Hello, >Now all we have to do is create a BMP with bfOffBits > 2^31, >and we're in. cbSkip goes negative and the Read call clobbers >the stack with our data. See attached for proof of concept. > >index.html has [img src=1.bmp] where 1.bmp contains >bfOffBits=0xEEEEEEEE plus 4k of 0x44332211. >Brings down IE5 / OE5 (tested successfully on Win98)
Kaspersky Lab's AVP (and possibly other vendors') antivirus suites now detect the presence of this method in files by the name "Suspicion: Exploit.IMG-BMP". So any future worm or virus that tries to use this attack vector to inject itself automatically should be stopped from the very first minute. Even if it is a brand new malware. Sincerely: Tamas Feher. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
