Full Disclosure mailing list archives

RE: Re[2]: test this


From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 29 Dec 2005 15:51:32 -0600

Yet in my defense, CERT calls it a "buffer overflow" ;) 

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk 
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
Of Peter Ferrie
Sent: Thursday, December 29, 2005 11:51 AM
To: full-disclosure () lists grok org uk
Subject: RE: Re[2]: [Full-disclosure] test this

TrendMicro has released pattern file = 3.135.00 It appears to pick up
all the trojans using the WMF exploit as of right now. Variants could
affect this however.
 
If they're blindly detecting anything that contains the 
SetAbortProc, then they're detecting the legitimate use of a 
documented function.
 
Is this buffer overflow pretty specific like the older GIF exploit? If
I remember correctly, there were really only two ways to make the GIF
exploit work, so the detection was pretty solid. Is this exploit
similar? Or does it have some trick point that could be used to fool
known sigs?
 
Perhaps you should read about it on Microsoft's site.
It's not a buffer overflow.  WMF files since at least Windows 
3.0 days have been allowed to carry executable code in the 
form of their own SetAbortProc handler.  This is perfectly 
legitimate, though the design is a poor one.  The only thing 
that has changed is the code that is being executed.
 
8^) p.
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

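An added example of the metafile structure Peter describes (not code from the thread or from any of its participants): a small parser that walks a WMF record stream and reports every META_ESCAPE record whose escape function is SETABORTPROC, which is what a signature that "blindly detects anything that contains SetAbortProc" amounts to. The header and record layouts follow the documented WMF format (sizes in 16-bit words, optional 22-byte placeable header, META_EOF terminator); the two sample files are constructed inside the block and the function names are my own.

```python
"""Walk a Windows Metafile's record stream and flag META_ESCAPE records
that invoke SETABORTPROC.  Added example; the sample files below are
constructed here, not taken from any real sample."""
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 9            # escape function number
PLACEABLE_KEY = 0x9AC6CDD7  # Aldus placeable-header magic


def build_wmf(records, placeable=False):
    """Assemble a minimal WMF from (function, parameter_bytes) tuples.
    Record and file sizes are counted in 16-bit words, as the format requires."""
    body = b""
    max_rec = 3  # the META_EOF record is 3 words
    for func, parms in records:
        if len(parms) % 2:
            parms += b"\x00"                  # records are word-aligned
        rd_size = (6 + len(parms)) // 2       # rdSize + rdFunction + parms
        max_rec = max(max_rec, rd_size)
        body += struct.pack("<IH", rd_size, func) + parms
    body += struct.pack("<IH", 3, META_EOF)
    mt_size = (18 + len(body)) // 2
    # mtType=1 (memory), mtHeaderSize=9 words, mtVersion=0x300, mtSize,
    # mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, mt_size, 0, max_rec, 0)
    data = header + body
    if placeable:
        # key, handle, bounding box (4 x int16), inch, reserved; checksum is
        # the XOR of the first ten words
        ph = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for word in struct.unpack("<10H", ph):
            checksum ^= word
        data = ph + struct.pack("<H", checksum) + data
    return data


def escape_records(data):
    """Return a list of (offset, escape_function, escape_data) for every
    META_ESCAPE record, validating sizes as it goes."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated metafile header")
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if hdr_words != 9 or mt_type not in (1, 2):
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    found = []
    while off + 6 <= len(data):
        rd_size, func = struct.unpack_from("<IH", data, off)
        if rd_size < 3:
            raise ValueError(f"bad record size at offset {off}")
        rec_end = off + rd_size * 2
        if rec_end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        parms = data[off + 6:rec_end]
        if func == META_EOF:
            break
        if func == META_ESCAPE and len(parms) >= 4:
            # rdParm for META_ESCAPE: EscapeFunction, ByteCount, EscapeData
            esc, count = struct.unpack_from("<HH", parms, 0)
            found.append((off, esc, parms[4:4 + count]))
        off = rec_end
    return found


def uses_setabortproc(data):
    """The 'blind' check: any SETABORTPROC escape, whatever its payload."""
    return [r for r in escape_records(data) if r[1] == SETABORTPROC]


# Constructed samples: one ordinary metafile, one carrying a SETABORTPROC
# escape whose data is arbitrary placeholder bytes.
BENIGN = build_wmf([(META_SETMAPMODE, struct.pack("<H", 1))])
ABORT_DATA = b"ABCDEFGH"
WITH_ABORTPROC = build_wmf(
    [(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(ABORT_DATA)) + ABORT_DATA)],
    placeable=True,
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("with_abortproc", WITH_ABORTPROC)):
        hits = uses_setabortproc(sample)
        print(f"{name}: {len(hits)} SETABORTPROC escape record(s)")
        for off, esc, payload in hits:
            print(f"  offset {off}: escape {esc}, {len(payload)} data bytes")
```

The scanner reports presence only: a metafile that uses the documented escape for its intended purpose trips it exactly as a trojaned one does, which is the objection raised in the quoted reply. Telling the two apart means looking at what the escape data actually contains, not merely that a SETABORTPROC record exists.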