lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 31 Mar 2007 01:11:15 +0200
From: Jan Wrobel <wrobel@...es.ath.cx>
To: Alexander Sotirov <asotirov@...ermina.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: 0-day ANI vulnerability in Microsoft Windows
	(CVE-2007-0038)

On Thu, 29 Mar 2007, Alexander Sotirov wrote:

> Today Microsoft released a security advisory about a vulnerability in the
> Animated Cursor processing code in Windows:
> http://www.microsoft.com/technet/security/advisory/935423.mspx
> 
> It seems like the vulnerability is already exploited in the wild:
> http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/

Bleeding Edge Threats made available Snort rule that detects some (all?)
exploits using this vulnerability:
http://www.bleedingthreats.net/index.php/2007/03/30/ms-ani-exploit-rule-details-emerging/

I don't know if this rule detects all possible exploits or just one
particular type. Here is a Firekeeper version of the rule, which can
be used to detect sites hosting malicious files:

alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; body_content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; fid:2003519; rev:1;)


Rule is triggered for example by the following images:                                                                                       
http://www.i5460.net/admin12/2.jpg                                                                                                              
http://www.i5460.net/admin12/1.jpg 


Cheers,
Jan Wrobel
http://firekeeper.mozdev.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists