Message-ID: <Pine.LNX.4.64.0711180819270.2372@localhost.localdomain>
Date: Sun, 18 Nov 2007 08:27:29 +0000 (UTC)
From: jf <jf@...glingpointers.net>
To: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
Cc: "CaseArmour.net Security Administrator" <security@...earmour.net>,
	bugtraq@...urityfocus.com, frankruder@...mail.com,
	full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability

is it? If I recall correctly, the hexview advisory was the result of
something like a word-to-byte truncation followed by a byte
sign-extension (but it's been long enough that I may be misremembering
it)

In this advisory it was not entirely clear what
the condition was; from what I remember reading of it the other day, it
didn't get into how/why, it just used ecx or a register as a counter
but didn't show how it came to that value?

What's interesting is that for the hexview bug, patching the bug itself is trivial
from the assembly (not taking into account the work encountered from bin patching
itself), and I know many organizations attempted to put a lot of pressure
to get it patched and failed to do so

On Sun, 18 Nov 2007, Juha-Matti Laurio wrote:

> Date: Sun, 18 Nov 2007 01:58:02 +0200 (EET)
> From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
> To: CaseArmour.net Security Administrator <security@...earmour.net>,
>     bugtraq@...urityfocus.com, frankruder@...mail.com,
>     full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
>
> There is a well-known unpatched code execution type vulnerability reported originally in msjet40.dll version 4.00.8618.0 too.
> This issue reported by HexView is known since March 2005:
>
> http://www.securityfocus.com/bid/12960
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0944
>
> We probably won't see a fix for this issue.
>
> - Juha-Matti
>
> "CaseArmour.net Security Administrator" <security@...earmour.net> wrote:
> > It would be useful to know if this is also an issue with msjet40.dll
> > 4.0.9510.0 (Windows Server 2003 SP2 + hotfixes).  I have an installer
> > for Windows XP SP2 that -- seems -- to cleanly apply Windows Server 2003
> > SP2's MDAC 2.82.  I haven't been able to give it a serious, hard testing
> > because I don't have many apps that still use MDAC.
> >
> > On Fri, 16 Nov 2007 19:25:29 +0800, "cocoruder" <cocoruder@...il.com>
> > said:
> > >
> > >     (C:\Windows\System32\msjet40.dll, version is 4.0.8618.0)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
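The bug pattern jf recalls from the hexview advisory (a 16-bit count narrowed to a signed byte, then sign-extended when it is used as a size) is a general integer-handling defect class, and it is easy to see why a naive bounds check fails to catch it. The C below is an added example written for this archive page, not code from the thread or from msjet40.dll; jf himself says he may be misremembering the advisory, so this reproduces only the pattern as he describes it. The record layout (a little-endian 16-bit entry count followed by 4-byte entries), the capacity `MAX_ENTRIES`, and the functions `buggy_parse`, `safe_parse` and `buggy_overflows` are all constructed for illustration and have nothing to do with the real MDB format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record layout for this example (NOT the Jet MDB format):
 * a 16-bit little-endian entry count, then that many 4-byte entries. */
#define MAX_ENTRIES 64                       /* capacity of the fixed destination */
#define ENTRY_SIZE  4
#define DEST_BYTES  (MAX_ENTRIES * ENTRY_SIZE)

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Hypothetical buggy reader: the 16-bit count is narrowed to a signed
 * byte before the bounds check, then widened back (sign-extended) when
 * the copy size is computed. Returns 1 if the record is accepted and
 * writes the number of bytes the copy would use to *copy_len. */
int buggy_parse(const uint8_t *rec, size_t *copy_len)
{
    uint16_t word = read_le16(rec);
    int8_t n = (int8_t)word;                 /* word-to-byte truncation */
    if (n > MAX_ENTRIES)                     /* a negative n passes this check */
        return 0;
    /* n is promoted to int with its sign and then converted to size_t:
     * for n < 0 the product is enormous and the copy would overrun the
     * destination; for a count >= 256 the high byte is silently lost. */
    *copy_len = (size_t)n * ENTRY_SIZE;
    return 1;
}

/* Fixed reader: keep the count at its full unsigned width and reject it
 * against the real capacity before any conversion or arithmetic. */
int safe_parse(const uint8_t *rec, size_t *copy_len)
{
    uint16_t n = read_le16(rec);
    if (n > MAX_ENTRIES)
        return 0;
    *copy_len = (size_t)n * ENTRY_SIZE;
    return 1;
}

/* Detection helper: 1 if the buggy path accepts the record and the
 * resulting copy would exceed DEST_BYTES, i.e. the overflow condition. */
int buggy_overflows(const uint8_t *rec)
{
    size_t len = 0;
    return buggy_parse(rec, &len) && len > DEST_BYTES;
}

int main(void)
{
    /* Constructed sample count fields (little-endian) */
    const uint8_t samples[][2] = {
        {0x10, 0x00},   /* 16 entries: accepted by both readers */
        {0x80, 0x00},   /* 128 entries: truncates to -128, passes the buggy check */
        {0xFF, 0x00},   /* 255 entries: truncates to -1 */
        {0x00, 0x01},   /* 256 entries: truncates to 0, high byte lost */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t blen = 0, slen = 0;
        int b = buggy_parse(samples[i], &blen);
        int s = safe_parse(samples[i], &slen);
        printf("count=%5u  buggy: %s len=%zu | safe: %s len=%zu\n",
               read_le16(samples[i]),
               b ? "accept" : "reject", blen,
               s ? "accept" : "reject", slen);
    }
    return 0;
}
```

Two things are worth noticing in the output: the buggy reader accepts a count of 128 or 255 with a copy length in the exabyte range, and it also accepts 256 with a copy length of zero, so the same defect yields both an overflow and a silent short read. The fix is not a larger check but doing the comparison on the value at its original width before any narrowing conversion.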
