Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
Re:You thought Microsoft were tardy with (Score:4, Informative)
Re:huh (Score:5, Informative)
Text of advisory (Score:4, Informative)
bigger than Linux, but there were a lot of people mirroring it and so
it didn't take long.
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS
For example, in win2k/private/inet/mshtml/src/site/download/imgbm
offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
and we're in. cbSkip goes negative and the Read call clobbers the
stack with our data.
See attached for proof of concept. index.html has [img src=1.bmp]
where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
Bring it up in IE5 (tested successfully on Win98) and get
EIP=0x44332211.
IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
worm will have to wait a bit...
PROPS TO the Fort and HAVE IT BE YOU.
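The bfOffBits arithmetic the advisory describes, as an added illustration that is neither the advisory's attachment nor the leaked imgbm code: a C model of the skip loop's length computation with the original signed cbSkip beside the unsigned fix, plus a header check a decoder could run before the loop ever executes. Function names (skip_len_signed, bmp_offbits_ok, le32) and the two sample headers are my own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#define SKIP_BUF 1024   /* size of the abDummy stack buffer in the skip loop */

/* Original logic: cbSkip is a signed int assigned from an unsigned subtraction,
 * exactly as in the leaked loop. Returns the count that would reach Read(). */
int32_t skip_len_signed(uint32_t bfOffBits, int32_t cbRead) {
    int32_t cbSkip = (int32_t)(bfOffBits - (uint32_t)cbRead); /* negative once bfOffBits >= 2^31 */
    if (cbSkip > SKIP_BUF)
        cbSkip = SKIP_BUF;    /* a negative cbSkip passes straight through this clamp */
    return cbSkip;
}

/* Fixed logic (declaring cbSkip unsigned): no negative values exist,
 * so the clamp always bounds the read to the buffer size. */
uint32_t skip_len_unsigned(uint32_t bfOffBits, int32_t cbRead) {
    uint32_t cbSkip = bfOffBits - (uint32_t)cbRead;
    if (cbSkip > SKIP_BUF)
        cbSkip = SKIP_BUF;
    return cbSkip;
}

static uint32_t le32(const uint8_t *p) {   /* little-endian DWORD reader */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Defensive check to run before the skip loop: hdr is the 14-byte BITMAPFILEHEADER,
 * file_len the real size of the file. bfOffBits must sit inside the file, past the
 * header, and within int range. Returns 1 if acceptable, 0 otherwise. */
int bmp_offbits_ok(const uint8_t *hdr, size_t file_len) {
    if (file_len < 14 || hdr[0] != 'B' || hdr[1] != 'M')
        return 0;
    uint32_t bfSize = le32(hdr + 2), bfOffBits = le32(hdr + 10);
    if (bfOffBits < 14 || bfOffBits > file_len || bfOffBits > bfSize ||
        bfOffBits > (uint32_t)INT32_MAX)
        return 0;
    return 1;
}

/* Constructed sample headers (not the advisory's attachment): both declare a
 * 4150-byte file; the second carries the bfOffBits value from the advisory. */
static const uint8_t benign_hdr[14]  = {'B','M', 0x36,0x10,0,0, 0,0,0,0, 0x36,0,0,0};
static const uint8_t hostile_hdr[14] = {'B','M', 0x36,0x10,0,0, 0,0,0,0, 0xEE,0xEE,0xEE,0xEE};

int main(void) {
    printf("hostile cbSkip: signed %d, unsigned %u; accepted: benign %d, hostile %d\n",
           skip_len_signed(0xEEEEEEEEu, 14), skip_len_unsigned(0xEEEEEEEEu, 14),
           bmp_offbits_ok(benign_hdr, 4150), bmp_offbits_ok(hostile_hdr, 4150));
    return 0;
}
```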
Re:Smells (Score:5, Informative)
It's no hoax.
Re:Smells (Score:5, Informative)
Re:well, the source is out there (Score:-1, Informative)
while (_bmfh.bfOffBits > (unsigned)cbRead)
{
    BYTE abDummy[1024];
    int cbSkip;                          /* signed: this is the bug */

    cbSkip = _bmfh.bfOffBits - cbRead;   /* unsigned result stored into an int; negative once bfOffBits >= 2^31 */
    if (cbSkip > 1024)
        cbSkip = 1024;                   /* clamp never fires for a negative cbSkip */
    if (!Read(abDummy, cbSkip))          /* Read gets the negative (huge) count and overruns abDummy */
        goto Cleanup;
    cbRead += cbSkip;
}
Easy enough:
- int cbSkip;
+ unsigned int cbSkip;
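Review bot: the change to `unsigned int cbSkip` closes the negative-skip path, but it is only safe because the loop guard `while (_bmfh.bfOffBits > (unsigned)cbRead)` guarantees `_bmfh.bfOffBits - cbRead` cannot wrap below zero; that dependency deserves a comment at the declaration so a later edit to the guard does not silently reopen the bug. Also worth replacing the bare `1024` in the clamp with `sizeof(abDummy)` so the bound and the buffer cannot drift apart.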
Re:What the fuck? (Score:5, Informative)
(in fact, looking at the code snippet in the vulnerability notification [securitytracker.com], they do check against Offset > size of buffer)
Wrong (Score:5, Informative)
b) You wouldn't think that an overly long PASS string sent to an ftp server would be able to execute commands - but it can. If you can overflow a buffer and force it to work its way back up the stack then you could convince mouse gestures to execute commands.
Re:huh (Score:3, Informative)
Re:What the fuck? (Score:5, Informative)
That is how Freenet works (Score:2, Informative)
Re:Time to MS proof what it says (Score:2, Informative)
- Somebody,
- please, monitor this bug (or teach me how to monitor it)
Use this link [securitytracker.com]Then use this one [kernel.org].
i dare someone... (Score:2, Informative)
If I had the time to fetch a copy of the code, I'd do it myself...
edonkey link for source code (Score:2, Informative)
31,000 files of exploitable goodness!
ed2k://|file|windows_2000_source_code.zip|21374
Re:Text of advisory (Score:5, Informative)
Re:And awaaayyy we go! (Score:2, Informative)
Not to mention the risk admins take when applying patches, which can disable apps or change bug behaviors that critical apps wrongfully rely on. Not to mention either that historically service packs have not been 100% reliable to boot.
The sad thing is, you can be a perfectly good, clued person stuck with admining critical functions on M$ boxes (that you inherited based on decisions you had no influence over), and let patches sit for weeks or months waiting for others to try them out. Security patches included, since M$ is so spaghetti that one security fix can break or alter behavior in other areas nearly nondeterministically. Luckily, I've never had to worry personally about a windows box for my job security: in the cases I may have had to do so I've been able to build lower-cost and higher-function/reliability OSS solutions and sleep soundly at night.
There's a reason why they're called 'Suicide Packs' by those poor souls whose jobs rely on M$ stability and security...
So, give up the broke-down Chevy & get a Porsc (Score:0, Informative)
Re:Source code leak == reason for Palladium/TCP? (Score:4, Informative)
http://slashdot.org/comments.pl?sid=96614&cid=826
and the follow-up article
http://slashdot.org/comments.pl?sid=96732&cid=827
No, the FS/OS world does not insist on upgrades (Score:5, Informative)
No, it doesn't work that way. All the major Linux and BSD distros backport security fixes into older apps that they have released; they do not insist that you upgrade to the next major version. When someone (e.g. Red Hat) drops security coverage for older versions, multiple efforts (Progeny, Fedora Legacy) spring up to fill the gap.
Re:What the fuck? (Score:3, Informative)
Re:I posted that vulnerability on August 13, 2000 (Score:2, Informative)
Here's the comment link [slashdot.org].
Re:Open Source More Secure... maybe not (Score:5, Informative)
Re:I posted that vulnerability on August 13, 2000 (Score:3, Informative)
Re:Open Source More Secure... maybe not (Score:3, Informative)
It appears to come from the Fedora team.
Re:I posted that vulnerability on August 13, 2000 (Score:4, Informative)
Try Here (Score:5, Informative)
http://www.google.com/press/zeitgeist.html
Down in the middle of the page, it shows a graph that depicts MSIE 6.0 to be the dominant browser in nice clear red ink.
Re:occurances of " Don't Care " in MS code (Score:2, Informative)
Re:Open Source More Secure... maybe not (Score:4, Informative)
Re:Text of advisory (Score:5, Informative)
The data fills up all the room that was allocated for it and then carries on. You make sure there's enough that it overwrites a special bit of memory called the EIP which tells the computer where the next instruction in memory is. So you make sure the data that lands in the EIP points to the data (actually instructions) you've kindly provided! Whatever process you've overrun has now been hijacked and your code is running. Make sense?
Lots of people still run IE5.5 (Score:2, Informative)
(1) There are folks still running Win95 that are stuck. They've got an old Pentium 166, and have no legitimate way to upgrade to Win98. Have you seen upgrade copies available in the last couple of years? Sure they can find a copy on ebay, but lots of these folks would never think of that.
(2) There are folks with Dial-up who didn't want to tie up their phone lines downloading the beast. These folks should definitely do it now, but they haven't had a really compelling reason.
(3) They may not know how. "Windows Update, what's that?"
I do lots of work for clueless users, and trust me, there are PLENTY of IE5 boxes out there.
Mark
Use CQual (Score:1, Informative)
nt4 source (Score:2, Informative)
A couple of links are here:
ed2k://|file|windows_nt_4_source_code
I have downloaded the first one. It contained a minor bit of corruption in the zip file. The second one may be more pure, but I don't know as I'm only 90% complete with that.
Though I have to say, the bugcodes.txt file in the windows 2000 archive was a fascinating read.
Also, I hear rumours that there is a longhorn source code leak out there. I noticed it was available on overnet, but with no sources available to me, I couldn't download any of it to check. Can anyone confirm?
ed2k://|file|windows longhorn build 4008 source code (partial)
Re:Open Source More Secure... maybe not (Score:2, Informative)
Re:Text of advisory (Score:5, Informative)
Re:I realize I'm forfeiting my geek status by aski (Score:2, Informative)
It's very informative.
Re:I realize I'm forfeiting my geek status by aski (Score:2, Informative)
Sorry about the busted links (Score:3, Informative)
Click here for the Google Zeitgeist. [google.com]
Click here just for the graph. [google.com]
Behold Citizens! Let the games begin! (Score:1, Informative)
Bittorrent Links Included (Score:3, Informative)
http://torrent.spyderlake.com/download.php?info_h
Win 2000 Source:
http://torrent.spyderlake.com/download.php?info_h
Was this leak accidental? (Score:1, Informative)
Re:Open Source More Secure... maybe not (Score:4, Informative)
I would (and do) use the Fedora legacy project [fedoralegacy.org].
Re:Open Source More Secure... maybe not (Score:3, Informative)
1.8 Internet Explorer Is Updated with the Service Pack
Microsoft Internet Explorer (IE) version 5.01 is now updated only when you install a Windows 2000 service pack, in accordance with the Microsoft support strategy. Windows 2000 SP3 includes all of the fixes released in IE 5.01 with Service Pack 2, plus additional security and functionality fixes that apply to IE and Microsoft Outlook(R) Express version 5.01. For more information about these fixes, see article Q320853, "List of Bugs Fixed in Windows 2000 Service Pack 3," in the Microsoft Knowledge Base.
Re:Free as in beer helps as well (Score:4, Informative)
Please read the original post I was responding to, which states:
I'm not going to respond to each response with the same message, so here it is:
The IE situation is the worst. You probably have no choice but to upgrade. In this case you can probably download IE 6 for free, but for other exploits you may have to pay for a newer version of Windows. Hear me, it's the worst.
The open source situation is better. You at least have the source, and at the worst case can go patch it yourself or pay somebody to patch it. Some investment in time or money can enable you to stay with an older version to avoid upgrading.
However, open source doesn't solve all the problems. If there's no volunteer to keep an old version patched, then there's some cost on your part if you don't want to upgrade. Upgrading, on the other hand, contains some risks (which may translate to cost as well). For one, the new features may contain new exploits.
Which is why I wrote that insisting on running Red Hat 5.0 may be expensive, even though it's open source. It's entirely possible (which is good, and better than IE or Windows), because you have source, but it may not be viable, despite having the source.
Somebody brought up Debian. Yes, Debian maintains an excellent stable distribution. However, not even Debian volunteers patch every old version. At some point, "testing" becomes "stable" and the old "stable" will be left to rot. If you insist on running the old one, then your personal TCO will increase significantly.
And now the obvious conclusion: not even open source can make not upgrading a viable option forever. At some point (obviously at different points for Windows compared to Red Hat Linux) it's cheaper to upgrade. That's all I'm saying.
Re:Text of advisory (Score:4, Informative)
WARNING: ARTICLE CONTAINS SOURCE CODE (Score:5, Informative)
The Slashdot editors should remove the link immediately. It's really dangerous to have on the front page of this site.
Re:But the question is... (Score:3, Informative)
Umm, probably about as long as the flaws in sendmail and bind?
Open source is not a panacea, those two packages alone have accounted for more Internet carnage than any bug in an MS product. And they were open source, full of bugs, and no-one fixed them.
See, this "many eyes" argument only works if many eyes are looking at the code, whereas in practice everyone assumes that everyone else is, so they don't need to worry about it.
It is also worth noting that the source of the leak was traced to a Linux box at a company called MainSoft, who licensed the code to write their cross-platform toolkit MainWin.