📚
OpenRCE
is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
Faithless
's Blog
Created: Friday, March 24 2006 14:48.00 CST
Modified: Friday, March 24 2006 15:02.27 CST
Printer Friendly ...
IE createTextRange() Vulnerability
Author:
Faithless
# Views:
1021
The .JS flavour of the moment:
<input type="checkbox" id='c'>
<script>
r=document.getElementById("c");
a=r.createTextRange();
</script>
Spent some time looking into this bug, which has apparently been going around the traps for a couple of days. It really hit the big time when Stelian Ene reported it to Bugtraq (
http://seclists.org/lists/bugtraq/2006/Mar/0410.html
) and then Andreas Sandblad of Secunia came public that they had independently found the same bug (
http://secunia.com/advisories/18680/
).
It's a sign of the times that bugs are demonstratably being co-discovered by multiples parties. As Dave Aitel said as early as Jan 05:
Multiple independent discoveries are more the rule than the exception
- Dave Aitel
That is, other researchers who've never looked at the vulnerability before can get stable code execution
in under 24 hours
. Why assume it's always the "whitehats" who find these and report them? Rumours are the .WMF bug from late 2005 was sold for $4000 to install spyware and popups by one of the unknown original discoverers.
Hrmm, interesting concept, when we also look at the rapidly dropping time between public vulnerability announcement, and 3rd party exploit code.
- Compare SQL Slammer (Bulletin on July 24 2002 and exploit mass released on Jan 25 2003 - ~185 days)
- To Sasser (Bulletin on March 13 2004 and exploit mass released on April 1 2004 - ~17 days)
But sure, this topic has been covered before ( for details see
http://www.trendmicro.com/NR/rdonlyres/5D55A679-5B64-485C-8B35-13F6A8026CE3/17118/Vulnerability_Record.pdf
) so where does the latest IE exploit leave us? It's not just exploit code development thats improved rapidly with better documentation, examples and tools such the excellent Metasploit ( [url]www.metasploit.com[/url] ), but the actual vulnerabilities themselves are being found by a wider group of people, in more and more applications. For more info on this
http://www.google.com.au/search?hl=en&safe=off&q=code+fuzzers&btnG=Search&meta=
Once your code is running reliably through a exploit, there's also much greater emphasise on IDS evasion and "sliding windows" of attack.
I started looking at software vulnerabilities and code execution when I first saw spyware install itself automatically. Pretty suprising stuff to see. Initially, I thought the Symantec et. al idea of "use antivirus, antispyware, antimalware, antiphishing" products would provide protection. But what the hell, lets get your hands down and dirty, and figure out how remote code execution really works. Read a few BlackHat .pdf presentations by Aleph1, FX, HDMoore, Halvar Flake, Mike Lynn, or anything by any member of the Litchfield family :) . It'll teach you how x86/PPC works on a low-level, and it takes the voodoo mystery out of much of the malware-crud that's out there.
By the way, it's not just
<input type="checkbox">
that causes this memory corruption. :/
It's going to be a big April MS Patch Tuesday.
Maybe another blog article after this is patched might give me a chance to walk through some of the technical details of this vulnerability.
Add New Comment
Comment:
There are
31,328
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit
Printer Friendly ...
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}