Message-ID: <be950f350704021247yfebc7d1id1cd292977e037c3@mail.gmail.com>
Date: Mon, 2 Apr 2007 15:47:25 -0400
From: wac <waldoalvarez00@...il.com>
To: "Gadi Evron" <ge@...uxbox.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: More information on ZERT patch for ANI 0day
Well I did my patch and I'm giving it away to be modifiable by everyone out there.
I did it for version 5.1.2600.2622 of user32.dll, English version; not sure if that is the last version from M$ (with the way they handle patches you know you could miss one). Anyway, in any case I believe there is enough information in the sources if it needs a fix, or... not if Microsoft really comes with a patch tomorrow. So far you don't have to be at the mercy of the Chinese worm or evil random cracker. Let me know if it is a POS, if it has bugs, etc... Maybe it is not needed by tomorrow, but I was already doing it. So if it helps... then great!!
download binaries here
http://aircash.sourceforge.net/micro-distro-src.zip
and sources here
http://aircash.sourceforge.net/micro-distro-bin.zip
just my 2 cents
Regards
Waldo
On 4/1/07, Gadi Evron <ge@...uxbox.org> wrote:
>
> Hi, more information about the patch released April 1st can be found here:
>
> http://zert.isotf.org/
>
> Including:
> 1. Technical information.
> 2. Why this patch was released when eEye already released a third party
> patch.
>
> The newly discovered zero-day vulnerability in the parsing of animated
> cursors is very similar to the one previously discovered by eEye that was
> patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated
> cursor RIFF file is read into a stack buffer of a fixed size (36
> bytes) but the actual memory copy operation uses the length field provided
> inside the "anih" chunk, giving an attacker an easy route to overflow the
> stack and gain control of the execution of the process.
>
> With the MS05-002 patch, Microsoft added a check for the length of the
> chunk before copying it to the buffer. However, they neglected to audit
> the rest of the code for any other instances of the vulnerable copy
> routine. As it turns out, if there are two "anih" chunks in the file, the
> second chunk will be handled by a separate piece of code which Microsoft
> did not fix. This is what the authors of the zero-day discovered.
>
> Although eEye has released a third-party patch that will prevent the
> latest exploit from working, it doesn't fix the flawed copy routine. It
> simply requires that any cursors loaded must reside within the Windows
> directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should
> successfully mitigate most "drive-by's," but might be bypassed by an
> attacker with access to this directory.
>
> For this reason, ZERT is releasing a patch which addresses the core of the
> vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk
> will be copied to the stack buffer, thus eliminating all potential exploit
> paths while maintaining compatibility with well-formatted animated cursor
> files.
>
> Gadi.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
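The double-"anih" case described in the quoted post, as an added example (not ZERT's, eEye's or Microsoft's code, and not from either message): a C chunk walker that applies the 36-byte bound to every "anih" chunk in a RIFF/ACON image, including a second one, plus a constructed two-chunk sample to exercise it. The names ani_check, build_two_anih, check_sample and the result codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ANIH_SIZE 36u  /* the fixed 36-byte stack buffer named in the post */
enum { ANI_OK = 0, ANI_BAD_FORMAT = 1, ANI_OVERSIZED_ANIH = 2 };  /* constructed result codes */
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Walk every chunk of a RIFF/ACON image. Each "anih" chunk, not only the first,
 * is bounds-checked before it would be copied into the 36-byte buffer.
 * n_anih receives the number of anih chunks visited. */
int ani_check(const uint8_t *buf, size_t len, unsigned *n_anih) {
    uint8_t hdr[ANIH_SIZE];
    size_t pos = 12;
    *n_anih = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_BAD_FORMAT;
    while (pos + 8 <= len) {
        uint32_t csize = rd32(buf + pos + 4);
        if (csize > len - pos - 8)
            return ANI_BAD_FORMAT;            /* chunk body runs past the file */
        if (memcmp(buf + pos, "anih", 4) == 0) {
            (*n_anih)++;
            if (csize > ANIH_SIZE)
                return ANI_OVERSIZED_ANIH;    /* the check the second code path lacked */
            memcpy(hdr, buf + pos + 8, csize); /* safe: csize <= sizeof hdr */
        }
        pos += 8 + csize + (csize & 1);       /* RIFF chunk bodies are word-aligned */
    }
    return ANI_OK;
}

/* Constructed sample: RIFF/ACON with a well-formed 36-byte anih followed by a
 * second anih whose declared size the caller picks (out needs 88+second bytes). */
size_t build_two_anih(uint8_t *out, uint32_t second) {
    size_t n = 12;
    memcpy(out, "RIFF\0\0\0\0ACON", 12);
    memcpy(out + n, "anih", 4); wr32(out + n + 4, ANIH_SIZE); n += 8;
    memset(out + n, 0, ANIH_SIZE); n += ANIH_SIZE;
    memcpy(out + n, "anih", 4); wr32(out + n + 4, second); n += 8;
    memset(out + n, 0x41, second + (second & 1)); n += second + (second & 1);
    wr32(out + 4, (uint32_t)(n - 8));         /* RIFF size field: everything after it */
    return n;
}

/* Build the sample with the given second-chunk size and run the checker on it. */
int check_sample(uint32_t second) {
    uint8_t img[256]; unsigned n;
    return ani_check(img, build_two_anih(img, second), &n);
}
```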