
!Patch for IE input validation error vulnerability...


Max Burke

Dec 18, 2003, 9:08:16 PM
Posted because Microsoft in its 'wisdom' seems to believe this is not a
critical vulnerability that requires urgent attention, despite the fact that
it's being actively exploited and putting users at risk. There have been
several high profile cases in Australia and New Zealand where this
vulnerability was used to obtain user information from users being
redirected to 'malicious' websites using this vulnerability...

NOTE: The patch is NOT a Microsoft patch; It has been issued by an
independent third party. Use at your own risk.
Back up and/or run a system restore checkpoint on your systems BEFORE
installing this patch. I have installed it on my system running XP HE and a
fully updated/patched version of IE 6 without any problems...

<quote>
This patch addresses a vulnerability in Microsoft Internet Explorer that
could allow Hackers and con-artists to display a fake URL in the address and
status bars. The vulnerability is caused due to an input validation error,
which can be exploited by including the "%01" and "%00" URL encoded
representations after the username and right before the "@" character in a
URL.

Download patch at:
http://www.openwares.org/index.php?option=com_remository&Itemid=&func=fileinfo&parent=folder&filecatid=17
<end quote>

--
mlvburke@#%&*.net.nz
Replace the obvious with paradise to email me.
See Found Images at:
http://homepages.paradise.net.nz/~mlvburke/
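As an added example (not from the post above and not the openwares patch's code), the C program below models the mechanics the quoted description gives: after percent-decoding, the URL's authority contains a 0x01 and a 0x00 byte just before the "@". The display routine here is an assumption, a stand-in for the address-bar code, which is not on the page; it treats the decoded buffer as a NUL-terminated C string and so shows only the text before the NUL, while the host parser working on the full byte range finds the host after "@". The URLs and host names are constructed for the example.

```c
/* Added example: the %01%00@ address-bar spoof, modelled in C.
 * Assumption: the vulnerable display treated the decoded URL as a
 * NUL-terminated string.  All URLs below are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (at most cap bytes).  Decoded bytes may
 * include NUL, so the decoded length is returned explicitly. */
static size_t pct_decode(const char *src, unsigned char *dst, size_t cap)
{
    size_t n = 0, i;
    for (i = 0; src[i] != '\0' && n < cap; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1])
                          && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else {
            dst[n++] = (unsigned char)src[i];
        }
    }
    return n;
}

/* Locate the authority (after "://", up to the next '/'), using the
 * explicit length rather than strlen so an embedded NUL does not end it. */
static int authority_span(const unsigned char *buf, size_t len,
                          size_t *start, size_t *end)
{
    size_t i;
    for (i = 0; i + 2 < len; i++) {
        if (buf[i] == ':' && buf[i + 1] == '/' && buf[i + 2] == '/') {
            *start = i + 3;
            *end = *start;
            while (*end < len && buf[*end] != '/')
                (*end)++;
            return 0;
        }
    }
    return -1;
}

/* What a C-string based display shows: bytes up to the first NUL.
 * The 0x01 byte survives but is non-printing, so the user sees only
 * the text before it. */
static void displayed_url(const unsigned char *buf, size_t len,
                          char *out, size_t outcap)
{
    size_t n = 0;
    while (n < len && n + 1 < outcap && buf[n] != '\0') {
        out[n] = (char)buf[n];
        n++;
    }
    out[n] = '\0';
}

/* Where navigation actually goes: the host after the last '@' in the
 * authority.  Returns 0 on success, -1 if there is no authority or the
 * host does not fit in out. */
static int real_host(const unsigned char *buf, size_t len,
                     char *out, size_t outcap)
{
    size_t start, end, host_start, j, hl;
    if (authority_span(buf, len, &start, &end) != 0)
        return -1;
    host_start = start;
    for (j = start; j < end; j++)
        if (buf[j] == '@')
            host_start = j + 1;   /* host is whatever follows the last '@' */
    hl = end - host_start;
    if (hl + 1 > outcap)
        return -1;
    memcpy(out, buf + host_start, hl);
    out[hl] = '\0';
    return 0;
}

/* Hardening check: a legitimate host or userinfo never contains a
 * control byte (0x00-0x1F or 0x7F), so any such byte in the decoded
 * authority marks the URL as suspect.  Returns 1 if found, else 0. */
static int authority_has_control_bytes(const unsigned char *buf, size_t len)
{
    size_t start, end, j;
    if (authority_span(buf, len, &start, &end) != 0)
        return 0;
    for (j = start; j < end; j++)
        if (buf[j] < 0x20 || buf[j] == 0x7f)
            return 1;
    return 0;
}

int main(void)
{
    const char *spoof = "http://www.microsoft.com%01%00@malicious.example/login";
    unsigned char dec[256];
    char shown[256], host[256];
    size_t n = pct_decode(spoof, dec, sizeof dec);

    displayed_url(dec, n, shown, sizeof shown);
    if (real_host(dec, n, host, sizeof host) == 0)
        printf("shown: %s\nactual host: %s\ncontrol bytes in authority: %d\n",
               shown, host, authority_has_control_bytes(dec, n));
    return 0;
}
```

The practical takeaway is the last function: the fix is not to patch the display routine but to reject, before display or navigation, any decoded authority that carries control bytes, since no valid userinfo or host ever does.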

Max Burke

Dec 19, 2003, 3:32:17 AM
Max Burke scribbled:
Latest recommendation: Don't install it, it has several 'serious' bugs and
triggers AdAware warnings....

The bugs in the code are:
Provided by 'tester' at the following link:
http://www.openwares.org/index.php?option=com_simpleboard&Itemid=27&func=view&id=38&catid=9

/* memory leak: dest is never freed */
char *dest = (char *)malloc(256*sizeof(char));

/* Unicode->ASCII conversion that doesn't do error checking: the return
   value (0 on failure, including when the 256-byte dest is too small)
   is ignored */
WideCharToMultiByte( CP_ACP, 0, (BSTR)url->bstrVal, -1, dest, 256, NULL,
NULL );
...

/* vulnerable arrays on the stack */
char sFake[256];
char sTrue[256];
...

/* please overwrite the return address on the stack and execute my shellcode:
   strstr() returns NULL when dest holds no 0x02 byte (NULL+1 is then
   dereferenced), and the copy into the 256-byte sFake has no length limit */
strcpy(sFake, strstr(dest, "\2") + 1);
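As an added example (not the openwares patch's code and not from 'tester'), here is the hardened counterpart of the flagged strstr/strcpy lines: a NULL check on the marker search, a bounded copy that reports truncation instead of overflowing the 256-byte stack array, and a heap buffer that is freed on every path. It assumes the 0x02 marker byte from the posted strstr call and an input already converted to a byte string; the WideCharToMultiByte step is Windows-specific and not reproduced, and what the patch does with sFake and sTrue afterwards is not shown on the page.

```c
/* Added example: safe replacement for the flagged extraction lines.
 * Assumptions: marker byte 0x02 as in the posted strstr(dest, "\2");
 * input already converted to a plain byte string. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_BUF 256   /* same fixed size the flagged code used for sFake/sTrue */

/* Copy the text following the first occurrence of `marker` into dst.
 * Returns 0 on success, -1 if the marker is absent (the flagged code did
 * strstr(...)+1 with no NULL check), -2 if the remainder would not fit
 * (the flagged code used an unbounded strcpy into a 256-byte array).
 * dst is always left NUL-terminated. */
static int copy_after_marker(const char *src, char marker,
                             char *dst, size_t dst_cap)
{
    const char needle[2] = { marker, '\0' };
    const char *p = strstr(src, needle);
    size_t n;

    if (dst_cap == 0)
        return -2;
    if (p == NULL) {
        dst[0] = '\0';
        return -1;
    }
    p++;
    n = strlen(p);
    if (n + 1 > dst_cap) {
        dst[0] = '\0';
        return -2;
    }
    memcpy(dst, p, n + 1);
    return 0;
}

/* Mirrors the shape of the flagged code (heap copy of the URL, then the
 * extraction into a fixed stack buffer), with the heap buffer sized to
 * the input and freed on every path instead of leaked.  Returns the
 * copy_after_marker code, or -3 if allocation fails. */
static int process_url(const char *url, char *sFake, size_t cap)
{
    size_t len = strlen(url);
    char *dest = (char *)malloc(len + 1);
    int rc;

    if (dest == NULL)
        return -3;
    memcpy(dest, url, len + 1);
    rc = copy_after_marker(dest, '\2', sFake, cap);
    free(dest);
    return rc;
}

int main(void)
{
    char sFake[URL_BUF];
    int rc;

    /* constructed inputs: marker present, then marker absent */
    rc = process_url("http://www.example.com\2www.example.org/", sFake, sizeof sFake);
    printf("rc=%d sFake=\"%s\"\n", rc, sFake);

    rc = process_url("http://www.example.com/", sFake, sizeof sFake);
    printf("rc=%d sFake=\"%s\"\n", rc, sFake);
    return 0;
}
```

On the conversion step that is left out here: the equivalent fix is to test the return value of WideCharToMultiByte, which is 0 when the call fails, including when the 256-byte output buffer is too small for the converted string.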
