To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

great job!
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 1 Apr 2007 21:33:39 -0500 (CDT)
> From: Gadi Evron <[EMAIL PROTECTED]>
> Subject: [botnets] More information on ZERT patch for ANI 0day
> To: botnets@whitestar.linuxbox.org
> Cc: funsec@linuxbox.org
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Hi, more information about the patch released April 1st can be found here:
>
> http://zert.isotf.org/
>
> Including:
> 1. Technical information.
> 2. Why this patch was released when eEye already released a third party
> patch.
>
> The newly discovered zero-day vulnerability in the parsing of animated
> cursors is very similar to the one previously discovered by eEye that was
> patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated
> cursor RIFF file is read into a stack buffer of a fixed size (36
> bytes) but the actual memory copy operation uses the length field provided
> inside the "anih" chunk, giving an attacker an easy route to overflow the
> stack and gain control of the execution of the process.
>
> With the MS05-002 patch, Microsoft added a check for the length of the
> chunk before copying it to the buffer. However, they neglected to audit
> the rest of the code for any other instances of the vulnerable copy
> routine. As it turns out, if there are two "anih" chunks in the file, the
> second chunk will be handled by a separate piece of code which Microsoft
> did not fix. This is what the authors of the zero-day discovered.
>
> Although eEye has released a third-party patch that will prevent the
> latest exploit from working, it doesn't fix the flawed copy routine. It
> simply requires that any cursors loaded must reside within the Windows
> directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should
> successfully mitigate most "drive-by's," but might be bypassed by an
> attacker with access to this directory.
>
> For this reason, ZERT is releasing a patch which addresses the core of the
> vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk
> will be copied to the stack buffer, thus eliminating all potential exploit
> paths while maintaining compatibility with well-formatted animated cursor
> files.
>
> Gadi.
>
> ------------------------------
>
> _______________________________________________
> botnets mailing list
> botnets@whitestar.linuxbox.org
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
>
> End of botnets Digest, Vol 14, Issue 1
> **************************************

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
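The quoted message describes two file-level conditions a defender can check for without touching the vulnerable parser at all: an "anih" chunk whose declared length is not the 36 bytes of the fixed header structure, and a file carrying a second "anih" chunk, which is the path the original patch missed. The scanner below is an added example written for this reply, not code from ZERT, eEye or the original post. It walks the RIFF chunk tree of an animated cursor (including LIST containers), flags oversized or repeated "anih" chunks and lengths that run past the end of the file, and is exercised on two constructed byte strings, not real cursor files. The function and constant names are this example's own.

```python
"""Scan a Windows animated-cursor (.ani) file for "anih" chunks whose
declared size does not match the fixed 36-byte header structure, or
that appear more than once, the two conditions described in the
quoted message.  Added example; not the project's or the author's code."""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian uint32 fields


def walk_chunks(data, start, end, depth=0):
    """Yield (chunk_id, declared_size, bytes_available, depth) for every
    chunk between start and end, descending into LIST containers."""
    pos = start
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        available = end - body
        yield cid, size, available, depth
        if size > available:
            # Declared length runs past the enclosing chunk; stop here
            # rather than follow it out of bounds.
            return
        if cid == b"LIST" and size >= 4:
            # A LIST body starts with a 4-byte list type, then sub-chunks.
            yield from walk_chunks(data, body + 4, body + size, depth + 1)
        pos = body + size + (size & 1)  # RIFF chunks are word-aligned


def scan_ani(data):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), 8 + riff_size)
    anih_count = 0
    for cid, size, available, _depth in walk_chunks(data, 12, end):
        if size > available:
            findings.append(f"{cid!r} declares {size} bytes but only {available} remain")
        if cid == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f"anih #{anih_count} declares {size} bytes, expected {ANIH_SIZE}")
    if anih_count == 0:
        findings.append("no anih chunk present")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks present, expected exactly one")
    return findings


def _chunk(cid, payload):
    """Build one RIFF chunk with word-alignment padding (sample builder)."""
    pad = b"\x00" if len(payload) & 1 else b""
    return cid + struct.pack("<I", len(payload)) + payload + pad


def _riff(*chunks):
    """Wrap chunks in a RIFF/ACON container (sample builder)."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples, not real cursor files: one well-formed header with a
# single 36-byte anih, and one that repeats anih with a 64-byte zero payload.
GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD_ANI = _riff(_chunk(b"anih", GOOD_ANIH))
BAD_ANI = _riff(_chunk(b"anih", GOOD_ANIH), _chunk(b"anih", b"\x00" * 64))


if __name__ == "__main__":
    for name, blob in (("good", GOOD_ANI), ("bad", BAD_ANI)):
        print(name, scan_ani(blob) or "clean")
```

The walker deliberately stops at the first chunk whose declared length exceeds the bytes that remain, which is the same class of inconsistency the copy routine in the message trusted; a file that trips either check is not necessarily malicious, but it is not a well-formed cursor and is worth quarantining at a mail or web gateway until the host parser is patched.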