RE: JPEG Processing BOF Proof Of Concept
That was me. Nearly two years ago to the week :)
http://www.securityfocus.com/archive/82/290856
/snip
-----Original Message-----
From: cassidy macfarlane
Sent: Friday, September 06, 2002 7:57 AM
To: vuln-dev securityfocus com
Subject: old netscape vuln - affecting XP/explorer?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi
I posted this to bugtraq, but was advised to post here..
I d/loaded the old 'crash-netscape.jpg' from secfocus (id 1503,
http://online.securityfocus.com/data/vulnerabilities/exploits/crash-nets
cape.jpg )
Sorry if it wraps
intending to have a play with Mozilla ;). I stuck it into my cygwin
dir on my local HD.
When I browse to this folder using explorer (***Tiles view***),
I get an explorer restart. (all open explorer windows close, but apps
persist)
/snip
Faulting application explorer.exe, version 6.0.2600.0, faulting
module ntdll.dll, version 5.1.2600.0, fault address 0x00003812.
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 36 e 6.0.26
0028: 30 30 2e 30 20 69 6e 20 00.0 in
0030: 6e 74 64 6c 6c 2e 64 6c ntdll.dl
0038: 6c 20 35 2e 31 2e 32 36 l 5.1.26
0040: 30 30 2e 30 20 61 74 20 00.0 at
0048: 6f 66 66 73 65 74 20 30 offset 0
0050: 30 30 30 33 38 31 32 0d 0003812.
0058: 0a .
/end snip
I'm running XP Pro, all hotfixes (apart from todays....MS02-049 and
MS02-050...yawn)
Does anyone else get the same?
Is this exploitable? - I get the same address (0x0003812) every
time...is this adjustable with the header/etc in the dodgy .jpg?
TIA, and apologies if this is known or a misconfiguration.
Cassidy Macfarlane
Group IT
www.tenongroup.com
PGP fingerprint: 31A2 1A52 6CB9 E91C 27D8 9C5C FC40 4FD7 5E96 E1A4
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPXiXUvxAT9deluGkEQIuewCgzZPslfiGX/EbwH3SEPXw2k5MHxsAoIMv
WyrI7Lv3qUtHxGtfbboxOkJB
=sXVg
-----END PGP SIGNATURE-----
/end snip
-----Original Message-----
From: GulfTech Security [mailto:security@xxxxxxxxxxxx]
Sent: 16 September 2004 18:53
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: JPEG Processing BOF Proof Of Concept
About a year ago I came across this same issue. I came across it while
messing with Solar Designer's old Netscape JPEG bug. So, in short the
same
issue applies to WinXP it seems. I showed the bug to a few people (even
contacted Microsoft, but got no reply), but neither them nor myself ever
got
around to figuring it out. Nick DeBaggis and eEye did a good job of
figuring
this very dangerous issue out :)
Anyway, the point to this post is to release the POC I just put together
using the findings that I have been sitting on for quite some time. As I
said before, I never fully understood exactly what was going on, so this
POC
doesn't execute code or anything, but it will crash any WindowsXP
machine
that has not been patched from this flaw.
If you cannot access the attached file, you may download the POC here
http://www.gulftech.org/?node=downloads
BTW: There was a BugTraq (or some other sec mailing list) post from over
a
year ago that talks about the Netscape JPEG issue crashing the WindowsXP
Shell. I remember seeing them when I first started looking into this
issue,
but do not have links right off hand. Maybe someone else reading this
does?