Michal Zalewski has released some details with links to proof of concept code for a MSIE same-origin bypass race condition, MSIE memory corruption on page transitions, CANVAS implementation crashes, and Safari page transition tailgating.
aada75a86af557c06b7ae5af9b0eebe4b1e6812bafa534a00cb5dd004ecdf459Hi all,
I am way behind on this, so I wanted to drop a quick note regarding
some of my vulnerabilities recently addressed by browser vendors - and
provide some possibly interesting PoCs / fuzzers to go with them:
Summary : MSIE same-origin bypass race condition (CVE-2007-3091)
Impact : security bypass, possibly more
Reported : June 2007 (publicly)
PoC URL : http://lcamtuf.coredump.cx/ierace/
Bulletin : http://www.microsoft.com/technet/security/bulletin/MS09-019.mspx
Notes : additional credit to David Bloom for developing an improved
proof-of-concept exploit
Summary : MSIE memory corruption on page transitions
Impact : memory corruption, potential code execution
Reported : April 2008 (privately)
PoC URL : http://lcamtuf.coredump.cx/stest/ (fuzzers)
Bulletin : http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx
Notes : -
Summary : multiple browsers <CANVAS> implementation crashes
(CVE-2008-2321, ???)
Impact : memory corruption, potential code execution
Reported : February 2008 (privately)
PoC URL : http://lcamtuf.coredump.cx/canvas/ (fuzzer)
Bulletin : http://lists.apple.com/archives/security-announce/2009/Jun/msg00002.html
Bulletin : http://www.opera.com/support/kb/view/882/
Notes : also some DoS issues in Firefox
Summary : Safari page transition tailgating (CVE-2009-1684)
Impact : page spoofing, navigation target disclosure
Reported : February 2008 (privately)
PoC URL : http://lcamtuf.coredump.cx/sftrap2/
Bulletin : http://lists.apple.com/archives/security-announce/2009/Jun/msg00002.html
Notes : -
Cheers,
/mz
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed