Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:
saying I would have spent a little more time getting mad at them and sent a lot more emails back to them before posting this.

So do it - send a lot of mails to them before posting this. Nobody stops you from sending mails to them instead of posting this.

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Susan, this is what is called full disclosure, and my response was relevant. I will not answer any more uninformed questions on this topic.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 09:02:37AM -0700, Susan Bradley wrote:
I'm not asking about disclosure. I'm asking what happened to the level of communication between you and MSRC that after 4 days you posted this?

Tavis Ormandy wrote:
Susan, I wish I had the time to hold your hand through getting up to speed on the disclosure debate. Instead, I would suggest starting with the links in my advisory which were intended to give you enough background to understand the issues involved (skip to the Notes section, if you like). As I cannot hope to speak as eloquently on the topic as Bruce, I will not attempt to repeat them for you here. If after researching the topic you still have questions, please let me know.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:
I'm not an enterprise customer, but I am a mouthy female. So here's my question back to you, for my education, how exactly did MSRC contact you back? Since June 5th have you tried emailing back or any of your contacts from past interactions and asked what was up? I'm disappointed in this lack of communication I see on both sides. You are ...well... Tavis Ormandy... I seriously doubt MSRC is blowing you off here. Keep in mind we just had a LARGE patch week to deal with. I don't know what was going on on their side, nor am I making excuses as I don't know what communication you've had in the past and had on this issue ... I'm just saying I would have spent a little more time getting mad at them and sent a lot more emails back to them before posting this. (And try dealing with Microsoft licensing sometime if you think security communication is lacking)

-- - tav...@cmpxchg8b.com | pgp encrypted mail preferred ---
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Thu, Jun 10, 2010 at 12:18 PM, Susan Bradley sbrad...@pacbell.net wrote:
Nope Mr. Live, other than dealing with .NET updates and a 982331 that keeps wanting to have UAC turned off on some Win7/Vistas to get installed, this is just my normal calm, try to also consider the consumers and patchers viewpoint person today.

musnt live wrote:
On Thu, Jun 10, 2010 at 11:36 AM, Susan Bradley sbrad...@pacbell.net wrote:
I'm not an enterprise customer, but I am a mouthy female.

Hello Full Disclosure, I'd like to warn you about PMS!

Hello Full Disclosure, please forgive for me my premature mail. What is I meant to now say is, I would like to warn you about Denial: http://en.wikipedia.org/wiki/Denial

Denial is a defense mechanism postulated by Sigmund Freud, in which a person is faced with a fact that is too uncomfortable to accept and rejects it instead, insisting that it is not true despite what may be overwhelming evidence.

I once had denial from vulnerable company I will release in the future:

targetFile = C:\NOFREEBUGNAMES.ocx
prototype = Invoke_Unknown LayoutURL As String
memberName = LayoutURL
progid = no.free.bugs
argCount = 1
arg1=String(4116, A)
target.LayoutURL = arg1

0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xdeadbabe
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC005)
Exception Sub-Type: Read Access Violation
Faulting Instruction: call dword ptr [ecx]
Exception Hash (Major/Minor): 0x237f6e51.0x456c465d
Stack Trace:
nomore!CBaseBSCB::KickOffDownload+0x82
nomore!URLOpenStreamW+0x41
nomore!URLOpenStreamA+0x94
freebugs!DllUnregisterServer+0x5974
freebugs!BufferComparator::operator=+0x497a
freebugs!msgi_lookup+0x46e61
freebugs!msgi_lookup+0x4f705
vbscript!IDispatchInvoke2+0xb2
vbscript!IDispatchInvoke+0x59
vbscript!InvokeDispatch+0x13c
vbscript!InvokeByName+0x43
vbscript!CScriptRuntime::RunNoEH+0x1158
vbscript!CScriptRuntime::Run+0x64
vbscript!CScriptEntryPoint::Call+0x51
vbscript!CSession::Execute+0xc8
vbscript!COleScript::ExecutePendingScripts+0x146
vbscript!COleScript::SetScriptState+0x14d
scrobj!ScriptEngine::Activate+0x1a
scrobj!ComScriptlet::Inner::StartEngines+0x6e
scrobj!ComScriptlet::Inner::Init+0x156
scrobj!ComScriptlet::New+0x3f
scrobj!ComScriptletConstructor::CreateScriptletFromNode+0x26
scrobj!ComScriptletConstructor::Create+0x4c
wscript!CHost::RunXMLScript+0x277
wscript!CHost::Execute+0x1cb
wscript!CHost::Main+0x38b
wscript!StringCchPrintfA+0xc3f
wscript!WinMain+0x18b
wscript!WinMainCRTStartup+0x5d
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b
Instruction Address: 0x
Description: Read Access Violation on Control Flow
Short Description: ReadAVonControlFlow
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation on Control Flow starting at nomore!CBaseBSCB::KickOffDownload+0x0082 (Hash=0x237f6e51.0x456c465d)

This bug too exploitable is as is my engrish. Starting bid affects all Windows versions and server remotely. Starting bid $50,000.00
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Thu, Jun 10, 2010 at 12:59 PM, Christian Sciberras uuf6...@gmail.com wrote:
Susan, if you want my advice, don't even bother with Mr Live. Cheers.

Hello Full Disclosure, I will now speak to you about chauvinism. For starters here Mrs. Susan chose to call me Mr. not knowing the identity of this mine gender followed by this woman named Christian.
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Thu, Jun 10, 2010 at 07:02:03PM +0200, Thomas Kristensen wrote:
Tavis, Nice find, but during our analysis we discovered that your hotfix unfortunately is inadequate. For more information see: http://secunia.com/blog/103/

Patches are, of course, welcome.

Thanks, Tavis.

-- - tav...@cmpxchg8b.com | pgp encrypted mail preferred ---
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Thu, Jun 10, 2010 at 07:21:48PM +0200, Tavis Ormandy wrote:
On Thu, Jun 10, 2010 at 07:02:03PM +0200, Thomas Kristensen wrote:
Tavis, Nice find, but during our analysis we discovered that your hotfix unfortunately is inadequate. For more information see: http://secunia.com/blog/103/

Patches are, of course, welcome.

Thanks, Tavis.

Thomas, on some examination, your theory looks accurate, good catch :-)

This doesn't seem insurmountable, but I'm reluctant to update the patch which was only intended as a last resort. I'll work on some ideas to address this. If you have any thoughts, please let me know.

Thanks, Tavis.

-- - tav...@cmpxchg8b.com | pgp encrypted mail preferred ---
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Hey just wanted to say that my default installation of Windows 7 doesn't seem vulnerable ~ no hcp protocol handler. Just thought some people would like to take note :)

- Original Message -
From: Tavis Ormandy tav...@cmpxchg8b.com
To: full-disclosure@lists.grok.org.uk
Cc: bugt...@securityfocus.com
Sent: Wed, June 9, 2010 4:46:21 PM
Subject: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Help and Support Centre is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme hcp, a typical example is provided in the Windows XP Command Line Reference, available at http://technet.microsoft.com/en-us/library/bb490918.aspx.

Using hcp:// URLs is intended to be safe, as when invoked via the registered protocol handler the command line parameter /fromhcp is passed to the help centre application. This flag switches the help centre into a restricted mode, which will only permit a whitelisted set of help documents and parameters.

This design, introduced in SP2, is reasonably sound. A whitelist of trusted documents is a safe way of allowing interaction with the documentation from less-trusted sources. Unfortunately, an implementation error in the whitelist allows it to be evaded.

URLs are normalised and unescaped prior to validation using MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL escape sequences into their original characters, the relevant code from helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.

.text:0106684C Unescape:
.text:0106684C     cmp     di, '%'                 ; di contains the current wchar in the input URL.
.text:01066850     jnz     short LiteralChar       ; if this is not a '%', it must be a literal character.
.text:01066852     push    esi                     ; esi contains a pointer to the current position in URL to unescape.
.text:01066853     call    ds:wcslen               ; find the remaining length.
.text:01066859     cmp     word ptr [esi], 'u'     ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.
.text:0106685D     pop     ecx                     ; this sequence calculates the number of wchars needed (4 or 2).
.text:0106685E     setz    cl                      ; i.e. %u (four needed), or %XX (two needed).
.text:01066861     mov     dl, cl
.text:01066863     neg     dl
.text:01066865     sbb     edx, edx
.text:01066867     and     edx, 3
.text:0106686A     inc     edx
.text:0106686B     inc     edx
.text:0106686C     cmp     eax, edx                ; test if I have enough characters in input to decode.
.text:0106686E     jl      short LiteralChar       ; if not enough, this '%' is considered literal.
.text:01066870     test    cl, cl
.text:01066872     movzx   eax, word ptr [esi+2]
.text:01066876     push    eax
.text:01066877     jz      short NotUnicode
.text:01066879     call    HexToNum                ; call MPC::HexToNum() to convert this nibble (4 bits) to an integer.
.text:0106687E     mov     edi, eax                ; edi contains the running total of the value of this escape sequence.
.text:01066880     movzx   eax, word ptr [esi+4]
.text:01066884     push    eax
.text:01066885     shl     edi, 4                  ; shift edi left 4 positions to make room for the next digit, i.e. total <<= 4;
.text:01066888     call    HexToNum
.text:0106688D     or      edi, eax                ; or the next value into the 4-bit gap, i.e. total |= val.
.text:0106688F     movzx   eax, word ptr [esi+6]   ; this process continues for the remaining wchars.
.text:01066893     push    eax
.text:01066894     shl     edi, 4
.text:01066897     call    HexToNum
.text:0106689C     or      edi, eax
.text:0106689E     movzx   eax, word ptr [esi+8]
.text:010668A2     push    eax
.text:010668A3     shl     edi, 4
.text:010668A6     call    HexToNum
.text:010668AB     or      edi, eax
.text:010668AD     add     esi, 0Ah                ; account for number of bytes (not chars) consumed by the escape.
.text:010668B0     jmp     short FinishedEscape
.text:010668B2
.text:010668B2 NotUnicode:
.text:010668B2     call    HexToNum                ; this is the same code, but for non-unicode sequences (e.g. %41, instead of %u0041)
.text:010668B7     mov     edi, eax
.text:010668B9     movzx   eax, word ptr [esi]
.text:010668BC     push    eax
.text:010668BD     call    HexToNum
.text:010668C2     shl     eax, 4
.text:010668C5     or      edi, eax
.text:010668C7     add     esi, 4                  ; account for number of bytes (not chars) consumed by the escape.
.text:010668CA
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Hello list,

The included POC seems to work fine with IE7 or IE8 installed, however I am not able to run any javascript code on a clean XP SP2 with IE6. Does that mean that you require a newer browser to use the defer trick? Are machines with IE6 for a change unaffected? I see that Tavis says "assuming a recent IE" but later down he says "Machines running version of IE less than 8 are, as usual, in even more trouble". Does anyone care to clarify?

Regards,
Giorgio Sardo
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
In my humble opinion, he could have waited a couple more days just in case Microsoft decided to do the unprecedented. In which case, I progressive change of policies at Microsoft are better than a couple of users getting hacked from pron sites...

Cheers.

On Thu, Jun 10, 2010 at 8:20 PM, Benjamin Franz jfr...@freerun.com wrote:
On 06/10/2010 09:26 AM, Susan Bradley wrote:
You commented that Microsoft needs to address a communication problem. It's irrelevant to the full disclosure issue in my mind. I'd honestly like to know if there is a break down in communication at the MSRC that needs to be addressed. It appears there is one?

No. He didn't. What he said was:

Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.

That sounds like he is suggesting that companies put pressure on Microsoft to invest more resources in external security reports to me.

Microsoft has historically been exceedingly slow to address any reported vulnerabilities *except when people light a fire under them by publishing exploits*. Anything less typically takes months to years to fix. Even publicly shaming Microsoft isn't always enough. There are known, serious, published vulnerabilities that Microsoft didn't fix for *years*. I personally found and publicized one of them in 1998 - which *8 years later* was still not fixed URL:http://en.wikipedia.org/wiki/Cross-site_cooking

It isn't about *communication*, it's about Microsoft treating external reports seriously and *taking action in a timely way - even if they don't have an 'exploit in hand'*.

Tavis indicated he suspects that the 'black hats' already know about this particular exploit (IOW he thinks it is a '0-day' exploit already loose in the wild). So who, exactly, would be protected by his *NOT* publishing it? End users? They are probably already being exploited by it.

-- Benjamin Franz
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Consequently, in my humble opinion I think there should be less focus on the emotional interaction between Microsoft and Travis' findings. Of course it's easy for me to assert this; when I wake up in the morning I don't have the same challenges of wading through a soup of emotional fog and displacing the priority of actual vulnerabilities in favor of emotional interaction with Microsoft.

While it's fun to be a Microsoft apologist, and even more fun to be ruled by emotion, I would be ashamed to have published what Susan did. Even more shaming is the call to arms which you so eagerly answered only to appear as foolish as Susan herself.

It's hard to tell who the trolls are, perhaps Susan is indeed a troll, and decided to fork the conversation about actual vulnerabilities and security events and derail them by introducing drivel about interacting with Microsoft. I believe this may be one of the disadvantages of an unmoderated list, perhaps it encourages or enables others to treat it like a social networking site.

Date: Fri, 11 Jun 2010 11:40:55 +0200
From: uuf6...@gmail.com
To: jfr...@freerun.com
CC: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
Subject: Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

In my humble opinion, he could have waited a couple more days just in case Microsoft decided to do the unprecedented. In which case, I progressive change of policies at Microsoft are better than a couple of users getting hacked from pron sites...

Cheers.
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Thu, Jun 10, 2010 at 12:16 PM, Tavis Ormandy tav...@cmpxchg8b.com wrote:
I will not answer any more uninformed questions on this topic.

Riddle me this Tavis. For why not responsible disclosure you put millions of Microsoft customers at risk.

Hello list, I'd like to warn you about reckless disclosure. Imagine if you will a car maker say Toyota. Owner of Toyota know of vulnerability that when drive car, car go fast. Its a security risk. Imagine what happen when driver go to Toyota: Hey Chinky Car Maker Is You Car Go Fast Vroom Vroom and can kill someone!*%$!

Car maker think fast with risk assessment:
1) Does the public know?
a) No they not know - recall not necessary we spend money on recall
b) No public not fully aware - somewhat aware - we bribe those aware
c) Public know - we now look like fool - damage reputation of Tavis who reported risk

List, I'd like to warn you about Microsoft politics for disclosure. True politics people who not report security do not see in real world perspective.

2010-05-07 - Mustnlive contact Microsoft for 0day which take over MSN Messenger with a single message need point of contact

2010-05-08 - Microsoft Security Response center reply:
Hello, Thank you for this report. How would an attacker get the code onto a victim system? Best Regards, (Name remove to protect lowly customer service monkey)

2010-05-08 Mustnlive reply:
Hi, No you no understand, I send you message on you MSN and you MSN run my code like it or not. Here is my PoC. Inshallah!

2010-05-10 MSRC reply:
Hello, ActiveX are considered unsafe filetypes in Windows and other Microsoft products. The MSRC does not open cases on file types that are designed to run code and considered unsafe. If you find that there is a vector to reproduce the issue that does not require the execution of an unsafe file type please reply with details. Best Regards, (Name remove to protect lowly customer service monkey)

2010-05-10 Musntlive scratch head and think: You make ActiveX you MSRC monkey!

2010-05-11 Musntlive move up the MSRC foodchain Blackhat ShmooFoo style to open a can of whoop ass:
Hi, My colleague (name remove to protect super cool MS fellow) let me know that you reached out to him on this issue. If you have additional information on this issue sec...@microsoft.com is the appropriate contact for it. Have you been able to reproduce the issue without leveraging an unsafe file type? or through a remote vector? Best Regards, (name remove to protect innocent MSRC monkey)

2010-05-10 Musntlive scratch head again and think: You stupid MSRC monkey! Do you not see the code! Do you not see I pwn all is your system?!

2010-06-01 Musntlive make exploit live weapon of IM destruction and test test retest test test

2010-06-05 Mustnlive test on unsuspecting hot woman. Send message, instant camera control via MSN (latest version on Vista, 7, XP)

2010-06-10 Mustnlive semidiscloses weapon of IM destruction

2010-06-10 Musntlive offer IM weapon he call Yudayajin Kuma for sale on black market beginning bid $10,000.00

You see Susan and other non hacker monkeys, companies do not care for fix issue they is care for covering their bungerholes. I applaud Tavis, wish people would know the process to report bug and runaround companies give researchers who try to report problems. No Full Disclosure, no more free bugs. Companies is not care to fix things that are not in the spotlight.
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On 06/11/2010 02:40 AM, Christian Sciberras wrote:
In my humble opinion, he could have waited a couple more days just in case Microsoft decided to do the unprecedented. In which case, I progressive change of policies at Microsoft are better than a couple of users getting hacked from pron sites...

As I said: Travis indicated in his original post he believes the exploit *was already being used in the wild*. So NOT releasing it wouldn't protect users. It would just keep it secret from everyone except Microsoft *and the black hats who were already using it*. While maintaining a false air of intact security for everyone else.

That is better, how?

-- Benjamin Franz
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
because when she gets 0wn3d she can be all like 'ruh roh, well, 0day can happen to anyone'

On Fri, Jun 11, 2010 at 4:01 PM, Benjamin Franz jfr...@freerun.com wrote:
On 06/11/2010 02:40 AM, Christian Sciberras wrote:
In my humble opinion, he could have waited a couple more days just in case Microsoft decided to do the unprecedented. In which case, I progressive change of policies at Microsoft are better than a couple of users getting hacked from pron sites...

As I said: Travis indicated in his original post he believes the exploit *was already being used in the wild*. So NOT releasing it wouldn't protect users. It would just keep it secret from everyone except Microsoft *and the black hats who were already using it*. While maintaining a false air of intact security for everyone else.

That is better, how?

-- Benjamin Franz
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
It's a good thing I ran that anti-hacker script!!!

On Fri, Jun 11, 2010 at 11:28 AM, Benji m...@b3nji.com wrote:
because when she gets 0wn3d she can be all like 'ruh roh, well, 0day can happen to anyone'

On Fri, Jun 11, 2010 at 4:01 PM, Benjamin Franz jfr...@freerun.com wrote:
On 06/11/2010 02:40 AM, Christian Sciberras wrote:
In my humble opinion, he could have waited a couple more days just in case Microsoft decided to do the unprecedented. In which case, I progressive change of policies at Microsoft are better than a couple of users getting hacked from pron sites...

As I said: Travis indicated in his original post he believes the exploit *was already being used in the wild*. So NOT releasing it wouldn't protect users. It would just keep it secret from everyone except Microsoft *and the black hats who were already using it*. While maintaining a false air of intact security for everyone else.

That is better, how?

-- Benjamin Franz

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehnop=indexfingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Fri, Jun 11, 2010 at 11:28 AM, Benji m...@b3nji.com wrote: because when she gets 0wn3d she can be all like 'ruh roh, well, 0day can happen to anyone' Hello list. I'd like to warn you about Susan Bradley. I've seen her pictures and for its you must be desperate to want to own her. http://www.smbnation.com/Portals/0/speakers/speaker_susan-bradley.jpg Ms. Bradley, I'd like to warn you about getting owned: http://www.nogeekleftbehind.com/images/WebcastWindows7CrystalMethforGeeks_8EB4/image.png Would not last a day for if around my neck of the sand Ms. Bradley is nothing more than a big mouth trying to make a name for herself. Nothing more than an MS cheerleader. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Fri, Jun 11, 2010 at 12:03 PM, T Biehn tbi...@gmail.com wrote:
It's a good thing I ran that anti-hacker script!!!

It's a good thing there is to be a local bomb squad near me.

http://www.cbc.ca/world/story/2005/06/13/canadian-bomb050613.html
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Totally, I'd work on getting a dog too.

On Jun 11, 2010 12:20 PM, musnt live musntl...@gmail.com wrote:
On Fri, Jun 11, 2010 at 12:03 PM, T Biehn tbi...@gmail.com wrote:
It's a good thing I ran that a...

It's a good thing there is to be a local bomb squad near me.

http://www.cbc.ca/world/story/2005/06/13/canadian-bomb050613.html
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Fri, Jun 11, 2010 at 1:06 PM, T Biehn tbi...@gmail.com wrote: Totally, I'd work on getting a dog too. On Jun 11, 2010 12:20 PM, musnt live musntl...@gmail.com wrote: On Fri, Jun 11, 2010 at 12:03 PM, T Biehn tbi...@gmail.com wrote: It's a good thing I ran that a... It's a good thing there is to be a local bomb squad near me. http://www.cbc.ca/world/story/2005/06/13/canadian-bomb050613.html Is Annette (your mom) available? A call to her could always have her be answer for herself: Annette Biehn (former known to be Annette Penney) 3395 Gail Circle Doylestown, PA 18901 (215) 794-9220 Or maybe so your dad Brant to be upset ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Fri, Jun 11, 2010 at 1:43 PM, T Biehn tbi...@gmail.com wrote: Maybe you can call twice and get both of them really upset? Maybe I will. Would she let me sit on her bed? http://images.realogyfg.com/j/2/5/15907460/62A47ADD-C353-4F73-94FB-742937D88A0B-6.jpg Oh n00z all this information for on this little wannabe unabummer. Go play now with some explosives and fux0r yourself before I is posting your family's SS CC #'s rookie ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
On Fri, Jun 11, 2010 at 1:53 PM, T Biehn tbi...@gmail.com wrote: So far so good. You've been able to go from t biehn - Travis Biehn - Bomber Article (parent's names, city, state, country) - whitepages.com (Address and Phone number) - (not clear on your jump here, did you google their name or for the address?) Real estate listings. Now to pull the SS and CC #'s you're going to have to go the extra mile. I'd enjoy seeing you pull our SS numbers, being that we're all Canadians. That is right. Canadians living in Pennsylvannia. Was it not: You hated being in America the reason? Was your dad not making enough at Merck he went to work at Dynavax? Did his Zostavax product not cure your mom from herpes? Shall we email him to ask? bbi...@dvax.com indeed no for is that to be rude. Run along now little one explosives await you. And I must for to warn you! I too do not like America therefore if is you not like it then leave I must be sure that no Americans will miss you Travis ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
So far so good. You've been able to go from t biehn - Travis Biehn - Bomber Article (parent's names, city, state, country) - whitepages.com (Address and Phone number) - (not clear on your jump here, did you google their name or for the address?) Real estate listings. Now to pull the SS and CC #'s you're going to have to go the extra mile. I'd enjoy seeing you pull our SS numbers, being that we're all Canadians. -Travis On Fri, Jun 11, 2010 at 1:50 PM, musnt live musntl...@gmail.com wrote: On Fri, Jun 11, 2010 at 1:43 PM, T Biehn tbi...@gmail.com wrote: Maybe you can call twice and get both of them really upset? Maybe I will. Would she let me sit on her bed? http://images.realogyfg.com/j/2/5/15907460/62A47ADD-C353-4F73-94FB-742937D88A0B-6.jpg Oh n00z all this information for on this little wannabe unabummer. Go play now with some explosives and fux0r yourself before I is posting your family's SS CC #'s rookie -- FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C http://pgp.mit.edu:11371/pks/lookup?search=tbiehnop=indexfingerprint=on http://pastebin.com/f6fd606da ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
You're just jealous I had the intuition to protect myself.

Sent from my iPhone

On 11 Jun 2010, at 17:03, T Biehn tbi...@gmail.com wrote:
It's a good thing I ran that anti-hacker script!!!

On Fri, Jun 11, 2010 at 11:28 AM, Benji m...@b3nji.com wrote:
because when she gets 0wn3d she can be all like 'ruh roh, well, 0day can happen to anyone'

On Fri, Jun 11, 2010 at 4:01 PM, Benjamin Franz jfr...@freerun.com wrote:
On 06/11/2010 02:40 AM, Christian Sciberras wrote:
In my humble opinion, he could have waited a couple more days just in case Microsoft decided to do the unprecedented. In which case, I progressive change of policies at Microsoft are better than a couple of users getting hacked from pron sites...

As I said: Travis indicated in his original post he believes the exploit *was already being used in the wild*. So NOT releasing it wouldn't protect users. It would just keep it secret from everyone except Microsoft *and the black hats who were already using it*. While maintaining a false air of intact security for everyone else.

That is better, how?

-- Benjamin Franz

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehnop=indexfingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
I'm not an enterprise customer, but I am a mouthy female. So here's my question back to you, for my education, how exactly did MSRC contact you back? Since June 5th have you tried emailing back or any of your contacts from past interactions and asked what was up?

I'm disappointed in this lack of communication I see on both sides. You are ...well... Tavis Ormandy... I seriously doubt MSRC is blowing you off here. Keep in mind we just had a LARGE patch week to deal with. I don't know what was going on on their side, nor making excuses as I don't know what communication you've had in the past and had on this issue ... I'm just saying I would have spent a little more time getting mad at them and sent a lot more emails back to them before posting this.

(And try dealing with Microsoft licensing sometime if you think security communication is lacking)

Tavis Ormandy wrote:

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Help and Support Centre is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme hcp; a typical example is provided in the Windows XP Command Line Reference, available at http://technet.microsoft.com/en-us/library/bb490918.aspx.

Using hcp:// URLs is intended to be safe, as when invoked via the registered protocol handler the command line parameter /fromhcp is passed to the help centre application. This flag switches the help centre into a restricted mode, which will only permit a whitelisted set of help documents and parameters.

This design, introduced in SP2, is reasonably sound. A whitelist of trusted documents is a safe way of allowing interaction with the documentation from less-trusted sources. Unfortunately, an implementation error in the whitelist allows it to be evaded.

URLs are normalised and unescaped prior to validation using MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL escape sequences into their original characters. The relevant code from helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.

.text:0106684C Unescape:
.text:0106684C                 cmp     di, '%'                 ; di contains the current wchar in the input URL.
.text:01066850                 jnz     short LiteralChar       ; if this is not a '%', it must be a literal character.
.text:01066852                 push    esi                     ; esi contains a pointer to the current position in URL to unescape.
.text:01066853                 call    ds:wcslen               ; find the remaining length.
.text:01066859                 cmp     word ptr [esi], 'u'     ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.
.text:0106685D                 pop     ecx                     ; this sequence calculates the number of wchars needed (4 or 2).
.text:0106685E                 setz    cl                      ; i.e. %u (four needed), or %XX (two needed).
.text:01066861                 mov     dl, cl
.text:01066863                 neg     dl
.text:01066865                 sbb     edx, edx
.text:01066867                 and     edx, 3
.text:0106686A                 inc     edx
.text:0106686B                 inc     edx
.text:0106686C                 cmp     eax, edx                ; test if I have enough characters in input to decode.
.text:0106686E                 jl      short LiteralChar       ; if not enough, this '%' is considered literal.
.text:01066870                 test    cl, cl
.text:01066872                 movzx   eax, word ptr [esi+2]
.text:01066876                 push    eax
.text:01066877                 jz      short NotUnicode
.text:01066879                 call    HexToNum                ; call MPC::HexToNum() to convert this nibble (4 bits) to an integer.
.text:0106687E                 mov     edi, eax                ; edi contains the running total of the value of this escape sequence.
.text:01066880                 movzx   eax, word ptr [esi+4]
.text:01066884                 push    eax
.text:01066885                 shl     edi, 4                  ; shift edi left 4 positions to make room for the next digit, i.e. total <<= 4;
.text:01066888                 call    HexToNum
.text:0106688D                 or      edi, eax                ; or the next value into the 4-bit gap, i.e. total |= val.
.text:0106688F                 movzx   eax, word ptr [esi+6]   ; this process continues for the remaining wchars.
.text:01066893                 push    eax
.text:01066894                 shl     edi, 4
.text:01066897                 call    HexToNum
.text:0106689C                 or      edi, eax
.text:0106689E                 movzx   eax, word ptr [esi+8]
.text:010668A2                 push    eax
.text:010668A3                 shl     edi, 4
.text:010668A6                 call    HexToNum
.text:010668AB                 or      edi, eax
.text:010668AD                 add     esi, 0Ah                ; account for number of bytes (not chars) consumed by the escape.
.text:010668B0                 jmp     short FinishedEscape
.text:010668B2
.text:010668B2
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
I'm not asking about disclosure. I'm asking what happened to the level of communication between you and MSRC that after 4 days you posted this?

Tavis Ormandy wrote:

Susan, I wish I had the time to hold your hand through getting up to speed on the disclosure debate. Instead, I would suggest starting with the links in my advisory which were intended to give you enough background to understand the issues involved (skip to the Notes section, if you like). As I cannot hope to speak as eloquently on the topic as Bruce, I will not attempt to repeat them for you here.

If after researching the topic you still have questions, please let me know.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:

I'm not an enterprise customer, but I am a mouthy female. So here's my question back to you, for my education, how exactly did MSRC contact you back? Since June 5th have you tried emailing back or any of your contacts from past interactions and asked what was up?

I'm disappointed in this lack of communication I see on both sides. You are ...well... Tavis Ormandy... I seriously doubt MSRC is blowing you off here. Keep in mind we just had a LARGE patch week to deal with. I don't know what was going on on their side, nor making excuses as I don't know what communication you've had in the past and had on this issue ... I'm just saying I would have spent a little more time getting mad at them and sent a lot more emails back to them before posting this.

(And try dealing with Microsoft licensing sometime if you think security communication is lacking)
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Nope Mr. Live, other than dealing with .NET updates and a 982331 that keeps wanting to have UAC turned off on some Win7/Vistas to get installed, this is just my normal calm, try to also consider the consumers and patchers viewpoint person today.

musnt live wrote:

On Thu, Jun 10, 2010 at 11:36 AM, Susan Bradley sbrad...@pacbell.net wrote:
I'm not an enterprise customer, but I am a mouthy female.

Hello Full Disclosure, I'd like to warn you about PMS!
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
You commented that Microsoft needs to address a communication problem. It's irrelevant to the full disclosure issue in my mind. I'd honestly like to know if there is a breakdown in communication at the MSRC that needs to be addressed. It appears there is one?

Tavis Ormandy wrote:

Susan, this is what is called full disclosure, and my response was relevant. I will not answer anymore uninformed questions on this topic.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 09:02:37AM -0700, Susan Bradley wrote:

I'm not asking about disclosure. I'm asking what happened to the level of communication between you and MSRC that after 4 days you posted this?

Tavis Ormandy wrote:

Susan, I wish I had the time to hold your hand through getting up to speed on the disclosure debate. Instead, I would suggest starting with the links in my advisory which were intended to give you enough background to understand the issues involved (skip to the Notes section, if you like). As I cannot hope to speak as eloquently on the topic as Bruce, I will not attempt to repeat them for you here.

If after researching the topic you still have questions, please let me know.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:

I'm not an enterprise customer, but I am a mouthy female. So here's my question back to you, for my education, how exactly did MSRC contact you back? Since June 5th have you tried emailing back or any of your contacts from past interactions and asked what was up?

I'm disappointed in this lack of communication I see on both sides. You are ...well... Tavis Ormandy... I seriously doubt MSRC is blowing you off here. Keep in mind we just had a LARGE patch week to deal with. I don't know what was going on on their side, nor making excuses as I don't know what communication you've had in the past and had on this issue ... I'm just saying I would have spent a little more time getting mad at them and sent a lot more emails back to them before posting this.

(And try dealing with Microsoft licensing sometime if you think security communication is lacking)
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Susan, if you want my advice, don't even bother with Mr Live.

Cheers.

On Thu, Jun 10, 2010 at 6:26 PM, Susan Bradley sbrad...@pacbell.net wrote:

You commented that Microsoft needs to address a communication problem. It's irrelevant to the full disclosure issue in my mind. I'd honestly like to know if there is a breakdown in communication at the MSRC that needs to be addressed. It appears there is one?

Tavis Ormandy wrote:

Susan, this is what is called full disclosure, and my response was relevant. I will not answer anymore uninformed questions on this topic.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 09:02:37AM -0700, Susan Bradley wrote:

I'm not asking about disclosure. I'm asking what happened to the level of communication between you and MSRC that after 4 days you posted this?

Tavis Ormandy wrote:

Susan, I wish I had the time to hold your hand through getting up to speed on the disclosure debate. Instead, I would suggest starting with the links in my advisory which were intended to give you enough background to understand the issues involved (skip to the Notes section, if you like). As I cannot hope to speak as eloquently on the topic as Bruce, I will not attempt to repeat them for you here.

If after researching the topic you still have questions, please let me know.

Thanks, Tavis.

On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:

I'm not an enterprise customer, but I am a mouthy female. So here's my question back to you, for my education, how exactly did MSRC contact you back? Since June 5th have you tried emailing back or any of your contacts from past interactions and asked what was up?

I'm disappointed in this lack of communication I see on both sides. You are ...well... Tavis Ormandy... I seriously doubt MSRC is blowing you off here. Keep in mind we just had a LARGE patch week to deal with. I don't know what was going on on their side, nor making excuses as I don't know what communication you've had in the past and had on this issue ... I'm just saying I would have spent a little more time getting mad at them and sent a lot more emails back to them before posting this.

(And try dealing with Microsoft licensing sometime if you think security communication is lacking)
Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Tavis,

Nice find, but during our analysis we discovered that your hotfix unfortunately is inadequate. For more information see: http://secunia.com/blog/103/

Removing the HCP URI handler seems like the only proper workaround as of now.

/Thomas

On Thu, 2010-06-10 at 01:46 +0200, Tavis Ormandy wrote:

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Help and Support Centre is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme hcp; a typical example is provided in the Windows XP Command Line Reference, available at http://technet.microsoft.com/en-us/library/bb490918.aspx.

Using hcp:// URLs is intended to be safe, as when invoked via the registered protocol handler the command line parameter /fromhcp is passed to the help centre application. This flag switches the help centre into a restricted mode, which will only permit a whitelisted set of help documents and parameters.

This design, introduced in SP2, is reasonably sound. A whitelist of trusted documents is a safe way of allowing interaction with the documentation from less-trusted sources. Unfortunately, an implementation error in the whitelist allows it to be evaded.

URLs are normalised and unescaped prior to validation using MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL escape sequences into their original characters. The relevant code from helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.

.text:0106684C Unescape:
.text:0106684C                 cmp     di, '%'                 ; di contains the current wchar in the input URL.
.text:01066850                 jnz     short LiteralChar       ; if this is not a '%', it must be a literal character.
.text:01066852                 push    esi                     ; esi contains a pointer to the current position in URL to unescape.
.text:01066853                 call    ds:wcslen               ; find the remaining length.
.text:01066859                 cmp     word ptr [esi], 'u'     ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.
.text:0106685D                 pop     ecx                     ; this sequence calculates the number of wchars needed (4 or 2).
.text:0106685E                 setz    cl                      ; i.e. %u (four needed), or %XX (two needed).
.text:01066861                 mov     dl, cl
.text:01066863                 neg     dl
.text:01066865                 sbb     edx, edx
.text:01066867                 and     edx, 3
.text:0106686A                 inc     edx
.text:0106686B                 inc     edx
.text:0106686C                 cmp     eax, edx                ; test if I have enough characters in input to decode.
.text:0106686E                 jl      short LiteralChar       ; if not enough, this '%' is considered literal.
.text:01066870                 test    cl, cl
.text:01066872                 movzx   eax, word ptr [esi+2]
.text:01066876                 push    eax
.text:01066877                 jz      short NotUnicode
.text:01066879                 call    HexToNum                ; call MPC::HexToNum() to convert this nibble (4 bits) to an integer.
.text:0106687E                 mov     edi, eax                ; edi contains the running total of the value of this escape sequence.
.text:01066880                 movzx   eax, word ptr [esi+4]
.text:01066884                 push    eax
.text:01066885                 shl     edi, 4                  ; shift edi left 4 positions to make room for the next digit, i.e. total <<= 4;
.text:01066888                 call    HexToNum
.text:0106688D                 or      edi, eax                ; or the next value into the 4-bit gap, i.e. total |= val.
.text:0106688F                 movzx   eax, word ptr [esi+6]   ; this process continues for the remaining wchars.
.text:01066893                 push    eax
.text:01066894                 shl     edi, 4
.text:01066897                 call    HexToNum
.text:0106689C                 or      edi, eax
.text:0106689E                 movzx   eax, word ptr [esi+8]
.text:010668A2                 push    eax
.text:010668A3                 shl     edi, 4
.text:010668A6                 call    HexToNum
.text:010668AB                 or      edi, eax
.text:010668AD                 add     esi, 0Ah                ; account for number of bytes (not chars) consumed by the escape.
.text:010668B0                 jmp     short FinishedEscape
.text:010668B2
.text:010668B2 NotUnicode:
.text:010668B2                 call    HexToNum                ; this is the same code, but for non-unicode sequences (e.g. %41, instead of %u0041)
.text:010668B7                 mov     edi, eax
.text:010668B9                 movzx   eax, word ptr [esi]
.text:010668BC                 push    eax
.text:010668BD                 call    HexToNum
.text:010668C2                 shl     eax, 4
.text:010668C5                 or      edi, eax
.text:010668C7                 add     esi, 4                  ; account for number of bytes (not chars) consumed by the escape.
.text:010668CA
.text:010668CA FinishedEscape:
[Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Help and Support Centre is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme hcp; a typical example is provided in the Windows XP Command Line Reference, available at http://technet.microsoft.com/en-us/library/bb490918.aspx.

Using hcp:// URLs is intended to be safe, as when invoked via the registered protocol handler the command line parameter /fromhcp is passed to the help centre application. This flag switches the help centre into a restricted mode, which will only permit a whitelisted set of help documents and parameters.

This design, introduced in SP2, is reasonably sound. A whitelist of trusted documents is a safe way of allowing interaction with the documentation from less-trusted sources. Unfortunately, an implementation error in the whitelist allows it to be evaded.

URLs are normalised and unescaped prior to validation using MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL escape sequences into their original characters. The relevant code from helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.

.text:0106684C Unescape:
.text:0106684C                 cmp     di, '%'                 ; di contains the current wchar in the input URL.
.text:01066850                 jnz     short LiteralChar       ; if this is not a '%', it must be a literal character.
.text:01066852                 push    esi                     ; esi contains a pointer to the current position in URL to unescape.
.text:01066853                 call    ds:wcslen               ; find the remaining length.
.text:01066859                 cmp     word ptr [esi], 'u'     ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.
.text:0106685D                 pop     ecx                     ; this sequence calculates the number of wchars needed (4 or 2).
.text:0106685E                 setz    cl                      ; i.e. %u (four needed), or %XX (two needed).
.text:01066861                 mov     dl, cl
.text:01066863                 neg     dl
.text:01066865                 sbb     edx, edx
.text:01066867                 and     edx, 3
.text:0106686A                 inc     edx
.text:0106686B                 inc     edx
.text:0106686C                 cmp     eax, edx                ; test if I have enough characters in input to decode.
.text:0106686E                 jl      short LiteralChar       ; if not enough, this '%' is considered literal.
.text:01066870                 test    cl, cl
.text:01066872                 movzx   eax, word ptr [esi+2]
.text:01066876                 push    eax
.text:01066877                 jz      short NotUnicode
.text:01066879                 call    HexToNum                ; call MPC::HexToNum() to convert this nibble (4 bits) to an integer.
.text:0106687E                 mov     edi, eax                ; edi contains the running total of the value of this escape sequence.
.text:01066880                 movzx   eax, word ptr [esi+4]
.text:01066884                 push    eax
.text:01066885                 shl     edi, 4                  ; shift edi left 4 positions to make room for the next digit, i.e. total <<= 4;
.text:01066888                 call    HexToNum
.text:0106688D                 or      edi, eax                ; or the next value into the 4-bit gap, i.e. total |= val.
.text:0106688F                 movzx   eax, word ptr [esi+6]   ; this process continues for the remaining wchars.
.text:01066893                 push    eax
.text:01066894                 shl     edi, 4
.text:01066897                 call    HexToNum
.text:0106689C                 or      edi, eax
.text:0106689E                 movzx   eax, word ptr [esi+8]
.text:010668A2                 push    eax
.text:010668A3                 shl     edi, 4
.text:010668A6                 call    HexToNum
.text:010668AB                 or      edi, eax
.text:010668AD                 add     esi, 0Ah                ; account for number of bytes (not chars) consumed by the escape.
.text:010668B0                 jmp     short FinishedEscape
.text:010668B2
.text:010668B2 NotUnicode:
.text:010668B2                 call    HexToNum                ; this is the same code, but for non-unicode sequences (e.g. %41, instead of %u0041)
.text:010668B7                 mov     edi, eax
.text:010668B9                 movzx   eax, word ptr [esi]
.text:010668BC                 push    eax
.text:010668BD                 call    HexToNum
.text:010668C2                 shl     eax, 4
.text:010668C5                 or      edi, eax
.text:010668C7                 add     esi, 4                  ; account for number of bytes (not chars) consumed by the escape.
.text:010668CA
.text:010668CA FinishedEscape:
.text:010668CA                 test    di, di
.text:010668CD                 jz      short loc_10668DA
.text:010668CF
.text:010668CF LiteralChar:
.text:010668CF                 push    edi                     ; append the final value to the normalised string using a std::string append.
.text:010668D0                 mov     ecx, [ebp+unescaped]
.text:010668D3                 push    1
.text:010668D5                 call    std::string::append
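The listing above is the whole of what the page shows of the unescape loop: it picks %uXXXX or %XX, falls back to a literal '%' only when the input is too short, and shifts and ORs the values MPC::HexToNum() returns together without examining them. The following is an added example, not code from the advisory, from Tavis, or from helpctr.exe: a C reconstruction of that loop beside a hardened decoder that validates every digit before committing to a decode. hex_to_num(), its -1 result for a non-hex digit, and the 16-bit wchar16 type are my assumptions (the page never shows MPC::HexToNum()'s body or what it returns for bad input); the sample inputs are constructed.

```c
/* Added example (not code from the advisory or from helpctr.exe): a C
 * reconstruction of the %XX / %uXXXX unescape loop in the listing, beside a
 * hardened decoder that validates each digit before committing to a decode.
 * Characters are 16-bit to match the wchar loads in the disassembly. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t wchar16;

/* Assumption: the page never shows MPC::HexToNum()'s body, so this stand-in
 * is mine. One hex digit -> 0..15; anything else -> -1. */
static int hex_to_num(wchar16 c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Widen an ASCII sample so constructed inputs can be written as C strings. */
static void ascii_to_w(const char *src, wchar16 *dst, size_t cap)
{
    size_t n = 0;
    for (; src[n] && n + 1 < cap; n++) dst[n] = (wchar16)(unsigned char)src[n];
    dst[n] = 0;
}

/* Mirrors the listing: after '%', expect %uXXXX (5 wchars) or %XX (2 wchars);
 * '%' is literal only when the input is too short; digit values are shifted
 * and ORed together without being examined; a zero result is dropped (the
 * `test di, di / jz` before the append). Returns wchars written. */
static size_t unescape_as_disassembled(const wchar16 *in, wchar16 *out, size_t cap)
{
    size_t o = 0;
    while (*in && o + 1 < cap) {
        wchar16 c = *in++;
        if (c != '%') { out[o++] = c; continue; }
        size_t rem = 0; while (in[rem]) rem++;       /* wcslen on the remainder */
        int is_unicode = (in[0] == 'u');
        size_t need = is_unicode ? 5 : 2;
        if (rem < need) { out[o++] = '%'; continue; }
        uint32_t total = (uint32_t)hex_to_num(in[1]);
        if (is_unicode)
            for (int i = 2; i <= 4; i++) total = (total << 4) | (uint32_t)hex_to_num(in[i]);
        else
            total |= (uint32_t)hex_to_num(in[0]) << 4;
        in += need;
        if ((wchar16)total != 0) out[o++] = (wchar16)total;
    }
    out[o] = 0;
    return o;
}

/* Hardened decoder for the same grammar: every required digit must be hex and
 * the decoded value non-NUL, else the whole input is rejected (*ok = 0) rather
 * than silently reshaped. Run the allow-list check once, on this output. */
static size_t unescape_strict(const wchar16 *in, wchar16 *out, size_t cap, int *ok)
{
    size_t o = 0; *ok = 1;
    while (*in && o + 1 < cap) {
        wchar16 c = *in++;
        if (c != '%') { out[o++] = c; continue; }
        size_t first = (in[0] == 'u') ? 1 : 0, ndig = first ? 4 : 2;
        uint32_t total = 0;
        for (size_t i = 0; i < ndig; i++) {
            int v = hex_to_num(in[first + i]);       /* a NUL terminator fails here too */
            if (v < 0) { *ok = 0; out[0] = 0; return 0; }
            total = (total << 4) | (uint32_t)v;
        }
        if (total == 0) { *ok = 0; out[0] = 0; return 0; }
        in += first + ndig;
        out[o++] = (wchar16)total;
    }
    out[o] = 0;
    return o;
}

/* Run both decoders on one constructed ASCII sample and report what came out. */
struct decode_result { int loose_len, loose_first, strict_ok, strict_len, strict_first; };

static struct decode_result decode_both(const char *sample)
{
    wchar16 in[64], out[64];
    struct decode_result r;
    ascii_to_w(sample, in, 64);
    r.loose_len = (int)unescape_as_disassembled(in, out, 64);
    r.loose_first = r.loose_len ? out[0] : -1;
    r.strict_len = (int)unescape_strict(in, out, 64, &r.strict_ok);
    r.strict_first = r.strict_len ? out[0] : -1;
    return r;
}

int main(void)
{
    const char *samples[] = { "%41", "%u0041", "a%4", "%4G", "%00x" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct decode_result r = decode_both(samples[i]);
        printf("%-7s as-disassembled: len=%d first=%d   strict: %s\n", samples[i],
               r.loose_len, r.loose_first, r.strict_ok ? "accepted" : "rejected");
    }
    return 0;
}
```

On well-formed input ("%41", "%u0041") the two decoders agree. On malformed input they part ways: "a%4" is too short, so the reconstructed loop keeps the '%' literal while the strict decoder refuses the string; "%4G" is long enough, so the reconstructed loop consumes both characters and emits whatever the unchecked digit values combine to (0xFFFF under the assumed -1 sentinel), while the strict decoder rejects it; "%00x" decodes to NUL, which the `test di, di / jz` path silently drops. The defensive point for any allow-list in front of such a parser is the one the advisory makes: the comparison must run on a fully and unambiguously decoded string, which means refusing escapes the decoder cannot decode rather than guessing at them.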