Full Disclosure mailing list archives
RE: Re[2]: test this
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 29 Dec 2005 15:51:32 -0600
Yet in my defense, CERT calls it a "buffer overflow" ;)
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Peter Ferrie
Sent: Thursday, December 29, 2005 11:51 AM
To: full-disclosure () lists grok org uk
Subject: RE: Re[2]: [Full-disclosure] test this

> TrendMicro has released pattern file 3.135.00. It appears to pick up all the trojans using the WMF exploit as of right now. Variants could affect this however.

If they're blindly detecting anything that contains the SetAbortProc, then they're detecting the legitimate use of a documented function.

> Is this buffer overflow pretty specific like the older GIF exploit? If I remember correctly, there were really only two ways to make the GIF exploit work, so the detection was pretty solid. Is this exploit similar? Or does it have some trick point that could be used to fool known sigs?

Perhaps you should read about it on Microsoft's site. It's not a buffer overflow. WMF files since at least Windows 3.0 days have been allowed to carry executable code in the form of their own SetAbortProc handler. This is perfectly legitimate, though the design is a poor one. The only thing that has changed is the code that is being executed.

8^)
p.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
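Added example, not code from the thread or from any of its posters: a small Python scanner that walks the records of a WMF file and reports every META_ESCAPE record whose escape sub-function is SETABORTPROC, run over two constructed sample files. The record layout, the META_ESCAPE code 0x0626 and the SETABORTPROC escape number 9 are assumed from the public WMF format documentation; a hit means exactly what Peter Ferrie says, that the file registers an abort handler, which the format permits.

```python
import struct

META_EOF = 0x0000          # WMF record function codes (MS-WMF)
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009  # escape sub-function carried inside a META_ESCAPE record
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" prefix some WMF files carry

def _record(func, params):
    """Encode one WMF record: size in 16-bit words, function code, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _header(body, max_words):
    """Minimal standard metafile header (mtHeaderSize = 9 words) for the given records."""
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)

# Constructed samples, not real files: one carries a SETABORTPROC escape whose
# 16 "handler" bytes are inert zeros, the other is a plain benign metafile.
_ESC_BODY = _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 16) + b"\x00" * 16) + _record(META_EOF, b"")
SAMPLE_WITH_ABORTPROC = _header(_ESC_BODY, 13) + _ESC_BODY
_BENIGN_BODY = _record(META_SETMAPMODE, struct.pack("<H", 8)) + _record(META_EOF, b"")
SAMPLE_BENIGN = _header(_BENIGN_BODY, 4) + _BENIGN_BODY

def iter_wmf_records(data):
    """Yield (offset, function, params) for each record; stops at META_EOF."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    off += struct.unpack_from("<H", data, off + 2)[0] * 2   # mtHeaderSize is in words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size

def find_setabortproc(data):
    """Return (offset, byte_count) for every SETABORTPROC escape record in the file.
    A hit is a triage signal that the file registers an abort handler, not a malware verdict."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, count = struct.unpack_from("<HH", params)
            if esc == ESC_SETABORTPROC:
                hits.append((off, count))
    return hits

if __name__ == "__main__":
    print(find_setabortproc(SAMPLE_WITH_ABORTPROC))  # [(18, 16)]
    print(find_setabortproc(SAMPLE_BENIGN))          # []
```

Because the detector only says whether a SetAbortProc escape is present, it has the same false-positive exposure Ferrie describes for a signature keyed on the function alone; treat its output as a reason to inspect the escape's bytes, not as a classification.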