Slashdot Mirror
Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
There apparently is already a fix for this one installed on many machines. It's called IE6.
Do not mod parent down. He's pointing out text found in the article link. That is not flamebait.
bigger than Linux, but there were a lot of people mirroring it and so
it didn't take long.
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS
For example, in win2k/private/inet/mshtml/src/site/download/imgbm
offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
and we're in. cbSkip goes negative and the Read call clobbers the
stack with our data.
See attached for proof of concept. index.html has [img src=1.bmp]
where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
Bring it up in IE5 (tested successfully on Win98) and get
EIP=0x44332211.
IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
worm will have to wait a bit...
PROPS TO the Fort and HAVE IT BE YOU.
Well it's not really the image file running the commands. It's the browser that is loading the image. The browser reads bad image data and gets overwritten.
It's no hoax.
Smells like you shoud read some documentation on buffer overflow techinques. Of course image files cannot run commands, but you can do some nice tricks if the program that is loading the file fails to check where the data is loaded. If the data is bigger than the allocated space, you can garble the stack in some funny way and actually craft a picture that gets to be executed (in some parts at least). Of course, doing something other that crashing the process is NOT easy, but...
That wouldn't work in this case. Overflowing a signed integer so that it wraps around to negative won't be picked up by checking if the value is greater. Using the correct datatype (unsigned int) would have been better.
(in fact, looking at the code snipped in the vulnerability notification, they do check against Offset > size of buffer)
"When I grow up, I want to be a weirdo"
a)The jpeg virus "hoax" was down to IE interpretting a jpeg as a VBS file. That's perfectly normal - if you name a shell script "harmless_image.jpeg", provided the shell sees the #!/usr/bin/shell line, then it's going to see a script and execute it as such.
b)You wouldn't think that an overly long PASS string sent to an ftp server would be able to execute commands - but it can. If you can overflow a buffer and force it to work it's way back up the stack then you could convince mouse gestures to execute commands.
The guy sent mail to securityfocus telling them that there was a hole in windows, he did not spread any virus or use this code malisously. SecurityFocus then published this info, if anyone SecurityFocus is the most liable, though I don't believe either should be.
IIRC early Apple computers actualy had a memory location called "MonkeyLives" or something like that, which was used for a program they called the monkey. The monkey program randomly entered commands and clicks and such for as long as the program was running. The problem was, sometimes it would shutdown the computer (by executing a shutdown, not by crashing it) so they created a memory location that when shutdown was called, it first checked that location to see if the monkey program was running, and would cancel the shutdown if it was.
T Money
World Domination with a plastic spoon since 1984
Come on, who keeps modding this stuff as insightful? It's been beaten to death. Personally I don't agree with the conspiracy theory but that's irrelevant. This was mentioned many times in the first article
8 186 6 149 7 608 6 723 2 805
1 595 0 866 0 862
http://slashdot.org/comments.pl?sid=96614&cid=826
http://slashdot.org/comments.pl?sid=96614&cid=826
http://slashdot.org/comments.pl?sid=96614&cid=826
http://slashdot.org/comments.pl?sid=96614&cid=826
http://slashdot.org/comments.pl?sid=96614&cid=826
and the follow-up article
http://slashdot.org/comments.pl?sid=96732&cid=827
http://slashdot.org/comments.pl?sid=96732&cid=827
http://slashdot.org/comments.pl?sid=96732&cid=827
No, it doesn't work that way. All the major Linux and BSD distros backport security fixes into older apps that they have released; they do not insist that you upgrade to the next major version. When someone (e.g. Red Hat) drops security coverage for older versions, multiple efforts (Progeny, Fedora Legacy) spring up to fill the gap.
Here's a nice supporting example for you: One of my buddies brought up a machine, got a DHCP response from the wrong place, and got railroaded to some site that looked like it was selling knives, instead of windows update. Turned out it was a page with a DSO exploit in it, and he got owned, had to reinstall the box. (And go track down the bozo advertising bad DNS in his DHCP.) It was ye olde DSO exploit. So someone installing (for whatever reason) something with IE5 can be taken over quite ruthlessly, especially since all you need do is show them an image.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Fair enough. In the future, how about a link to the comment like this?
You should use AdiumX on your Mac.
You could always check out the google Zeitgeist.
:)
http://www.google.com/press/zeitgeist.html
Down in the middle of the page, it shows a graph that depicts MSIE 6.0 to be the dominant browser in nice clear red ink.
Actually, 5.5 appears to be vulnerable. I loaded the BMP and BOOM! it crashed.
Win NT 4.0 Source:a sh=66a26447f563c3dc2336de74ae37dc14d11dd8b9
a sh=f03fc1e04869294d5644d3c8c5d0fb8f2d26aa59
http://torrent.spyderlake.com/download.php?info_h
Win 2000 Source:
http://torrent.spyderlake.com/download.php?info_h
I would (and do) use the Fedora legacy project.
Please read the original post I was responding to, which states:
I'm not going to respond to each response with the same message, so here it is:
The IE situation is the worst. You probably have no choice but to upgrade. In this case you can probably download IE 6 for free, but for other exploits you may have to pay for a newer version of Windows. Hear me, it's the worst.
The open source situation is better. You at least have the source, and at the worst case can go patch it yourself or pay somebody to patch it. Some investment in time or money can enable you to stay with an older version to avoid upgrading.
However, open source doesn't solve all the problems. If there's no volunteer to keep an old version patched, then there's some cost on your part if you don't want to upgrade. Upgrading, on the other hand, contains some risks (which may translate to cost as well). For one, the new features may contain new exploits.
Which is why I wrote that insisting on running Red Hat 5.0 may be expensive, even though it's open source. It's entirely possible (which is good, and better than IE or Windows), because you have source, but it may not be viable, despite having the source.
Somebody brought up Debian. Yes, Debian maintains an excellent stable distribution. However, not even Debian volunteers patch every old version. At some point, "testing" becomes "stable" and the old "stable" will be left to rot. If you insist on running the old one, then your personal TCO will increase significantly.
And now the obvious conclusion: not even open source can make not upgrading a viable option forever. At some point (obviously at different points for Windows compared to Red Hat Linux) it's cheaper to upgrade. That's all I'm saying.
This is completely off topic from the parent post. But THE LINKED ARTICLE CONTAINS SOURCE CODE FOR WINDOWS.
The Slashdot editors should remove the link immediately. Its really dangerous to have on the front page of this site.