OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
RE: Re[2]: [Full-disclosure] test this

From: Peter Ferrie (pferriesymantec.com)
Date: Thu Dec 29 2005 - 11:51:02 CST


>TrendMicro has released pattern file = 3.135.00
>It appears to pick up all the trojans using the WMF exploit as of right
>now. Variants could affect this however.
 
If they're blindly detecting anything that contains the SetAbortProc, then they're detecting the legitimate use of a documented function.
 
>Is this buffer overflow pretty specific like the older GIF exploit? If I
>remember correctly, there were really only two ways to make the GIF
>exploit work, so the detection was pretty solid. Is this exploit
>similar? Or does it have some trick point that could be used to fool
>known sigs?
 
Perhaps you should read about it on Microsoft's site.
It's not a buffer overflow. WMF files since at least Windows 3.0 days have been allowed to carry executable code in the form of their own SetAbortProc handler. This is perfectly legitimate, though the design is a poor one. The only thing that has changed is the code that is being executed.
 
8^) p.
 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/