novell SuSe Linux LibTIFF Heap Overflow Vulnerability, customer service mailbox
Next by Date:  Re: [Full-Disclosure] Update: Web browsers - a mini-farce (MSIE gives in), Daniel Veditz
Previous by Thread:  [Full-Disclosure] Web browsers - a mini-farce, Michal Zalewski
Next by Thread:  Re: [Full-Disclosure] Update: Web browsers - a mini-farce (MSIE gives in), Daniel Veditz
Indexes:  [Date] [Thread] [Top] [All Lists]