<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 08.00.0681.000">
<TITLE>[Full-disclosure] More information on ZERT patch for ANI 0day</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Can someone point out</FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">“</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">What</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">”</FONT></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri"> might one see or expect if exploited by this?</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT FACE="Consolas">Message: 14</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Date: Sun, 1 Apr 2007 21:19:39 -0500 (CDT)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">From: Gadi Evron <ge@linuxbox.org></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Subject: [Full-disclosure] More information on ZERT patch for ANI 0day</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Message-ID: <Pine.LNX.4.21.0704012117261.14352-100000@linuxbox.org></FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Content-Type: TEXT/PLAIN; charset=US-ASCII</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Hi, more information about the patch released April 1st can be found here:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><A HREF="http://zert.isotf.org/"><SPAN LANG="en-us"><U><FONT COLOR="#0000FF" FACE="Consolas">http://zert.isotf.org/</FONT></U></SPAN><SPAN LANG="en-us"></SPAN></A><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Including:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">1. Technical information.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">2. Why this patch was released when eEye already released a third party patch.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the "anih" chunk, giving an attacker an easy route to overflow the stack and gain control of the execution of the process.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two "anih" chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most "drive-bys," but might be bypassed by an attacker with access to this directory.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"> <FONT FACE="Consolas">Gadi.</FONT></SPAN></P>
<BR>
<BR>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">------------------------------</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Thank You<BR>
Randall M</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">=====================</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">“You too can have your very own Computer!”</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Note: Side effects include:<BR>
Blue screens; interrupt violation;<BR>
illegal operations; remote code<BR>
exploitations; virus and malware infestations;<BR>
and other unknown vulnerabilities.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
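<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">Added example (not ZERT's, eEye's, Microsoft's or any poster's code) showing the check the quoted message describes, applied to every "anih" chunk rather than only the first: a bounds-checked RIFF chunk walker in C that refuses to copy more than 36 bytes of any anih chunk into its fixed-size header buffer, and that also rejects chunk size fields pointing past the end of the file. The chunk layout (4-byte id, 4-byte little-endian size, data padded to an even length, "LIST" chunks carrying a 4-byte type followed by sub-chunks) is the standard RIFF layout; the 36-byte limit comes from the text; all function, constant and enum names, and the in-memory test files, are this example's own constructions.</FONT></SPAN></P>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not ZERT's, eEye's or Microsoft's code): walk every chunk of an
 * animated-cursor RIFF file and apply the 36-byte "anih" limit to EVERY anih
 * chunk, including a second one. Names and test data are this example's own. */

#define ANIH_SIZE 36u      /* size of the fixed stack buffer described in the text */

enum ani_status {
    ANI_OK = 0,
    ANI_BAD_MAGIC = -1,    /* not a RIFF/ACON file */
    ANI_TRUNCATED = -2,    /* a size field points past the end of the data */
    ANI_ANIH_OVERSIZED = -3 /* an anih chunk claims more than ANIH_SIZE bytes */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a chunk sequence of `len` bytes, counting anih chunks and rejecting any
 * whose size field exceeds the destination buffer. Recurses into LIST chunks. */
static int walk_chunks(const uint8_t *p, size_t len, int depth, unsigned *anih_count)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 8)
            return ANI_TRUNCATED;                 /* no room for an id + size header */
        const uint8_t *id = p + off;
        uint32_t size = rd32(p + off + 4);
        size_t data = off + 8;
        if (size > len - data)
            return ANI_TRUNCATED;                 /* size field lies about the file */
        if (memcmp(id, "anih", 4) == 0) {
            (*anih_count)++;
            if (size > ANIH_SIZE)                 /* the check that must run for every anih */
                return ANI_ANIH_OVERSIZED;
            uint8_t hdr[ANIH_SIZE] = {0};
            memcpy(hdr, p + data, size);          /* bounded copy: size <= sizeof hdr */
        } else if (memcmp(id, "LIST", 4) == 0 && size >= 4 && depth < 4) {
            int r = walk_chunks(p + data + 4, size - 4, depth + 1, anih_count);
            if (r != ANI_OK)
                return r;
        }
        off = data + size + (size & 1);           /* chunks are word-aligned */
    }
    return ANI_OK;
}

/* Validate a whole in-memory .ani file; returns an ani_status value. */
int ani_check(const uint8_t *buf, size_t len, unsigned *anih_count)
{
    *anih_count = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_BAD_MAGIC;
    uint32_t riff_size = rd32(buf + 4);
    if (riff_size < 4 || riff_size > len - 8)
        return ANI_TRUNCATED;
    return walk_chunks(buf + 12, riff_size - 4, 0, anih_count);
}

static void put_u32(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)v;         out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
}

/* Constructed test input: a RIFF/ACON file with one zero-filled anih chunk per
 * entry of `sizes`. Returns the file length, or 0 if `cap` is too small. */
static size_t build_ani(uint8_t *out, size_t cap, const uint32_t *sizes, size_t n)
{
    size_t off = 12;
    for (size_t i = 0; i < n; i++) {
        if (cap - off < 8 + (size_t)sizes[i] + 1) return 0;
        memcpy(out + off, "anih", 4);
        put_u32(out + off + 4, sizes[i]);
        memset(out + off + 8, 0, sizes[i]);
        off += 8 + sizes[i] + (sizes[i] & 1);
    }
    memcpy(out, "RIFF", 4);
    put_u32(out + 4, (uint32_t)(off - 8));
    memcpy(out + 8, "ACON", 4);
    return off;
}

int check_wellformed(void)            /* one 36-byte anih: accepted */
{
    uint8_t buf[256]; unsigned n; uint32_t sizes[] = { 36 };
    size_t len = build_ani(buf, sizeof buf, sizes, 1);
    return len && ani_check(buf, len, &n) == ANI_OK && n == 1;
}

int check_second_anih_oversized(void) /* valid first anih, 64-byte second: rejected */
{
    uint8_t buf[256]; unsigned n; uint32_t sizes[] = { 36, 64 };
    size_t len = build_ani(buf, sizeof buf, sizes, 2);
    return len && ani_check(buf, len, &n) == ANI_ANIH_OVERSIZED && n == 2;
}

int check_size_field_past_eof(void)   /* size field larger than the file: rejected */
{
    uint8_t buf[256]; unsigned n; uint32_t sizes[] = { 36 };
    size_t len = build_ani(buf, sizeof buf, sizes, 1);
    put_u32(buf + 16, 1000);          /* corrupt the first chunk's size field */
    return len && ani_check(buf, len, &n) == ANI_TRUNCATED;
}

int main(void)
{
    printf("well-formed: %d, second anih oversized: %d, size past EOF: %d\n",
           check_wellformed(), check_second_anih_oversized(), check_size_field_past_eof());
    return 0;
}
```

<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Consolas">The point of the walker is the one the message makes: the length check sits in the single code path that handles any anih chunk, so a second chunk cannot reach a different, unchecked copy. A file whose second anih declares more than 36 bytes is rejected before any copy happens, while a well-formed file with one 36-byte anih passes.</FONT></SPAN></P>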
</BODY>
</HTML>