That was me. Nearly two years ago to the week :) http://www.securityfocus.com/archive/82/290856 /snip -----Original Message----- From: cassidy macfarlane Sent: Friday, September 06, 2002 7:57 AM To: vuln-dev securityfocus com Subject: old netscape vuln - affecting XP/explorer? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi I posted this to bugtraq, but was advised to post here.. I d/loaded the old 'crash-netscape.jpg' from secfocus (id 1503, http://online.securityfocus.com/data/vulnerabilities/exploits/crash-nets cape.jpg ) Sorry if it wraps intending to have a play with Mozilla ;). I stuck it into my cygwin dir on my local HD. When I browse to this folder using explorer (***Tiles view***), I get an explorer restart. (all open explorer windows close, but apps persist) /snip Faulting application explorer.exe, version 6.0.2600.0, faulting module ntdll.dll, version 5.1.2600.0, fault address 0x00003812. 0000: 41 70 70 6c 69 63 61 74 Applicat 0008: 69 6f 6e 20 46 61 69 6c ion Fail 0010: 75 72 65 20 20 65 78 70 ure exp 0018: 6c 6f 72 65 72 2e 65 78 lorer.ex 0020: 65 20 36 2e 30 2e 32 36 e 6.0.26 0028: 30 30 2e 30 20 69 6e 20 00.0 in 0030: 6e 74 64 6c 6c 2e 64 6c ntdll.dl 0038: 6c 20 35 2e 31 2e 32 36 l 5.1.26 0040: 30 30 2e 30 20 61 74 20 00.0 at 0048: 6f 66 66 73 65 74 20 30 offset 0 0050: 30 30 30 33 38 31 32 0d 0003812. 0058: 0a . /end snip I'm running XP Pro, all hotfixes (apart from todays....MS02-049 and MS02-050...yawn) Does anyone else get the same? Is this exploitable? - I get the same address (0x0003812) every time...is this adjustable with the header/etc in the dodgy .jpg? TIA, and apologies if this is known or a misconfiguration. Cassidy Macfarlane Group IT www.tenongroup.com PGP fingerprint: 31A2 1A52 6CB9 E91C 27D8 9C5C FC40 4FD7 5E96 E1A4 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBPXiXUvxAT9deluGkEQIuewCgzZPslfiGX/EbwH3SEPXw2k5MHxsAoIMv WyrI7Lv3qUtHxGtfbboxOkJB =sXVg -----END PGP SIGNATURE----- /end snip -----Original Message----- From: GulfTech Security [mailto:security@xxxxxxxxxxxx] Sent: 16 September 2004 18:53 To: bugtraq@xxxxxxxxxxxxxxxxx Subject: JPEG Processing BOF Proof Of Concept About a year ago I came across this same issue. I came across it while messing with Solar Designer's old Netscape JPEG bug. So, in short the same issue applies to WinXP it seems. I showed the bug to a few people (even contacted Microsoft, but got no reply), but neither them nor myself ever got around to figuring it out. Nick DeBaggis and eEye did a good job of figuring this very dangerous issue out :) Anyway, the point to this post is to release the POC I just put together using the findings that I have been sitting on for quite some time. As I said before, I never fully understood exactly what was going on, so this POC doesn't execute code or anything, but it will crash any WindowsXP machine that has not been patched from this flaw. If you cannot access the attached file, you may download the POC here http://www.gulftech.org/?node=downloads BTW: There was a BugTraq (or some other sec mailing list) post from over a year ago that talks about the Netscape JPEG issue crashing the WindowsXP Shell. I remember seeing them when I first started looking into this issue, but do not have links right off hand. Maybe someone else reading this does?
