Re: [Full-disclosure] Microsoft Windows Help program (WinHlp32.exe) memory corruption
> I was looking and it appears that this bug was fixed a long time ago at MS.

No, the bugs remain.

> However... also Windows Help (.hlp) files do not appear to be automatically opened in Windows Vista and later.

That's the point - .hlp is such an unsafe file format that winhlp32.exe was *removed* from Vista.
___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Paint 5.1 memory corruption
> Antony, if you want to do my homework I suggest you find the offset that causes the crash, change some bytes and play with it; come back when there is no second chance, the instruction is not valid and it references invalid data.

Irrespective of the cause of the invalid access, the exception is *handled* by Paint. There is no crash.
Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption
>> How can I make sure a crash is not exploitable?
> The short answer is simple: assume every crash is exploitable and just fix it.

No, it costs a lot of time and money to fix even one issue. We don't want to waste it on something that isn't exploitable.
Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption
>> No, it costs a lot of time and money to fix even one issue. We don't want to waste it on something that isn't exploitable.
> There are at least four problems with this argument. First, the argument basically says defective software is OK.

You've interpreted "don't want to waste it" as "won't fix it", extended it to suggest that it's an acceptable response, and then proceeded to attack that conclusion. Do you call the fire brigade if you see the smoke from a candle? No, but you might get someone in eventually to clean the soot from the ceiling.
Re: [Full-disclosure] Microsoft Office Publisher 2010 memory corruption
> I have discovered many crashes during testing of MS products which I can discuss with the responsible authority. Memory corruption during the handling of .pub files; a context-dependent attacker can execute arbitrary code.
>
> ecx=0004 ... esi= ...
> MSVCR90!memmove+0x140:
> 7855b450 8b448ef0        mov     eax,dword ptr [esi+ecx*4-10h] ds:0023:=

This is a null pointer access. You have not demonstrated any control over the value in esi, so it is highly unlikely that it can be used for exploitation. We will investigate it, of course.
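The reasoning in the reply above (null-page read, no demonstrated control over esi, therefore a weak exploitation candidate) and the "is this crash exploitable?" exchange in the Excel thread earlier on this page can be turned into a first-pass triage script. The following is an added example written for this page, not Microsoft's or the reporter's tooling; the register values are constructed because the quoted crash elides them, and the "controlled" register list is an input the analyst has to justify from fuzzing or taint tracking, not something the script infers.

```python
"""First-pass triage of a WinDbg-style faulting instruction.

Added example for the triage discussion in this thread; it is nobody's
production tooling.  It evaluates the effective address of the memory operand
from a register dump and applies the heuristics the replies use: a null-page
read with no demonstrated control over the registers involved is a weak
exploitation candidate, a write through an attacker-controlled register is a
strong one.  The register values below are constructed (the quoted crash
elides them); which registers count as "controlled" is the analyst's input."""
import re


def parse_registers(dump):
    """Parse 'eax=00000000 ebx=...' text into {register: int}."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b(e[a-z]{2})=([0-9a-fA-F]{8})", dump)}


def _imm(tok):
    """WinDbg immediates: trailing 'h' means hexadecimal, otherwise decimal."""
    tok = tok.lower()
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok, 10)


def effective_address(operand, regs):
    """Evaluate a bracketed operand such as [esi+ecx*4-10h]; return (address, registers used)."""
    m = re.search(r"\[([^\]]+)\]", operand)
    if not m:
        raise ValueError("no memory operand in %r" % operand)
    addr, used = 0, []
    for sign, term in re.findall(r"([+-]?)([^+-]+)", m.group(1).replace(" ", "")):
        if "*" in term:                      # scaled index register
            reg, scale = term.split("*")
            val = regs[reg] * int(scale)
            used.append(reg)
        elif term in regs:                   # base register
            val = regs[term]
            used.append(term)
        else:                                # displacement
            val = _imm(term)
        addr += -val if sign == "-" else val
    return addr & 0xFFFFFFFF, used


def triage(instruction, regs, controlled=()):
    """Rate a mov-style fault; 'controlled' lists registers shown to be attacker-influenced."""
    _, operands = instruction.split(None, 1)
    dst, src = [o.strip() for o in operands.split(",", 1)]
    is_write = "[" in dst                    # memory operand on the destination side
    addr, used = effective_address(dst if is_write else src, regs)
    controlled_used = [r for r in used if r in controlled]
    if is_write and controlled_used:
        rating = "high"       # write through a controlled address
    elif controlled_used:
        rating = "medium"     # controlled read: possibly steerable
    elif addr < 0x10000:
        rating = "low"        # plain null-page access, no control shown
    else:
        rating = "unknown"    # needs heap/taint analysis
    return {"address": addr, "write": is_write, "registers": used,
            "controlled": controlled_used, "rating": rating}


# Constructed register state consistent with the quoted crash (ecx=4; esi assumed to be 0).
SAMPLE_REGS = parse_registers(
    "eax=00000000 ebx=00000000 ecx=00000004 edx=00000000 esi=00000000 edi=00000000")
SAMPLE_INSN = "mov eax,dword ptr [esi+ecx*4-10h]"

if __name__ == "__main__":
    print(triage(SAMPLE_INSN, SAMPLE_REGS))
    print(triage(SAMPLE_INSN, SAMPLE_REGS, controlled=("esi",)))
```

With esi assumed zero the operand evaluates to address 0 and the rating is "low"; the same instruction is rated "medium" as soon as the analyst can show esi is attacker-influenced, and a write through a controlled register is rated "high". The rating is only a starting point for the investigation the reply promises, not a substitute for it.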
Re: [Full-disclosure] Online Base64 Decoder Encoder with ASCII/Hex Output
> Here is one of our new online tools, Base64 Decoder Encoder. Apart from an attractive, easy to use interface, it shows output in both ASCII and HEX format.

Which model do you use? Standard? PHP? IE/Outlook? OMG, they can all decode the crafted input differently! sigh.
Re: [Full-disclosure] Online Base64 Decoder Encoder with ASCII/Hex Output
> Here is one of our new online tools, Base64 Decoder Encoder. Apart from an attractive, easy to use interface, it shows output in both ASCII and HEX format.

Which model do you emulate? The standard one? The PHP one? The IE/Outlook one? OMG, they can all decode differently!
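The point made in the two replies above is that "base64" is not one decoder but several, and a crafted input can decode to different bytes depending on which model the consumer implements, which is exactly what an attacker uses to slip data past a filter that decodes it one way into a product that decodes it another. The following is an added example written for this page, not the online tool's code. The "strict" model follows RFC 4648, "skip_invalid" is modelled on the widely reported non-strict behaviour of PHP's base64_decode() (characters outside the alphabet are discarded), and "stop_at_invalid" is an assumed third model that stops at the first character it does not understand; none of the three is claimed to be a byte-exact copy of any particular product.

```python
"""Three base64 decoding models applied to one crafted input.

Added example for this thread, not the code of the online tool discussed.
"strict" follows RFC 4648 (reject anything outside the alphabet);
"skip_invalid" mimics the commonly reported non-strict behaviour of PHP's
base64_decode() (drop characters outside the alphabet); "stop_at_invalid" is an
assumed third model that stops at the first byte it does not understand.  None
of these is claimed to be a byte-exact reproduction of a particular product."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
VALUE = {c: i for i, c in enumerate(ALPHABET)}


def _sextets_to_bytes(sextets):
    """Pack 6-bit values into bytes; trailing bits that do not fill a byte are dropped."""
    bits, nbits, out = 0, 0, bytearray()
    for v in sextets:
        bits = (bits << 6) | v
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def decode_strict(s):
    """RFC 4648 model: alphabet characters plus at most two trailing '=' only."""
    body = s.rstrip("=")
    if any(c not in VALUE for c in body):
        raise ValueError("invalid base64 character")
    if len(s) % 4 != 0 or len(s) - len(body) > 2:
        raise ValueError("bad length or padding")
    return _sextets_to_bytes(VALUE[c] for c in body)


def decode_skip_invalid(s):
    """Non-strict model: anything outside the alphabet (including '=') is ignored."""
    return _sextets_to_bytes(VALUE[c] for c in s if c in VALUE)


def decode_stop_at_invalid(s):
    """Assumed model: decode until the first padding or non-alphabet character."""
    sextets = []
    for c in s:
        if c not in VALUE:
            break          # '=' or garbage terminates the decode
        sextets.append(VALUE[c])
    return _sextets_to_bytes(sextets)


MODELS = {
    "strict": decode_strict,
    "skip_invalid": decode_skip_invalid,
    "stop_at_invalid": decode_stop_at_invalid,
}


def decode_all(s):
    """Run every model on the same input; errors are recorded as strings."""
    results = {}
    for name, fn in MODELS.items():
        try:
            results[name] = fn(s)
        except ValueError as e:
            results[name] = "ERROR: %s" % e
    return results


def disagreement(s):
    """Number of distinct outcomes across the models; more than one means a filter and a consumer can differ."""
    return len(set(map(repr, decode_all(s).values())))


# Constructed input: "ABC" with an injected '!' and a second "ABC" after a stray '='.
CRAFTED = "QU!JD=QUJD"

if __name__ == "__main__":
    for name, result in decode_all(CRAFTED).items():
        print("%-16s %r" % (name, result))
```

On the crafted string the strict model rejects the input, the skip model yields b"ABCABC" and the stop model yields b"A": three consumers, three answers. A filter that decodes with one model and scans the result says nothing about what a consumer using another model will see, which is why a decoder used for security inspection has to emulate the target's model rather than "the standard".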
Re: [Full-disclosure] WinXP IE .HLP file 0day
> Rather funny than scary: http://isec.pl/vulnerabilities10.html

There are loads of known vulns in winhlp32.exe, particularly in the decompression routines. That's why it was removed from Vista, and why .hlp files are considered to be dangerous file formats.
Re: [Full-disclosure] windows future
> I'm saying that the world's malware authors, in their race to stay ahead of AV, are engaging in an uncoordinated, slow-motion DDoS of the world's AV systems. They are flooding the blacklists, and this flooding is accelerating. If it continues, the world's AV systems will be useless, as will be the machines they are protecting.

You are extrapolating, based on an incorrect assumption - that blacklists will exist forever. When the number of bad files exceeds the number of good files, then whitelists will reign instead.
Re: [Full-disclosure] Virtual Machine Trojans: a new type of threat?
> When a user downloads a virtual machine from the Internet, and then runs it on his/her computer, the antivirus installed on the host machine simply does not have access to the virtual machine, so the virtual machine does not get scanned.

That is simply not true. AVs can see inside VM images, and scan the files. The user can also install the AV inside the VM, which will also see the files.
Re: [Full-disclosure] YES!!!
> I finally made it to the penultimate level of "Important enough to be spoofed".

So what's the level above that?
Re: [Full-disclosure] [Wired Security/EOF] Disable Windows Defender (Vista) PoC code
> My friend Izee from the EOF-Project(.net) team has coded a simple PoC that demonstrates how to disable Windows Defender on Vista (tested with and without SPs on x86/x64) using its own API made for it.

Does he realise that he must be Admin first? Then he can just disable the service, or delete the files, or whatever. Using the API doesn't gain much here.
Re: [Full-disclosure] # a new bug in Olly
> I've found a bug in Olly leading to crashes of SEH/VEH-based programs during tracing. (An example pack can be found at my web site http://nezumi.org.ru/olly-bug-776.zip; it includes two SEH/VEH programs and requires XP or later to run VEH, while SEH works everywhere.)

This was posted to OpenRCE already by a different person, and as I wrote there, it's not so much a bug in Olly as a side-effect which produces a known Windows behaviour. Causing an exception while the T flag is set will trigger a secondary exception inside KiUserExceptionDispatcher, resulting in the single_step exception being delivered first (except in VirtualPC, at least).
Re: [Full-disclosure] Microsoft Jet Engine MDB File Parsing StackOverflow Vulnerability
It would be useful to know if this is also an issue with msjet40.dll 4.0.9510.0 (Windows Server 2003 SP2 + hotfixes).
Re: [Full-disclosure] Microsoft Jet Engine MDB File Parsing StackOverflow Vulnerability
> It would be useful to know if this is also an issue with msjet40.dll 4.0.9510.0 (Windows Server 2003 SP2 + hotfixes).

In any case, Microsoft will still say that it won't be fixed. Their policy is apparently to just blacklist some file types and provide no fixes for them. HLP, for example, has several arbitrary code execution vulns because of a bug in both decompression methods. I reported them in April. No planned fix for those either.
Re: [Full-disclosure] Rutkowska faces '100% undetectable malware' challenge, teasing?
The problem is that she wants the money upfront, in order to develop the 100% undetectable thing that she doesn't have right now. So that's a problem.

From: [EMAIL PROTECTED] on behalf of Trey Keifer
Sent: Sat 6/30/2007 1:39 PM
To: Bipin Gautam
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Rutkowska faces '100% undetectable malware' challenge, teasing?

> Joanna has stated her technical requirements for the challenge and Thom and group have accepted them, so why not turn this into what it really is... a bet. The losing team agrees to pay the other $350,000 - if both groups are really so confident there shouldn't be any issue.
>
> On 6/30/07, Bipin Gautam [EMAIL PROTECTED] wrote:
>> hi guys,
>> ref: http://blogs.zdnet.com/security/?p=334
>> so are they teasing by making her the impossible challenge at this date? :)
>> honeypot developers have been trying to battle the same issue of making the virtual machine emulate a guest OS like it is run on real hardware for some years now.
>> ref: http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
>> But if Rutkowska or anyone is able to succeed in making it undetectable on current hardware, that would be genius!
>> -bipin
Re: [Full-disclosure] Intel Core 2 CPUs are buggy. Patch your cpus :D
> - Basically the MMU simply does not operate as specified/implemented in previous generations of x86 hardware. It is not just buggy, but Intel has gone further and defined new ways to handle page tables (see page 58).

I'm not sure about this - I understood it to mean that if you touch a table, you have to invalidate the TLB that corresponds to its linear address. This was always how Intel CPUs behaved, even the old ones. What changed?

> - Some of these bugs are along the lines of buffer overflow; where a write-protect or non-execute bit for a page table entry is ignored.

Same thing here - altering tables without flushing the TLBs will result in cached data being used instead. Intel is documenting it very well now, but it's not new behaviour.

> Others are floating point instruction non-coherencies, or memory corruptions -- outside of the range of permitted writing for the process -- running common instruction sequences.

The FPU memory corruption is old behaviour, too. Certainly, there are some scary things in the list, but many of them are behaviours that are being documented for the first time, yet they have existed in CPUs since even the 486, for example.
Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
> That's correct, Firefox doesn't support ANI files for cursors.

Right, and it doesn't need to, because cursors are not the only way to reach the vulnerable code. Icons can do it, too.
Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?
> I have to agree with a previous poster and suspect (only suspect) it could somehow be a backdoor rather than a bug.

Reminds me of the WMF SetAbortProc() backdoor accusation. :-) It was just bad design.
Re: [Full-disclosure] [Code-Crunchers] windows vulnerability? [was: Re: 137 bytes]
> Using the PE as a vector to attack the PE loader with (potential!) code execution for privilege escalation. Using the PE itself as a vector of attack.

I made a malformed PE file that caused a BSOD in all Windows versions, including XP SP1. 99 bytes. :-) I don't know if it was exploitable, and Microsoft said it's not a vulnerability, but then they silently fixed it.
Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow
>> file:// ?
> OK, I'll bite. Why are file:// URLs relevant to the discussion?

It allows arbitrary data to be passed to CMD.EXE, without first owning the system.
Re: [Full-disclosure] [funsec] tiny PE now at... 304 bytes. Is this the end?
>> Bah. Pikers. This guy got a Linux executable down to smaller than the ELF header. 45 bytes. http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
> Yeahbut, that's equivalent to 450 bytes on Windows, isn't it? :-)

No, it's equivalent to 144 bytes for NT and later, and 132 bytes for XP and later.
Re: [Full-disclosure] Genetic method to detect the presence of any virtual machine
> Microsoft Virtual Machine VMWARE information disclosure Vulnerability

This is not a vulnerability. Microsoft even documents the motherboard method themselves.
Re: [Full-disclosure] speaking of code crunching... (challenge)
I have 330 bytes, but without encryption. I could thank the virus writer whose file header I used, but I won't.
RE: [Full-disclosure] Steve Gibson smokes crack?
>> The file must not begin with the placeable (aka Aldus) metafile header. If it does begin with that, then the function is ignored, and Windows continues to parse the file. This is why Windows 9x, NT, and 2000 do not execute anything from within Internet Explorer, for example - they do not support WMF files without the Aldus header.
> Ahh, perfect! Thanks Peter, that clears up a lot for me. In fact, does this also infer that all you need is a crapped-up pluggable viewer for IE on Windows 9x, etc. to exploit this flaw on one of those OSs?

Yes, that's all you need. The functionality is all there, there's just no default method to trigger it.

> Does this further indicate that Office 98 and other M$ Office versions that run on the earlier OSs and support the WMF mapping are 'vulnerable' to exploitation - still?

That one remains unclear, since it depends on how the device context is created for displaying the file. Office might treat embedded WMF files as though they are placeable, in which case it's not vulnerable. I haven't had time yet to investigate.

8^) p.
RE: [Full-disclosure] Re: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability
>> There is no need for malformed input, though. The description isn't great, since upon return from the function, Windows will resume parsing the records in the usual way.
> IDK, but from reading the transcript there is malformed input in the form of an invalid record length that Gibson refers to. Did you test the older metafile processing routines of the GDI, Peter?

Yes, I looked at Windows 3.1 (yes, really), 98, NT4, 2000, and XP. The code is effectively identical in all of those cases.

> It would be interesting to know whether the execution of a new thread is triggered by the same circumstances in all versions of Windows.

What's more interesting is Steve's claim of a thread being created. No thread is created. The callback is part of the existing code path; it is called periodically while parsing the file. Perhaps he meant that the thread is created in order to parse the WMF file (which is true).

> I also don't know about the assertion of older versions of the GDI being vulnerable, but I *do* expect there may be merit in pursuing that.

See above - they're all the same. The difference is only the registered handler or lack thereof.

> I think Gibson, if what he says is true, makes an interesting argument concerning the invalid length == 1 issue.

It would be interesting if it were true, but it's not, so it's not.

> Still, it is hard for me to conceive of this as being anything more than a design flaw that, as someone said before, resulted from 'ease of use / feature creep' -- perhaps it was even a requested feature by some third-party vendor, who knows?

Like the all-powerful CreateObject() scripting function.

8^) p.
RE: [Full-disclosure] Re: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability
>> It's insecure-by-design, but it's working exactly as written. It's been in there for _15_ years, and ported to every version of Windows. Windows 3.0 supports it. :-/
> I'm still having a bit of trouble following Gibson's explanation of how the WMF flaw works, but it's my impression he says it does *not* operate according to spec. And yet Wine is vulnerable. Am I wrong?

Steve is wrong. Wine was (I believe that a patch was released) vulnerable because the function was documented exactly as it behaves, and they coded to that.

8^) p.
RE: [Full-disclosure] Re: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerability
> Todd Towles: Can anyone else verify Steve Gibson's assertion that this flaw was intentionally placed by Microsoft programmers?

It's insecure-by-design, but it's working exactly as written. It's been in there for _15_ years, and ported to every version of Windows. Windows 3.0 supports it. :-/

> bkfsec: The way I read what he's saying there, he's saying that you enter malformed input and that malformed input pushes the executable code into position to be executed...

There is no need for malformed input, though. The description isn't great, since upon return from the function, Windows will resume parsing the records in the usual way.

8^) p.
RE: [Full-disclosure] WMF Risk Analysis for Win9X anyone ?
> Did anyone conduct a comprehensive risk analysis of the WMF vulnerability for Win9X/ME systems? ISC analysis is very ambiguous, and MS position on the issue is more on the lines of "we don't want to be bothered". What ARE the real risks (or lack of them) for Win9X/ME systems?

The same as for Windows NT and 2000 - files without the placeable header will not display automatically in applications such as Internet Explorer, and files with the placeable header are not allowed to call the vulnerable function. However, applications other than Internet Explorer, which do recognise files without the placeable header, can call directly into the GDI!PlayMetaFile() function, which will eventually call into the vulnerable function.

8^) p.
RE: [Full-disclosure] WMF round-up, updates and de-mystification
> In this URL you can find the best write-up I have seen on the WMF issue: http://blogs.securiteam.com/index.php/archives/167 By Matthew Murphy at the Securiteam Blogs.

And yet, he calls it a bug, which it isn't. It's actually a feature, it has legitimate purposes, and has been present in Windows for 15 years, and people are noticing only now just what you can do with it. While I'm not defending Microsoft here, since I think that it was a poor design in the first place, let's at least get that part right.
RE: Re[2]: [Full-disclosure] test this
> TrendMicro has released pattern file 3.135.00. It appears to pick up all the trojans using the WMF exploit as of right now. Variants could affect this, however.

If they're blindly detecting anything that contains the SetAbortProc, then they're detecting the legitimate use of a documented function.

> Is this buffer overflow pretty specific like the older GIF exploit? If I remember correctly, there were really only two ways to make the GIF exploit work, so the detection was pretty solid. Is this exploit similar? Or does it have some trick point that could be used to fool known sigs?

Perhaps you should read about it on Microsoft's site. It's not a buffer overflow. WMF files since at least Windows 3.0 days have been allowed to carry executable code in the form of their own SetAbortProc handler. This is perfectly legitimate, though the design is a poor one. The only thing that has changed is the code that is being executed.

8^) p.
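The WMF replies on this page (the one just above on blind SetAbortProc detection, the Win9X risk analysis, and the earlier exchange about the placeable header) all turn on the same two facts: the file is a sequence of records, and a META_ESCAPE record whose escape function is SETABORTPROC only reaches the callback when the placeable (Aldus) header is absent. The following is an added example written for this page, not Microsoft's GDI code and not any AV vendor's signature. It walks the records, reports SETABORTPROC escapes, and applies the placeable-header rule stated in the replies. Format constants come from the WMF specification and wingdi.h (placeable key 0x9AC6CDD7, record sizes in 16-bit words, META_ESCAPE = 0x0626, META_EOF = 0x0000, SETABORTPROC escape = 9); the sample files are constructed in code, and the placeable checksum is deliberately not verified.

```python
"""Walk the records of a WMF file and report SETABORTPROC escapes.

Added example for this thread; it is not Microsoft's GDI code and not any
AV engine's signature.  Format constants are from the WMF specification and
wingdi.h: placeable (Aldus) header key 0x9AC6CDD7, record sizes counted in
16-bit words, META_ESCAPE = 0x0626, META_EOF = 0x0000, escape SETABORTPROC = 9.
The sample files below are constructed in code.  The placeable checksum is not
verified; a real consumer would."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 9


def parse_wmf(data):
    """Return {'placeable': bool, 'records': [(function, offset)], 'setabortproc': [...]}."""
    off, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off = True, 22                 # skip the 22-byte placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _type, hdr_size, _ver, _lo, _hi, _nobj, _maxrec, _nmem = \
        struct.unpack_from("<HHHHHHIH", data, off)
    if hdr_size != 9:
        raise ValueError("unexpected header size %d" % hdr_size)
    off += 18
    records, abort_procs = [], []
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)
        rec_bytes = rec_words * 2
        if rec_words < 3 or off + rec_bytes > len(data):
            records.append(("TRUNCATED", off))  # bad size: stop rather than read past the buffer
            break
        params = data[off + 6: off + rec_bytes]
        records.append((func, off))
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                abort_procs.append({"offset": off, "byte_count": byte_count,
                                    "data": params[4:4 + byte_count]})
        off += rec_bytes
        if func == META_EOF:
            break
    return {"placeable": placeable, "records": records, "setabortproc": abort_procs}


def classify(data):
    """Apply the rule from the thread: the escape only reaches the callback without the placeable header."""
    info = parse_wmf(data)
    if not info["setabortproc"]:
        return "no SETABORTPROC escape"
    if info["placeable"]:
        return "SETABORTPROC present but placeable header ignores it"
    return "SETABORTPROC reachable: %d escape record(s)" % len(info["setabortproc"])


def build_record(func, params=b""):
    """Encode one record: size in words (including these 6 bytes), function, word-padded params."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    """Assemble a disk metafile (type 2, header size 9) from encoded records."""
    body = b"".join(records)
    total_words = (18 + len(body)) // 2
    max_words = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_words, 0)
    out = header + body
    if placeable:  # key, handle, bbox (l,t,r,b), inch, reserved, checksum (not computed)
        out = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + out
    return out


# Constructed samples: a benign file, the same with a SETABORTPROC escape, and that with an Aldus header.
BENIGN = build_wmf([build_record(0x0201, struct.pack("<HH", 1, 0)), build_record(META_EOF)])
ABORT_ESCAPE = build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\xCC" * 4)
SUSPECT = build_wmf([ABORT_ESCAPE, build_record(META_EOF)])
SUSPECT_PLACEABLE = build_wmf([ABORT_ESCAPE, build_record(META_EOF)], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT), ("suspect+placeable", SUSPECT_PLACEABLE)):
        print("%-18s %s" % (name, classify(blob)))
```

Two caveats follow directly from the replies. First, a SETABORTPROC escape is a documented, legitimate record, so flagging its mere presence (as the pattern file discussed above may do) will also flag well-formed files; the escape data and what follows it are what distinguish an exploit. Second, the placeable-header rule describes Internet Explorer's default path; an application that calls GDI!PlayMetaFile() itself on a non-placeable file, as the Win9X reply points out, still reaches the callback, so "placeable header present" is only a safe verdict for the default viewer path.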
Re: [Full-disclosure] Window's O/S
> In C:\windows\ the file nnotepad.exe remained as I had changed it and a brand new (from the same date as the renamed exe) notepad.exe appeared, and the same under c:\windows\system32 and c:\windows\dllcache as well. ... So my question next is: if I have renamed the whole lot that I could find, where did this replacement notepad.exe come from? And I can't really answer.

The dllcache version existed already. It's a local backup of files deemed important to system functionality. WFP noticed as soon as the original c:\windows\system32\notepad.exe was renamed, and restored it from the dllcache directory before you renamed that copy, too. Rename the dllcache copy first, then rename the system32 copy, and you'll see that the file does not reappear (unless you have the Windows CD in your drive at the time, in which case Windows will fetch it from there).

8^) p.
Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
> I think I have found by chance this weekend a security bug, while browsing the website news, within iexplorer on all Windows versions. I haven't enough knowledge of (and don't want to get into) web browser security to conduct a full investigation, at least.

It's a null pointer access, but it's not clear to me, yet, why it occurs.
Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
> I think I have found by chance this weekend a security bug, while browsing the website news, within iexplorer on all Windows versions. I haven't enough knowledge of (and don't want to get into) web browser security to conduct a full investigation, at least.

Just the .supp IMG is enough to trigger it. It looks like a property list with one entry too many.
Re: [Full-disclosure] No one else seeing the new MS05-039 worm yet?
> ... Lastly they don't point out that worm propagation based on the PnP vulnerability only occurs on the Win2K boxes. Win2K3 and WinXP require some user/machine action to exploit the vulnerability, and the malware can't infect those boxes independently.

It's not quite like that. XP pre-SP2 is vulnerable to attack. They will most likely crash because of a wrong address, but they can be reached.
Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection
>> Recently I discovered a method to defeat the much hyped Citi-Bank Virtual Keyboard Protection which the bank claimed defends the customers against malicious programs like keyloggers, Trojans and spyware etc.
> Wouldn't that be trivial to snoop on simply by making a trojan / spyware application that records a section of screen in the immediate proximity of the mouse cursor on every mouse click? It's not that resource consuming, and easy to arrange.

Something similar was done by variants of the W32/Dumaru family last year. That was an attack against the e-Gold keypad. You can read about it here: http://pferrie.tripod.com/vb/dumaru.pdf