lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <9E97F0997FB84D42B221B9FB203EFA2701FA040B@dc1ms2.msad.brookshires.net>
Date: Thu Dec 29 21:51:51 2005
From: toddtowles at brookshires.com (Todd Towles)
Subject: test this

Yet in my defense, CERT calls it a "buffer overflow" ;) 

> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk 
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf 
> Of Peter Ferrie
> Sent: Thursday, December 29, 2005 11:51 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: RE: Re[2]: [Full-disclosure] test this
> 
> >TrendMicro has released pattern file = 3.135.00 It appears 
> to pick up 
> >all the trojans using the WMF exploit as of right now. 
> Variants could 
> >affect this however.
>  
> If they're blindly detecting anything that contains the 
> SetAbortProc, then they're detecting the legitimate use of a 
> documented function.
>  
> >Is this buffer overflow pretty specific like the older GIF 
> exploit? If 
> >I remember correctly, there were really only two ways to 
> make the GIF 
> >exploit work, so the detection was pretty solid. Is this exploit 
> >similar? Or does it have some trick point that could be used to fool 
> >known sigs?
>  
> Perhaps you should read about it on Microsoft's site.
> It's not a buffer overflow.  WMF files since at least Windows 
> 3.0 days have been allowed to carry executable code in the 
> form of their own SetAbortProc handler.  This is perfectly 
> legitimate, though the design is a poor one.  The only thing 
> that has changed is the code that is being executed.
>  
> 8^) p.
>  
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ