Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: More information on ZERT patch for ANI 0day



> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf 
> Of Gadi Evron
> Sent: Monday, April 02, 2007 6:20 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] More information on ZERT patch for ANI 0day
> 
> Hi, more information about the patch released April 1st can 
> be found here:
> 
> http://zert.isotf.org/
> 
> Including:
> 1. Technical information.
> 2. Why this patch was released when eeye already released a 
> third party
> patch.
> 
> The newly discovered zero-day vulnerability in the parsing of animated
> cursors is very similar to the one previously discovered by 
> eEye that was
> patched by Microsoft in MS05-002. Basically an "anih" chunk 
> in an animated
> cursor RIFF file is read into a stack buffer of a fixed size (36
> bytes) but the actual memory copy operation uses the length 
> field provided
> inside the "anih" chunk.giving an attacker an easy route to 
> overflow the
> stack and gain control of the execution of the process.
> 
> With the MS05-002 patch, Microsoft added a check for the length of the
> chunk before copying it to the buffer. However, they 
> neglected to audit
> the rest of the code for any other instances of the vulnerable copy
> routine. As it turns out, if there are two "anih" chunks in 
> the file, the
> second chunk will be handled by a separate piece of code 
> which Microsoft
> did not fix. This is what the authors of the zero-day discovered.
> 
> Although eEye has released a third-party patch that will prevent the
> latest exploit from working, it doesn't fix the flawed copy 
> routine. It
> simply requires that any cursors loaded must reside within the Windows
> directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should
> successfully mitigate most "drive-by's," but might be bypassed by an
> attacker with access to this directory.
> 
> For this reason, ZERT is releasing a patch which addresses 
> the core of the
> vulnerability, by ensuring that no more than 36 bytes of an 
> "anih" chunk
> will be copied to the stack buffer, thus eliminating all 
> potential exploit
> paths while maintaining compatibility with well-formatted 
> animated cursor
> files. 
> 
>       Gadi.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 



 




Copyright © Lexa Software, 1996-2009.