Hi. One thing to add about IE protected mode and all that stuff: We get shell (in ie protected mode) using ani vulnerability. Go to the IE temporary directory. It must have write access there :) Then we use this: http://www.securityfocus.com/bid/23278 And we have SYSTEM access :) Regards.
On 4/8/07, wac <[EMAIL PROTECTED]> wrote: > Hello: > > Firefox 2.0.0.3 (at least in windows) *seems to be vulnerable*. I don't > remember exactly what it did but it behaved in a strange way I believe some > file handle was left open and had to kill it the hard way. I don't know what > they say in the docs but if it ends up calling the user32 function and > that's all it takes to trigger the bug. I was taking a peek at it's import > tables and It imports from User32 the function LoadCursorA maybe that could > be the guilty one. > > anyway test here and see what happens (that link is from dev code) > > http://sicotik.com/ink/test.html > > I'm not vulnerable anymore since quite some time ;) and I don't have much > time to test right now > > Regards > Waldo > > > On 4/8/07, Michal Majchrowicz <[EMAIL PROTECTED]> wrote: > > Hi. > > There are more and more reports about FF and ani vulnerability. > > There was already a presentation of working exploit. > > The thing starts to annoy me and since I am far away from any windows > > I wanted to share some of my speculations. > > According to docs two things are obvious: > > 1) Firefox doesn't support ANI cursors > > 2) ANI is just few cur cursors packed together and presented as an > animation. > > So i have three possible ways of exploiting it: > > 1) Since ANI files are vulnerable then maybe cur files are also > > vulnerable. Firefox does support CUR files. > > 2) If firefox doesn't support ANI files it only means it doesn't > > render them. It doesn't mean it will not acept them in any way:) > > 3) Maybe it is possible to rename foo.ani and rename it to foo.cur. > > Then FF will call win api with this cursor. Windows API will recognize > > this as ANI file and call vulnerable function . > > As I said before these are just speculation. I hope someone will be > > able to confirm or prove that some of them (or all) have no sense. > > Happy Easter to everyone. > > Regards Michal. > > > > On 4/4/07, Peter Ferrie <[EMAIL PROTECTED]> wrote: > > > >That's correct, Firefox doesn't support ANI files for cursors. > > > > > > Right, and it doesn't need to, because cursors are not the only way to > reach the vulnerable code. > > > Icons can do it, too. > > > > > > > > > _______________________________________________ > > > Full-Disclosure - We believe in it. > > > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
