lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 1 Apr 2007 17:38:29 -0700
From: "George Ou" <george_ou@...architect.net>
To: <ad@...poverflow.com>
Cc: full-disclosure@...ts.grok.org.uk, 'Larry Seltzer' <Larry@...ryseltzer.com>
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

"ad@...poverflow.com said:
http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under vista and the
default DEP settings doesn't catch it."


Default DEP settings in Windows XP or Vista are worthless since it's off for
all applications including IE7.  I tested with DEP always-on and it crashed
IE7 and the exploit failed.

Note that when you manually launch an HTML from your hard drive, Protected
Mode is turned off because your HDD is considered a trusted source where as
the public Internet is not.  If I had try to browse a webpage with this
exploit, protected mode would have been turned on.  I also had to manually
bypass the Active X warning to get the exploit to run and even then it
crashed with my fully-on DEP settings with hardware-enforcement.

I don't really feel like turning off my DEP settings on my Vista machine
though I have a feeling that UAC would prevent it from rooting my system
though it could probably damage my files if it were coded to do that.  But I
had to go out of my way to get this exploit to run by manually downloading
the zip and manually enabling the ActiveX control just to get it to crash my
browser.

So I think it's fair to say that hardware-enforced fully-enabled DEP will
defeat the ANI exploit (in the current generic state) all by itself.
Protected Mode would have also mitigated the ANI exploit to a low-risk state
that is non-persistent as soon as IE is closed.

So with protected mode turned off, DEP not fully enabled (or missing NX
hardware), the ANI exploit would be able to compromise the local user
profile and data but it would still need to get around UAC if it wants to
put a backdoor in Vista.



George

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ