Safari for widnows and Google Chrome Window.open and alert DoS

Monday, September 29, 2008
#####################################
Safari for windows and Google Chrome
Window.open & alert DoS
#####################################

Reported Here => http://code.google.com/p/chromium/issues/detail?id=2966

Product Version : 0.2.149.30 (2200)
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 3: FAIL
Firefox 3: OK
IE 7: OK

What steps will reproduce the problem?
1. Open a Malicious page with evil script code

What is the expected result?
Chrome open one window and show one alert.


What happens instead?
Chrome open all time a new window wen the users click in OK
from alert...

Please provide any additional information below. Attach a screenshot if
possible.

##########################
Evil Page with Javascript
##########################
<html>
<head></head>
<title> Chrome Window.open & alert DoS</title>
<body>
<script>
DMK = window.open(location.reload('http://lostmon.blogspot.com'));
DMK.alert(DMK)
</script>
</body>
</html>


##################€nd##############
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Filealyzer 1.6.0.4 Stak overflow

Sunday, September 28, 2008
#################################
Filealyzer 1.6.0.4 Stak overflow
Vendor url:http://www.safer-networking.org/
Advisore:http://lostmon.blogspot.com/
2008/09/filealyzer-1604-stak-overflow.html
Vendor notify:yes exploit:PRIVATE
###############################


#############################
Overview By vendor
#############################

http://www.safer-networking.org/en/filealyzer/index.html

FileAlyzer is a tool to analyze files - the name itself
was initially just a typo of FileAnalyzer, but after a
few days I decided to keep it. FileAlyzer allows a basic
analysis of files (showing file properties and file contents
in hex dump form) and is able to interpret common file
contents like resources structures (like text, graphics,
HTML, media and PE).

Using FileAlyzer is as simple as viewing the regular properties
of a file - just right-click the file you want to analyze and
choose Open in FileAlyzer.

###################
Description of bug
###################

http://forums.spybot.info/showthread.php?t=34737

Filealyzer is prone vulnerable to a stack overflow
wen parsing a malformed exe file with a malformed
version information.

The asm code reveals that the application fails
in a instruction wen try to move EAX register value
to EAX register again.




#######################
Signature for identify
#######################

This information Is of ID´s Systems
or antivirus or antispyware software
to easy detect.

filesize=327168
timestamp[file]=2008-08-26 14:24:23
md5=B84ADA93FAEB728F024687A6127B5AAB
crc32=4629A2C8
exists[authx509]=0

######################
Solution
###################

No sulution at this time !!!

##############
Time Line
##############

Discovered:02-07-2008
Vendor notify:28-09-2008
Disclosure:28-09-2008

##################€nd##############
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Google Chrome Fatal Crash

Saturday, September 20, 2008
##########################
Google Chrome Fatal Crash
##########################

Product Version : 0.2.149.30 (2200)and 0.2.149.29
URLs (if applicable) :it´s indiferent.
Other browsers tested:

Safari 3: ok
Firefox 3: ok
IE 7: ok
With other browsers i can only saturate the browser.

What steps will reproduce the problem?
1. open a malformed web
2. close the tab window
3. close again the same tab window

What is the expected result?

the expected result is that Chrome close the tab and we can´t close again
the tab

What happens instead?

Chrome do a Fatal Crash :)

sing of error:

AppName: chrome.exe AppVer: 0.0.0.0 ModName: chrome.dll
13:22 ? Lostmon ¦ ModVer: 0.2.149.30 Offset: 00007b1c



After a several test i can reproduce it all time
the function source file and function involved in crash:

tab_strip_model.cc

http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tabs/tab_str
ip_model.cc?view=markup&pathrev=83

and the function part in the file affected is in line 561:

TabContents* TabStripModel::GetContentsAt(int index) const {
CHECK(ContainsIndex(index)) <<
"Failed to find: " << index << " in: " << count() << " entries.";
return contents_data_.at(index)->contents;
}

reported here:
http://code.google.com/p/chromium/issues/detail?id=2579

--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Thnx for your time !!!

Maxthon Browser URI about: Dialog XSS

Friday, September 05, 2008
##########################################
Maxthon Browser URI about: Dialog XSS.
Vendor URL: http://www.maxthon.com/
Advisore:http://lostmon.blogspot.com/2008/09/
avant-browser-uri-about-dialog-xss_05.html
Vendor notify:yes exploit available:yes
##########################################

##########################
Vulnerability description
##########################

Maxthon Browser contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate In the URI dialog
'about:' This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server,leading loss ofintegrity.

#################
Versions
################·

Maxthon Browser 1.6.4 built 20 Vulnerable

Maxthon Browser 2.0.2.2961 Not vulnerable

Aparently in changelog of this version (2.0.2.2961)
The vendor has change some parts of about dialog ,them,
this vulnerability its pached after this version; but
before, prior versions can be vulnerables too.


ChangeLog from Maxthon:
http://www.maxthon.com/changelog.htm



###################
Solution
###################

Update to version 2.0.2.2961 or latest built.



###################
Timeline
##################

Dicovered:16-08-2008
vendor notify:05-09-2008
Vendor response:---
Public Disclosure:----

###################
Proof of Concept.
###################

#############
Test
#############

Put in your Maxthon Broser

about:"><script>alert(1)</script>

or create a link like

<a href='about:<a href='about:"><script>alert(1)</script>'>Maxthon Browser XSS</a>

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Avant Browser URI about: Dialog XSS

##########################################
Avant Browser URI about: Dialog XSS.
Vendor URL: http://www.avantbrowser.com/
Advisory:http://lostmon.blogspot.com/2008/09/
avant-browser-uri-about-dialog-xss.html
Vendor notify:Yes exploit available:yes
##########################################

##########################
Vulnerability description
##########################

Avant Browser contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate In the URI dialog
'about:' This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server,leading loss of integrity.

#################
Versions
################·

Avant Browser 11.6 built 20 vulnerable.

Avant Browser 11.6 built 7 vulnerable


###################
Solution
###################

No Solution at this time !!!



###################
Timeline
##################

Discovered:16-08-2008
vendor notify:05-09-2008
Vendor response:---
Public Disclosure:----

###################
Proof of Concept.
###################

#############
Test
#############

Put in your Avant Broser

about:"><script>alert(1)</script>

or create a link like

<a href='about:"><script>alert(1)</script>'>Avant Browser XSS</a>

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...