That was my initial thought too; however, I've heard rumors that you can use a virtual function table to override many of these sanity checks in the Windows.h API. However, if it were just a simple matter of overriding a function table, I would expect to have seen some proof-of-concept code by now. I expect that there is a way to overload the virtual function table, but I don't think it's as trivial as some people think it is.
In any event it needs more analysis. I've run a debugger against IE through these exploits; there are no real blatant buffer overflows against the return addresses. So I'm not sure where to look if there is a vulnerability.

On August 11, 2003 01:24 pm, Levinson, Karl wrote:
> Microsoft stated in the following article concerning a different vulnerability:
>
> http://www.microsoft.com/technet/security/bulletin/MS02-015.asp
>
> "The vulnerability would not enable the attacker to pass any parameters to the program. Microsoft is not aware of any programs installed by default in any version of Windows that, when called with no parameters, could be used to compromise the system."
>
> I could be wrong, but I would imagine this limitation would also apply to this Notepad / Wordpad popup issue and prevent it from being anything more than an annoyance... unless someone was able to, for example, use a different vulnerability beforehand to inject a new version of notepad.exe, sort of like the way the Mimail worm used the MS02-015 vulnerability above.
>
>
> -----Original Message-----
> From: Stephen Clowater [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 08, 2003 11:45 AM
> To: Richard M. Smith; [EMAIL PROTECTED]
> Subject: [despammed] Re: [Full-Disclosure] Notepad popups in Internet Explorer and Outlook
>
>
> I've heard people discuss the possibilities of using this to execute arbitrary code before; however, I've never managed to replicate anyone's findings on this yet. There has been quite a bit of talk on other lists in the past, and I've been asked by people to look into it, but I can't seem to find anything either.
>
> Supposedly you can use the same flaw to execute arbitrary code; however, I've been unable to see it replicated yet, so I wouldn't put much stock into it.
- --
******************************************************************************
Stephen Clowater

Now, if we had this sort of thing:
  yield -a    for yield to all traffic
  yield -t    for yield to trucks
  yield -f    for yield to people walking (yield foot)
  yield -d t* for yield on days starting with t
...you'd have a lot of dead people at intersections, and traffic jams you wouldn't believe...
(Discussion in comp.os.linux.misc on the intuitiveness of commands.)

The 3 case C++ function to determine the meaning of life:

char *meaingOfLife(){
#ifdef _REALITY_
  char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? /dev/null:/dev/random);
#endif
#ifdef _POLITICALY_CORRECT_
  char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
#endif
#ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
  cout << "Sending Income Data From Hard Drive Now!\n";
  System("dd if=/dev/urandom of=/dev/hda");
#endif
  return Meaning_of_your_life;
}
*****************************************************************************
