|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [funsec] Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for setSlice()]
From: Alexander Sotirov (asotirov
determina.com)
Date: Wed Oct 04 2006 - 13:39:57 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gadi Evron wrote:
> Our (ZERT's) VML patch was what you refer to as "real". There was space
> issue with not enough bytes to play with, so Gil Dabah, one of our
> members, re-wrote the vulnerable function in Yasm, compiled it, and
> hard-coded the compiled code into the binary, with room to spare, saving
> functionality. Code crunching is back in style. :)
Rewriting the entire function in asm is a lot of unnecessary effort. Why didn't
you add a simple length check and a 5-byte jump to it in the vulnerable function?
Patch right before the call to _IE5_SHADETYPE_TEXT::TOKENS::Ptok, check the
length of the string, and you're done. Or you can patch the copy loop and count
the characters there. It's easier and safer than rewriting the function.
Alex
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]