Comments on: MSIE Content-Encoding: deflate memory corruption vulnerability http://skypher.com/index.php/2009/10/13/ms09-054cve-2009-1547-data-stream-header-corruption-vulnerability/ The blog for absolutely nothing! Fri, 25 Jun 2010 07:02:27 +0000 hourly 1 http://wordpress.org/?v=3.0 By: SkyLined http://skypher.com/index.php/2009/10/13/ms09-054cve-2009-1547-data-stream-header-corruption-vulnerability/comment-page-1/#comment-510 SkyLined Tue, 20 Oct 2009 14:56:54 +0000 http://skypher.com/?p=249#comment-510 I'm not sure what you mean. If you're trying to say that it is impossible (or at least very hard) to find this kind of bug using fuzzing, then you may be surprised to hear that I found this using a fuzzer :D. My fuzzer actually triggered this bug quite often: it wasn't one lucky hit. Note that the original HTTP replies that my fuzzer generated that triggered this issue where a lot larger and more complex. I reduced the size by removing most of the bytes that aren't required to trigger the bug. That makes it easier to spot the cause of the issue, which is incorrect handling of (malformed) deflate data. The lack of a "proper" HTTP header in these repro examples has nothing to do with the actual bug. I’m not sure what you mean. If you’re trying to say that it is impossible (or at least very hard) to find this kind of bug using fuzzing, then you may be surprised to hear that I found this using a fuzzer :D . My fuzzer actually triggered this bug quite often: it wasn’t one lucky hit.

Note that the original HTTP replies that my fuzzer generated that triggered this issue where a lot larger and more complex. I reduced the size by removing most of the bytes that aren’t required to trigger the bug. That makes it easier to spot the cause of the issue, which is incorrect handling of (malformed) deflate data. The lack of a “proper” HTTP header in these repro examples has nothing to do with the actual bug.

]]> By: Noam Rathaus http://skypher.com/index.php/2009/10/13/ms09-054cve-2009-1547-data-stream-header-corruption-vulnerability/comment-page-1/#comment-509 Noam Rathaus Tue, 20 Oct 2009 09:44:33 +0000 http://skypher.com/?p=249#comment-509 The issue with discovering it is that it is client side and is not properly parsed by the browsering, meaning that if you would brute-force fuzz it. You will need to manual tell IE to try again as it would get stuck on something similar to the above request but missing critical parts of it (HTTP version value, HTTP method, etc..). The issue with discovering it is that it is client side and is not properly parsed by the browsering, meaning that if you would brute-force fuzz it.

You will need to manual tell IE to try again as it would get stuck on something similar to the above request but missing critical parts of it (HTTP version value, HTTP method, etc..).

]]>