Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: More information on ZERT patch for ANI 0day



> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf 
> Of Gadi Evron
> Sent: Monday, April 02, 2007 6:20 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] More information on ZERT patch for ANI 0day
> 
> Hi, more information about the patch released April 1st can be found
> here:
> 
> http://zert.isotf.org/
> 
> Including:
> 1. Technical information.
> 2. Why this patch was released when eEye already released a third-party
>    patch.
> 
> The newly discovered zero-day vulnerability in the parsing of animated
> cursors is very similar to the one previously discovered by eEye that
> was patched by Microsoft in MS05-002. Basically an "anih" chunk in an
> animated cursor RIFF file is read into a stack buffer of a fixed size
> (36 bytes) but the actual memory copy operation uses the length field
> provided inside the "anih" chunk, giving an attacker an easy route to
> overflow the stack and gain control of the execution of the process.
> 
> With the MS05-002 patch, Microsoft added a check for the length of the
> chunk before copying it to the buffer. However, they neglected to audit
> the rest of the code for any other instances of the vulnerable copy
> routine. As it turns out, if there are two "anih" chunks in the file,
> the second chunk will be handled by a separate piece of code which
> Microsoft did not fix. This is what the authors of the zero-day
> discovered.
> 
> Although eEye has released a third-party patch that will prevent the
> latest exploit from working, it doesn't fix the flawed copy routine. It
> simply requires that any cursors loaded must reside within the Windows
> directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should
> successfully mitigate most "drive-bys," but might be bypassed by an
> attacker with access to this directory.
> 
> For this reason, ZERT is releasing a patch which addresses the core of
> the vulnerability, by ensuring that no more than 36 bytes of an "anih"
> chunk will be copied to the stack buffer, thus eliminating all
> potential exploit paths while maintaining compatibility with
> well-formatted animated cursor files.
> 
>       Gadi.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
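The two-chunk code path described in the forwarded message, as an added example in C that is not code from the original post nor from ZERT, eEye or Microsoft. Only the 36-byte fixed buffer and the "first anih chunk checked, second anih chunk copied by a separate unchecked routine" behaviour are taken from the message; the simplified RIFF/ACON chunk walker, the `struct frame` stand-in for a saved return address, the `run_demo` helper and the constructed sample file are assumptions made for illustration. The unchecked copy is capped at the size of the modelled frame purely so the demonstration stays memory-safe; the bug the message describes has no cap at all.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not Windows/ZERT/eEye code. Only the 36-byte buffer and
 * the unchecked second-chunk path come from the post; everything else is a
 * constructed model of the parser. */

#define ANIH_SIZE   36u            /* fixed-size anih header buffer (from the post) */
#define RET_MARKER  0x11111111u    /* stand-in for a saved return address */

/* Modelled stack frame: the anih buffer with a sensitive value right after it. */
struct frame {
    uint8_t  anih[ANIH_SIZE];
    uint32_t saved_ret;
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The flawed routine: copies as many bytes as the chunk header declares.
 * Capped at the frame size only so this demo stays memory-safe. */
static void copy_anih_unchecked(struct frame *f, const uint8_t *data, uint32_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((uint8_t *)f, data, len);           /* runs past anih[] into saved_ret */
}

/* The MS05-002 style routine: refuse anything larger than the buffer. */
static int copy_anih_checked(struct frame *f, const uint8_t *data, uint32_t len) {
    if (len > ANIH_SIZE) return -1;
    memcpy(f->anih, data, len);
    return 0;
}

/* Walk the chunks of an in-memory RIFF/ACON file.
 * hardened == 0 models the MS05-002 state: first anih chunk checked, any
 * later anih chunk goes through the unchecked routine.
 * hardened != 0 models the ZERT-style fix: every anih copy is bounded.
 * Returns 0 when the file is accepted, -1 when it is rejected. */
static int parse_ani(const uint8_t *buf, size_t n, int hardened, struct frame *f) {
    if (n < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    size_t off = 12;
    int anih_seen = 0;
    while (off + 8 <= n) {
        const uint8_t *id = buf + off;
        uint32_t len = rd32(buf + off + 4);
        const uint8_t *data = buf + off + 8;
        if (len > n - (off + 8)) return -1;    /* chunk body runs past end of file */
        if (memcmp(id, "anih", 4) == 0) {
            if (hardened || anih_seen == 0) {
                if (copy_anih_checked(f, data, len) != 0) return -1;
            } else {
                copy_anih_unchecked(f, data, len);   /* the path left unfixed */
            }
            anih_seen++;
        }
        off += 8 + len + (len & 1);             /* RIFF chunks are 16-bit aligned */
    }
    return 0;
}

/* Append one chunk; returns bytes written including the pad byte. */
static size_t put_chunk(uint8_t *out, const char *id, const uint8_t *data, uint32_t len) {
    memcpy(out, id, 4);
    wr32(out + 4, len);
    memcpy(out + 8, data, len);
    size_t total = 8 + len;
    if (len & 1) out[total++] = 0;
    return total;
}

/* Constructed sample file: one well-formed anih chunk, optionally followed by
 * a second anih chunk of second_len (<= 64) bytes of 'A'. Needs out[] >= 160. */
static size_t build_sample(uint8_t *out, uint32_t second_len) {
    uint8_t anih[ANIH_SIZE] = {0};
    uint8_t filler[64];
    memset(filler, 'A', sizeof filler);
    anih[0] = ANIH_SIZE;                        /* cbSize field of a real header */
    size_t off = 12;
    off += put_chunk(out + off, "anih", anih, ANIH_SIZE);
    if (second_len) off += put_chunk(out + off, "anih", filler, second_len);
    memcpy(out, "RIFF", 4);
    wr32(out + 4, (uint32_t)(off - 8));
    memcpy(out + 8, "ACON", 4);
    return off;
}

struct demo_result { int rc; uint32_t saved_ret; };

/* Parse the constructed sample in the chosen mode and report the outcome. */
struct demo_result run_demo(int hardened, uint32_t second_anih_len) {
    uint8_t file[160];
    size_t n = build_sample(file, second_anih_len > 64 ? 64 : second_anih_len);
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = RET_MARKER;
    struct demo_result r;
    r.rc = parse_ani(file, n, hardened, &f);
    r.saved_ret = f.saved_ret;
    return r;
}

int main(void) {
    struct demo_result a = run_demo(0, 64), b = run_demo(1, 64);
    printf("MS05-002 state: rc=%d saved_ret=0x%08x\n", a.rc, a.saved_ret);
    printf("bounded copy:   rc=%d saved_ret=0x%08x\n", b.rc, b.saved_ret);
    return 0;
}
```

The point the message makes is visible in `parse_ani`: a file with a single, well-formed 36-byte anih chunk passes both modes, and a second chunk of legal size is harmless even on the unchecked path, but a second chunk whose declared length exceeds 36 bytes overwrites `saved_ret` in the MS05-002-style mode while the bounded mode rejects the file outright. The fix is a length check at every copy site, not a check in front of one of them.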

Copyright © Lexa Software, 1996-2009.