[<prev] [next>] [day] [month] [year] [list]
Message-ID: <9E97F0997FB84D42B221B9FB203EFA2701FA040B@dc1ms2.msad.brookshires.net>
Date: Thu Dec 29 21:51:51 2005
From: toddtowles at brookshires.com (Todd Towles)
Subject: test this
Yet in my defense, CERT calls it a "buffer overflow" ;)
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf
> Of Peter Ferrie
> Sent: Thursday, December 29, 2005 11:51 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: RE: Re[2]: [Full-disclosure] test this
>
> >TrendMicro has released pattern file = 3.135.00 It appears
> to pick up
> >all the trojans using the WMF exploit as of right now.
> Variants could
> >affect this however.
>
> If they're blindly detecting anything that contains the
> SetAbortProc, then they're detecting the legitimate use of a
> documented function.
>
> >Is this buffer overflow pretty specific like the older GIF
> exploit? If
> >I remember correctly, there were really only two ways to
> make the GIF
> >exploit work, so the detection was pretty solid. Is this exploit
> >similar? Or does it have some trick point that could be used to fool
> >known sigs?
>
> Perhaps you should read about it on Microsoft's site.
> It's not a buffer overflow. WMF files since at least Windows
> 3.0 days have been allowed to carry executable code in the
> form of their own SetAbortProc handler. This is perfectly
> legitimate, though the design is a poor one. The only thing
> that has changed is the code that is being executed.
>
> 8^) p.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Powered by blists - more mailing lists