Message-ID: <000301c774bf$3cf4a4f0$b6ddeed0$@net>
Date: Sun, 1 Apr 2007 17:38:29 -0700
From: "George Ou" <george_ou@...architect.net>
To: <ad@...poverflow.com>
Cc: full-disclosure@...ts.grok.org.uk, 'Larry Seltzer' <Larry@...ryseltzer.com>
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow
ad@...poverflow.com said:
"http://www.milw0rm.com/exploits/3634
str0ke told me to test this one and no miracle, it works under Vista and the
default DEP settings don't catch it."
Default DEP settings in Windows XP or Vista are worthless since it's off for
all applications including IE7. I tested with DEP always-on and it crashed
IE7 and the exploit failed.
Note that when you manually launch an HTML file from your hard drive, Protected
Mode is turned off because your HDD is considered a trusted source, whereas
the public Internet is not. If I had tried to browse a webpage with this
exploit, Protected Mode would have been turned on. I also had to manually
bypass the ActiveX warning to get the exploit to run, and even then it
crashed with my fully-on DEP settings with hardware enforcement.
I don't really feel like turning off my DEP settings on my Vista machine,
though I have a feeling that UAC would prevent it from rooting my system,
though it could probably damage my files if it were coded to do that. But I
had to go out of my way to get this exploit to run by manually downloading
the zip and manually enabling the ActiveX control just to get it to crash my
browser.
So I think it's fair to say that hardware-enforced fully-enabled DEP will
defeat the ANI exploit (in the current generic state) all by itself.
Protected Mode would have also mitigated the ANI exploit to a low-risk state
that is non-persistent as soon as IE is closed.
So with Protected Mode turned off and DEP not fully enabled (or NX hardware
missing), the ANI exploit would be able to compromise the local user
profile and data, but it would still need to get around UAC if it wants to
put a backdoor in Vista.
George
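The distinction George's test turns on is the system-wide DEP policy: the XP/Vista default is "OptIn", which covers only Windows system binaries and leaves IE7 unprotected, while "AlwaysOn" covers every process. The following PowerShell check is an added example, not part of this message or of any exploit code; it reads the policy through the Win32_OperatingSystem WMI class and cross-checks the boot configuration's nx entry so a defender can confirm a machine is actually in the state George tested rather than the default. It assumes a Windows host with WMI available (the DEP properties exist from XP SP2 onward) and bcdedit (Vista or later), run from an elevated prompt.

```powershell
# Added example (not George Ou's code): report the machine-wide DEP policy.
# Assumptions: Windows with WMI (XP SP2+) and bcdedit (Vista+), elevated prompt.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$policyNames = @{
    0 = 'AlwaysOff'   # DEP disabled for every process
    1 = 'AlwaysOn'    # DEP enforced for every process; no opt-out possible
    2 = 'OptIn'       # the XP/Vista default: only Windows system binaries
    3 = 'OptOut'      # every process except those explicitly exempted
}

$os     = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

# Cross-check against the boot configuration store; its 'nx' entry carries
# the same policy the kernel applied at boot.
$nxSetting = $null
foreach ($line in (bcdedit /enum '{current}' 2>$null)) {
    if ($line -match '^\s*nx\s+(\S+)') { $nxSetting = $Matches[1]; break }
}

'{0,-26}: {1}' -f 'Hardware NX available',  $os.DataExecutionPrevention_Available
'{0,-26}: {1}' -f 'Policy',                 "$policy ($($policyNames[$policy]))"
'{0,-26}: {1}' -f 'Applies to 32-bit apps', $os.DataExecutionPrevention_32BitApplications
'{0,-26}: {1}' -f 'Applies to drivers',     $os.DataExecutionPrevention_Drivers
if ($nxSetting) { '{0,-26}: {1}' -f 'BCD nx setting', $nxSetting }

if (-not $os.DataExecutionPrevention_Available) {
    Write-Warning 'No hardware NX support: DEP cannot be hardware-enforced on this machine.'
} elseif ($policy -ne 1) {
    Write-Warning ("DEP policy is $($policyNames[$policy]); only AlwaysOn protects every " +
                   "process, IE7 included. Change it with: bcdedit /set '{current}' nx AlwaysOn " +
                   "(reboot required).")
}
```

On a default Vista install this prints a policy of 2 (OptIn) and a BCD nx setting of OptIn, which is exactly the state in which the quoted exploit ran; after `bcdedit /set '{current}' nx AlwaysOn` and a reboot it reports 1 (AlwaysOn), the configuration under which George saw the exploit fail. Note that switching to AlwaysOn is a boot-level setting and will also affect any legitimate application that relies on executable heap or stack memory.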
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/