lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 4 Oct 2006 09:43:54 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com, vuln-dev@...urityfocus.com,
	funsec@...uxbox.org
Subject: Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for
 setSlice()]

> So how is this a patch when you are simply automating a simple work
> around?
> 
> If this can be called a patch then we should be able to say that
> Microsoft released a patch in their bulletin on this issue where they
> describe exactly how to set the killbit.
> 
> A *real* patch would actually address the vulnerable code.

Our (ZERT's) VML patch was what you refer to as "real". There was space
issue with not enough bytes to play with, so Gil Dabah, one of our
members, re-wrote the vulnerable function in Yasm, compiled it, and
hard-coded the compiled code into the binary, with room to spare, saving
functionality. Code crunching is back in style. :)

You can read about the vulnerability, the patch and the Microsoft patch
here (technical + ASM and C code):

http://zert.isotf.org/papers/vml-details-20060928.pdf

As to the setSlice() patch... an alternative does not necessarily mean
intrusive. A patch for the setSlice() vulnerability was already provided
by Determina which was very nice and very professional. It used some
ideas we developed ourselves - we liked it - it was a very efficient
patch.
It came out as commercial, though. We release our work under GPL
and Creative Commons with full source code available.

In this incident (ZERT2006-02) We provided with an automation of the
workaround, to make it simple for users and organizations which are
interested, and for whom a third party patch is too risky for various
reasons ranging from support to liability, to protect themselves.

As an example, Network admins can easily use the console version of
ZProtector to run in the login script of a domain. ZProtector is not a
patch per se, it is an automated kill bit software which gets updated as
new unpatched vulnerabilities and 0days are disclosed/discovered/reported.

For more information, you can visit the Zeroday Emergency Response Team
web site at: http://isotf.org/zert/

IMPORTANT: third party patches should always be considered a last resort,
and used only if the other solutions, if such exist, are not good for
you. I like the idea of having an alternative.

ZERT withdrew its VML patch as soon as Micorosft released the official
patch. They did really good work on it. Kudos to the guys at MSRC.

Thanks,

	Gadi.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ