lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <8beca820609260704n332db92ja4b99885c46ea2fa@mail.gmail.com>
Date: Tue, 26 Sep 2006 17:04:37 +0300
From: avivra <avivra@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: VML Exploit vs. AV/IPS/IDS signatures

The code for exploiting the unpatched VML vulnerability is in-the-wild
for a week or so. This was enough time for Anti Virus, IPS/IDS and
other reactive security products' vendors to create a signature for
the in-the-wild exploit.
So, I put my hand on one of the in-the-wild and tested it using Virus
Total. The results were not so good. Only 10 of 27 Anti-Viruses
detected the exploit on the malicious web page.
Are those signatures generic enough? I've decided to check it out.

I've used 5 simple methods, trying to evade being detected by the signature:
1) I've replaced the location where EIP should jump when the exploit
is activated, with a different valid address.
2) I've replaced the VML element from "rect" with one of the other VML elements.
3) I've replaced the payload with a different valid shell code.
4) I've replaced the namespace key with a random key.
5) A combination of all of the above.

Please note that when I changed the code using any of the methods, the
exploit still worked.

More info: http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx

-- Aviv.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ