|
Hello, just in case you haven't seen this one... Last year I found a Buffer Overflow in Microsoft's .Net SDK ILDASM tool which I reported privately to MSRC and eventually (after Microsoft's response) publicly to the (low profile) Owasp-dotnet mailing list. I was waiting for Microsoft to publicly post something about this (although they are not going to fix it in the near future, they should at least make their customers aware of the issue), but since they don't seem willing to do it, here is a copy of the email I sent to the Owasp-dotnet mailing list on 14th December 2005: "I just posted to this forum (Owasp .Net » Forums » .Net Security) a series of posts that existed in a private forum of www.owasp.net (used for issues like this (i.e. we want the information to be shared amongst selected Owasp.Net users but don't want it to be publicly disclosed (yet))) about a vulnerability that me and Kerem discovered on ILASM and ILDASM:
So be careful when you ILDASM something. I also think that this issue needs further research since when we were testing the Overflows we were finding them in several places in ILASM and ILDASM (which means that there are probably many more variations still to be discovered/mapped) Dinis Cruz Owasp .Net Project Leader www.owasp.net " |
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
