Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread Pukhraj Singh 
Holy mackerel! Instances of this bug date back to 1999!

http://groups.google.ca/group/microsoft.public.win32.programmer.kernel/browse_thread/thread/c5946bf40f227058/7bd7b5d66a4e5aff

--Pukhraj

On 12/21/06, Alexander Sotirov [EMAIL PROTECTED] wrote:
 3APA3A wrote:
  Killer{R}  assumes  the problem is in strcpy(), because it should not be
  used for overlapping buffers, but at least ANSI implementation of strcpy
  from  Visual  C  should be safe in this very situation (copying to lower
  addresses).  May be code is different for Windows XP or vulnerability is
  later in code.

 We discovered this bug some time ago and were preparing an advisory when it 
 was
 publicly disclosed. Since the exploit is already public, here's my analysis of
 the vulnerability:

 http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

 It's a double free bug that leads to arbitrary code execution in the CSRSS 
 process.

 Alex

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures

2006-09-28 Thread Pukhraj Singh 
And you tell me how many of these variants you will actually find in
the wild. Won't be a significant number I bet.

Cheers!
Pukhraj

On 9/27/06, avivra [EMAIL PROTECTED] wrote:
 Hi,

  i.e. I can't afford to buy specialized security tools/devices for
  speclialized attacks unless my company relies heavily on web/content
  services.

 So, you will buy specialized security tools like firewall or
 Anti-Virus, but not web content filtering tool?

  In our company, we established a information-sharing
  network with other security companies. So the real-time exploit-facing
  signatures were then subjected to live traffic, honeypots and countless
  variants; They seemed to work out pretty well.

 I would like to see how your real-time signatures get updated with the
 randomization implemented in the new VML metasploit module. Your
 countless exploit variants will become really innumerable.

 The problem is that the signatures are written for the exploit, and
 not for the vulnerability.

 -- Aviv.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures

2006-09-26 Thread Pukhraj Singh 
Avivra,

I acknowledge the research you and Ertunga
(http://www.immunitysec.com/pipermail/dailydave/2006-September/003557.html)
have put up.

Protection against client-side scripting vulnerabilities is the
Achilles' Heel for all network-style IDS/IPS vendors. These languages
offer too much flexibility over the syntax and semantics, thus
becoming the pain-point for the underlying architecture for
network-style IDS/IPS which are better accustomed to analyze
structured data (like protocols and even file-formats). There's is
simply too much you can mutate here and you can't expect vendors to
develop on-the-fly javascript parsers! Thus the protection they
develop is simply a business objective, as they can loose a lot
mileage here if they don't cover vulnerabilities like this one. They
had the same stance for file-format vulnerabilities till they were
forced to add decoding routines for them by the sheer number of new
file-based vulnerabilities which were coming out. AV and local-style
protection is the best defense mechanism here (but even they failed in
this case!).

However, the other way out is to gather the maximum number of exploit
variants as you can (from mutual cooperation between security
companies) and provide real-time exploit-facing protection against
them. This is what they generally do and it provides almost 99%
protection (might surprise many) because most out-in-the-wild exploits
are derived from few sources only.

Thanks,
Pukhraj

On 9/26/06, avivra [EMAIL PROTECTED] wrote:
 The code for exploiting the unpatched VML vulnerability is in-the-wild
 for a week or so. This was enough time for Anti Virus, IPS/IDS and
 other reactive security products' vendors to create a signature for
 the in-the-wild exploit.
 So, I put my hand on one of the in-the-wild and tested it using Virus
 Total. The results were not so good. Only 10 of 27 Anti-Viruses
 detected the exploit on the malicious web page.
 Are those signatures generic enough? I've decided to check it out.

 I've used 5 simple methods, trying to evade being detected by the signature:
 1) I've replaced the location where EIP should jump when the exploit
 is activated, with a different valid address.
 2) I've replaced the VML element from rect with one of the other VML 
 elements.
 3) I've replaced the payload with a different valid shell code.
 4) I've replaced the namespace key with a random key.
 5) A combination of all of the above.

 Please note that when I changed the code using any of the methods, the
 exploit still worked.

 More info: 
 http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx

 -- Aviv.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/