NOTE: The patch is NOT a Microsoft patch; it has been issued by an
independent third party. Use at your own risk.
Back up and/or create a system restore checkpoint on your systems BEFORE
installing this patch. I have installed it on my system running XP HE and a
fully updated/patched version of IE 6 without any problems...
<quote>
This patch addresses a vulnerability in Microsoft Internet Explorer that
could allow hackers and con-artists to display a fake URL in the address and
status bars. The vulnerability is caused by an input validation error,
which can be exploited by including the "%01" and "%00" URL-encoded
representations after the username and right before the "@" character in a
URL.
Download patch at:
http://www.openwares.org/index.php?option=com_remository&Itemid=&func=fileinfo&parent=folder&filecatid=17
<end quote>
--
mlvburke@#%&*.net.nz
Replace the obvious with paradise to email me.
See Found Images at:
http://homepages.paradise.net.nz/~mlvburke/
The bugs in the code, as provided by 'tester' at the following link, are:
http://www.openwares.org/index.php?option=com_simpleboard&Itemid=27&func=view&id=38&catid=9
/* memory leak: dest is malloc'd here and never freed */
char *dest = (char *)malloc(256*sizeof(char));
/* Unicode->ASCII conversion that doesn't do error checking (neither the
   malloc result nor the WideCharToMultiByte return value is tested) */
WideCharToMultiByte( CP_ACP, 0, (BSTR)url->bstrVal, -1, dest, 256, NULL,
NULL );
...
/* vulnerable arrays on the stack */
char sFake[256];
char sTrue[256];
...
/* please overwrite the return address on the stack and execute my shellcode:
   unbounded strcpy of attacker-controlled URL text into a 256-byte stack
   buffer, and the strstr() result is not checked for NULL before the +1 */
strcpy(sFake, strstr(dest,"\2") + 1);
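To make the two points above concrete, here is an added example in C. It is not code from the original post, from 'tester', or from the openwares patch: it puts a bounded replacement for the strcpy()/strstr() line next to a function that reports how far the original copy would have run past a 256-byte buffer, and adds a check for the "%00"/"%01"-before-"@" pattern the quoted advisory describes. The function names, the use of 0x02 as the separator marker, and the sample URLs are assumptions constructed for the example; the Windows-only WideCharToMultiByte() call is left out so the code builds anywhere.

```c
/* Added example, not part of the original post or the patch it discusses. */
#include <stdio.h>
#include <string.h>

enum { BUF_LEN = 256 };   /* same size as the sFake/sTrue arrays in the snippet */

/* Returns 1 if the URL carries a %00 or %01 escape inside the userinfo part
   (between "://" and the first '@' of the authority), which is the pattern the
   quoted advisory attributes to the spoof. Returns 0 otherwise. */
int userinfo_has_control_escape(const char *url)
{
    const char *scheme_end = strstr(url, "://");
    const char *p = scheme_end ? scheme_end + 3 : url;
    const char *at = strchr(p, '@');
    if (!at) return 0;                        /* no userinfo, nothing to spoof */
    const char *slash = strchr(p, '/');
    if (slash && slash < at) return 0;        /* '@' is in the path, not the authority */
    for (; p + 2 < at; p++) {
        if (p[0] == '%' && p[1] == '0' && (p[2] == '0' || p[2] == '1'))
            return 1;
    }
    return 0;
}

/* Bounded replacement for  strcpy(sFake, strstr(dest, "\2") + 1);
   - checks for the marker instead of adding 1 to a possible NULL
   - copies at most BUF_LEN-1 bytes and always NUL-terminates
   Returns 0 on success, -1 if no marker is present, -2 if the tail was
   truncated to fit. */
int copy_after_marker(char out[BUF_LEN], const char *in, char marker)
{
    const char *hit = strchr(in, marker);
    if (!hit) { out[0] = '\0'; return -1; }
    const char *tail = hit + 1;
    size_t n = strlen(tail);
    int rc = 0;
    if (n >= BUF_LEN) { n = BUF_LEN - 1; rc = -2; }
    memcpy(out, tail, n);
    out[n] = '\0';
    return rc;
}

/* How many bytes the original unbounded strcpy() would write past a
   BUF_LEN-byte buffer for this input (0 means it fits). Computed without
   performing the copy, so the demo does not smash its own stack. */
size_t strcpy_overrun(const char *in, char marker)
{
    const char *hit = strchr(in, marker);
    if (!hit) return 0;                       /* the original would deref NULL+1 here */
    size_t need = strlen(hit + 1) + 1;        /* tail plus terminator */
    return need > BUF_LEN ? need - BUF_LEN : 0;
}

int main(void)
{
    /* Constructed sample URLs, not taken from any real report. */
    const char *spoof = "http://www.microsoft.com%01%00@evil.example/login";
    const char *plain = "http://user:pass@example.com/";
    printf("%s -> %d\n", spoof, userinfo_has_control_escape(spoof));
    printf("%s -> %d\n", plain, userinfo_has_control_escape(plain));

    /* A tail longer than the 256-byte buffer, as an attacker would supply. */
    char big[BUF_LEN + 64];
    big[0] = 'x';
    big[1] = '\2';
    memset(big + 2, 'A', sizeof big - 3);
    big[sizeof big - 1] = '\0';

    char out[BUF_LEN];
    printf("original strcpy would overrun by %zu bytes\n", strcpy_overrun(big, '\2'));
    printf("bounded copy rc=%d, copied %zu bytes\n",
           copy_after_marker(out, big, '\2'), strlen(out));
    return 0;
}
```

The userinfo check is deliberately conservative: it only flags the two escapes the advisory names, and only when they sit in the authority before an '@', so an ordinary "user:pass@host" URL passes and a '@' inside a query string is ignored.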