[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: RE: Re[2]: [Full-disclosure] test this
From: "Todd Towles" <toddtowles () brookshires ! com>
Date: 2005-12-29 21:51:32
Message-ID: 9E97F0997FB84D42B221B9FB203EFA2701FA040B () dc1ms2 ! msad ! brookshires ! net
[Download RAW message or body]
Yet in my defense, CERT calls it a "buffer overflow" ;)
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf
> Of Peter Ferrie
> Sent: Thursday, December 29, 2005 11:51 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: RE: Re[2]: [Full-disclosure] test this
>
> >TrendMicro has released pattern file = 3.135.00 It appears
> to pick up
> >all the trojans using the WMF exploit as of right now.
> Variants could
> >affect this however.
>
> If they're blindly detecting anything that contains the
> SetAbortProc, then they're detecting the legitimate use of a
> documented function.
>
> >Is this buffer overflow pretty specific like the older GIF
> exploit? If
> >I remember correctly, there were really only two ways to
> make the GIF
> >exploit work, so the detection was pretty solid. Is this exploit
> >similar? Or does it have some trick point that could be used to fool
> >known sigs?
>
> Perhaps you should read about it on Microsoft's site.
> It's not a buffer overflow. WMF files since at least Windows
> 3.0 days have been allowed to carry executable code in the
> form of their own SetAbortProc handler. This is perfectly
> legitimate, though the design is a poor one. The only thing
> that has changed is the code that is being executed.
>
> 8^) p.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic