Date: Tue, 3 Apr 2007 10:32:31 -0700
From: "Matthew Murphy" <mattmurphy@...rr.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] More information on ZERT patch for ANI 0day

On 4/3/07, Stefan Kelm <stefan.kelm@...orvo.de> wrote:
> Has anyone actually checked what this patch does? Who are ZERT and
> ISOTF respectively ("About ISOTF" at http://www.isotf.org/?page_value=0
> says a lot...)?
>
> ...or is this an April Fool's joke?

The patch is 100% real and it is effective.  I've seen it in action on
testbeds.  I can't claim to be an unbiased observer, as I helped some
with the actual engineering process.

There's a list of team members available:
http://www.isotf.org/zert/members.htm

ZERT includes a handful of the industry's most talented reverse
engineering experts.  You will know many of them if you follow
security news regularly, and some of them whose names may not be
familiar to you (like Michael Ligh and Gil Dabah) are nonetheless
master craftsmen of the trade we call security engineering.  If I were
running a security department, I'd hire them.

You don't have to listen to me, though.  For the cynics out there who
are as comfortable vetting code yourself as listening to me (nothing
wrong with that, either), there's source code in the downloadable ZIP.
The code is missing for two components:

1. The patch ships the Microsoft Layer for Unicode (MSLU) in
Unicows.dll which enables us to support platforms (Windows 95/98/Me)
which are no longer officially supported by Microsoft.  You can
replace that DLL with your own copy of the MSLU library if you're
concerned about its origins -- it hasn't been modified at all.

2. The patch sources statically link to Gil Dabah's distorm disassembler
library (distorm.lib) as well.  That library is used to identify the
vulnerable code within the affected DLL.  You can build your own of
that, from source, if you wish:

http://www.ragestorm.net/distorm/

Don't worry... the patch doesn't bite.  In either sense of the word.

Regards,
Matt Murphy
