lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <43FB1967D03EC7449A77FA91322E3648143FDE@SVL1XCHCLUPIN01.enterprise.veritas.com>
Date: Thu Dec 29 17:55:24 2005
From: pferrie at symantec.com (Peter Ferrie)
Subject: test this

>TrendMicro has released pattern file = 3.135.00
>It appears to pick up all the trojans using the WMF exploit as of right
>now. Variants could affect this however.
 
If they're blindly detecting anything that contains the SetAbortProc, then they're detecting the legitimate use of a documented function.
 
>Is this buffer overflow pretty specific like the older GIF exploit? If I
>remember correctly, there were really only two ways to make the GIF
>exploit work, so the detection was pretty solid. Is this exploit
>similar? Or does it have some trick point that could be used to fool
>known sigs?
 
Perhaps you should read about it on Microsoft's site.
It's not a buffer overflow.  WMF files since at least Windows 3.0 days have been allowed to carry executable code in the form of their own SetAbortProc handler.  This is perfectly legitimate, though the design is a poor one.  The only thing that has changed is the code that is being executed.
 
8^) p.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ