Dailydave mailing list archives
Remotes and "remotes"
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 10 Apr 2007 15:15:53 -0400
Some notes on MS07-019 - we threw a quick and dirty PoC into Partners and Kostya and I have looked at it to see what's up. Three things combine to make it "unexploitable": DEP, SafeSEH, and character filtering.

DEP by default is on, since this is svchost.exe. According to Immunity Debugger, SafeSEH protects MOST DLLs in the process, so although you can find a few to jump to...DEP protects the stack/heap so jumping directly to shellcode is unadvised, and those DLLs are rarely in the process. Office11, for example, throws an unprotected DLL into the process, but the filtering prevents you from reaching it, let alone using it for anything useful. Filling up the heap MIGHT work, but then DEP screws you again, and the filter makes your life rather hard even without it.

SANS Diary has it split out into "Servers and Clients", but I notice that since they have no exploit information at all, they've listed the UPNP bug as Critical on both clients and servers. Of course, it only affects XP SP2. This isn't a server OS, so that doesn't make sense even if it was correct. We can't expect Swa ("the handler on duty" - a somewhat dirty title, no?) to do vulnerability research on each patch before posting the criticality of bugs, can we?

My point is this: Not all critical bugs are "Critical". You can save a lot of money for a big organization by knowing which bugs are exploitable, and which ones are not.

And kudos to eEye for the wacky bugs of the month. Those are neat.

-dave

[1]. Nothing is truly unexploitable, but let's say that any single exploit costing 150K and 4 months or more to develop into a 30% or less reliable exploit is "unexploitable". And that's where this one is, IMHO. Then again, I'm happy to be proved wrong.
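The per-module DEP and SafeSEH check the post credits to Immunity Debugger, as an added example that is not part of the original post or of Immunity's tooling: it reads NX_COMPAT from the PE32 optional header's DllCharacteristics and SEHandlerTable/SEHandlerCount from the load config directory, which is what the Windows loader consults before honouring an SEH handler. Field offsets follow winnt.h; the sample images are constructed by build_sample_pe32 (one hardened, one unprotected), so the script runs offline and can be pointed at real DLLs by reading the file into `data`.

```python
import struct

NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image opts in to DEP
LOAD_CONFIG_DIR = 10    # data-directory slot of IMAGE_LOAD_CONFIG_DIRECTORY (SafeSEH table)

def rva_to_offset(data, pe_off, rva):
    """Map an RVA to a raw file offset by walking the section table."""
    nsects = struct.unpack_from("<H", data, pe_off + 6)[0]
    sect = pe_off + 24 + struct.unpack_from("<H", data, pe_off + 20)[0]
    for i in range(nsects):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x not mapped by any section" % rva)

def audit_pe32(data):
    """Report DEP (NX_COMPAT) and SafeSEH status of a PE32 image as the loader judges it."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe_off + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled; SafeSEH is a 32-bit mechanism")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    lc_rva = struct.unpack_from("<I", data, opt + 96 + LOAD_CONFIG_DIR * 8)[0]
    safeseh = False
    if lc_rva:  # no load config directory at all means no SafeSEH
        lc = rva_to_offset(data, pe_off, lc_rva)
        if struct.unpack_from("<I", data, lc)[0] >= 72:  # Size must cover the SEH fields
            table, count = struct.unpack_from("<II", data, lc + 64)
            safeseh = table != 0 and count > 0
    return {"nx_compat": bool(dllchars & NX_COMPAT), "safeseh": safeseh}

def build_sample_pe32(dllchars, seh_count):
    """Constructed minimal PE32: one .rdata section, load config at RVA 0x1000 / file 0x200."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<H", hdr, opt + 70, dllchars)
    struct.pack_into("<II", hdr, opt + 96 + LOAD_CONFIG_DIR * 8, 0x1000, 72)
    sect = opt + 224
    hdr[sect:sect + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sect + 8, 0x100, 0x1000, 0x100, 0x200)
    lc = bytearray(0x100)
    struct.pack_into("<I", lc, 0, 72)                                         # load config Size
    struct.pack_into("<II", lc, 64, 0x1100 if seh_count else 0, seh_count)   # SEHandlerTable/Count
    return bytes(hdr + lc)
```

A module reporting `safeseh: False` is one whose handlers the loader will not validate, which is exactly the kind of DLL the post notes as the rare exception inside svchost.exe.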