It seems my English is not as good as I thought and I accidentally led Ryan Naraine <http://blogs.zdnet.com/security/?p=5573>, Larry Seltzer <http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/#comments> and probably others to come to conclusions such as that I released a weaponized 0-day that bypasses both ASLR+DEP in current versions of MSIE and Windows using a completely new technique and that I did so as a Google employee.
However, let me try to explain better and to correct any ambiguity I may have created in my first blog post:

- I have recently released an exploit that I developed in 2005 (before I was employed by either MS or Google).
- I am releasing this as an individual as part of my new year's resolution <http://skypher.com/index.php/2010/01/02/new-years-resolutions/> to dump random stuff from my hard disk onto the tubes. (I have a personal interest in security outside of my work; every now and then I find enough time to work on and release stuff like this.)
- The exploit targets a bug that was fixed in 2005 <http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php>, which only affected MSIE 6.0 and earlier.
- The exploit shows how to implement the well-known ret-into-libc technique (using a heap spray) to bypass DEP.
- The exploit does not contain anything that is not already public, other than how to implement a ret-into-libc using a heap spray to exploit complex memory corruption bugs such as the DHTML race condition it targets.
- The exploit does not bypass ASLR.
- Using ret-into-libc to bypass DEP affects any application that has a vulnerability that allows an attacker to use a ret-into-libc attack; this is not MSIE specific.

I hope this helps clarify some things. But, not being a native English speaker, I may inadvertently have said things completely wrong again. I look forward to correcting my mistakes as they show up on other news sites in the future.

Cheers,
SkyLined

Berend-Jan Wever <[email protected]>
http://skypher.com/SkyLined

On Mon, Mar 1, 2010 at 4:51 PM, Berend-Jan Wever <[email protected]> wrote:
> Hey all,
>
> I released a version of my Internet Exploiter 2 exploit from 2005 that
> bypasses DEP.
> If you are familiar with my Internet Exploiter series of
> exploits and/or are interested in how to use heap-spraying to bypass DEP,
> you may like this:
> http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/
>
> Cheers,
> SkyLined
> <http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/>
> Berend-Jan Wever <[email protected]>
> http://skypher.com/SkyLined
>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
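Editor's added illustration of the point made in the message above (heap spray plus ret-into-libc to get past DEP). This is not SkyLined's code and not the Internet Exploiter 2 exploit; the details of that exploit are only in the linked post. Everything below is a simulation: the heap address range (HEAP_BASE), the code module (LIBC_BASE, LIBC_SIZE), the function address returned into (TARGET_FN), the memory model and the two kinds of control transfer are all hypothetical assumptions chosen to show why a spray under DEP must consist of pointers the CPU loads, not instructions it executes.

```javascript
// Added illustration, not SkyLined's code: a small model of why a heap spray
// under DEP has to spray *pointers* (ret-into-libc) instead of a NOP sled plus
// shellcode. All addresses, the memory layout and the "CPU" are hypothetical
// assumptions for the simulation; nothing here touches a real process.

const HEAP_BASE = 0x0c000000;          // assumed range the spray lands in (RW, no execute)
const LIBC_BASE = 0x7c800000;          // assumed base of an executable code module (RX)
const LIBC_SIZE = 0x00100000;
const TARGET_FN = LIBC_BASE + 0x1d7b;  // assumed address of a library function to return into

// Little-endian encoding of a 32-bit value.
function le32(word) {
  return [word & 0xff, (word >>> 8) & 0xff, (word >>> 16) & 0xff, (word >>> 24) & 0xff];
}

// One spray block that repeats a single 4-byte word. For a NOP sled the word is
// 0x90909090 (instructions); for a ret-into-libc sled it is the address the CPU
// should load and transfer to.
function buildBlock(word, size) {
  const block = new Uint8Array(size);
  const enc = le32(word);
  for (let i = 0; i < size; i++) block[i] = enc[i & 3];
  return block;
}

// True when every byte of the word is identical, so a read at ANY byte offset
// into the sled yields the same value (why classic sprays use 0x0c0c0c0c).
function alignmentAgnostic(word) {
  const b = le32(word);
  return b.every((x) => x === b[0]);
}

// Simulated memory: the block is copied blockCount times starting at HEAP_BASE.
function makeMemory(block, blockCount) {
  const heap = new Uint8Array(block.length * blockCount);
  for (let i = 0; i < blockCount; i++) heap.set(block, i * block.length);
  return {
    isExecutable(addr) { return addr >= LIBC_BASE && addr < LIBC_BASE + LIBC_SIZE; },
    read32(addr) {
      const off = addr - HEAP_BASE;
      if (off < 0 || off + 4 > heap.length) throw new Error('read outside the sprayed region');
      return (heap[off] | (heap[off + 1] << 8) | (heap[off + 2] << 16) | (heap[off + 3] << 24)) >>> 0;
    },
  };
}

// The hijacked control transfer, in two flavours:
//  'jmp': control lands *inside* the sprayed bytes and tries to execute them
//         (the pre-DEP NOP-sled style).
//  'ret': the CPU *loads a pointer* from the sprayed bytes (a fake return
//         address or vtable slot) and transfers to it (ret-into-libc style).
function transfer(mem, landing, kind, dep) {
  if (kind === 'jmp') {
    return dep && !mem.isExecutable(landing) ? 'DEP-fault' : 'executes-sprayed-bytes';
  }
  const dest = mem.read32(landing);
  if (dep && !mem.isExecutable(dest)) return 'DEP-fault';
  return dest === TARGET_FN ? 'ret-into-libc' : 'wild-jump';
}

// Run the scenarios side by side and return the outcomes.
function runScenarios() {
  const BLOCK = 0x1000, COUNT = 64;
  const nopMem = makeMemory(buildBlock(0x90909090, BLOCK), COUNT);
  const ptrMem = makeMemory(buildBlock(TARGET_FN, BLOCK), COUNT);
  const somewhere = HEAP_BASE + 0x3120;    // any 4-aligned spot inside the spray
  return {
    nopSledNoDep: transfer(nopMem, somewhere, 'jmp', false),
    nopSledDep: transfer(nopMem, somewhere, 'jmp', true),
    ptrSledDep: transfer(ptrMem, somewhere, 'ret', true),
    ptrSledDepMisaligned: transfer(ptrMem, somewhere + 1, 'ret', true),
    ptrSledAlignmentAgnostic: alignmentAgnostic(TARGET_FN),
    classicSledAlignmentAgnostic: alignmentAgnostic(0x0c0c0c0c),
  };
}

console.log(runScenarios());
```

The NOP-sled scenario fails the moment DEP is on, no matter where in the spray control lands, because the sprayed pages are data. The pointer sled succeeds under DEP because the CPU only reads the sprayed bytes and then transfers to code that is already executable. The misaligned case is the practitioner's caveat: a sled made of an arbitrary library address is not alignment-agnostic the way 0x0c0c0c0c is, so an exploit of this style has to control the alignment of the sprayed blocks relative to the corrupted pointer, and it still leaves ASLR untouched because TARGET_FN is assumed to be at a known address.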
