Re: Internet explorer Vulnerbility

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Internet explorer Vulnerbility
From: Alexander Sotirov <asotirov@xxxxxxxxxxxxx>
Date: Thu, 01 Jun 2006 02:45:23 -0700
In-reply-to: <20060531201201.31200.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060531201201.31200.qmail@xxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.2 (Windows/20060308)

Confirmed on a fully patched Windows XP.

It's a stack overflow in inetconn.dll, but it's most likely not exploitable
because the DLL is compiled with /GS. There are no other interesting variables
to overwrite between the buffer and the return address. Overwriting the
arguments doesn't get us anywhere either.

It would be exploitable on older systems not compiled with /GS, but the code
where the vulnerability is was added in XP SP2.

Alex

References:
- Internet explorer Vulnerbility
  - From: Mr . Niega

Prev by Date: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities
Next by Date: Corsaire Security Advisory - VMware ESX Server Cross Site Scripting issue
Previous by thread: Internet explorer Vulnerbility
Next by thread: RE: Internet explorer Vulnerbility
Index(es):
- Date
- Thread