Firefox 2 is vulnerable to ANI flaw
jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland

reply to matunga
Re: Firefox 2 is vulnerable to ANI flaw

I'm still having a bit of trouble believing all this.

Well, for starters I don't understand how the heck Firefox is connected to animated cursors of Windows in the first place. I just don't get it. Second, I haven't SEEN and TRIED OUT any POC on my Firefox 2.0.0.3.
--
My computer security & privacy related homepage »www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

said by jansson_mark:

I'm still having a bit of trouble believing all this.

Well, for starters I don't understand how the heck Firefox is connected to animated cursors of Windows in the first place. I just don't get it. Second, I haven't SEEN and TRIED OUT any POC on my Firefox 2.0.0.3.
It is getting more complicated than that, and depends on how you have the security set on IE or any other browser.
I can set IE6 up and it will not be hit; also the same with IE7.

But I do understand your point.

Vulnerability Details
(Credit to Joe Stewart, SecureWorks)

The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the "anih" chunk—giving an attacker an easy route to overflow the stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two "anih" chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered.

Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most "drive-by" code execution scenarios, but it might also break third-party applications that use animated cursors within their own program directories.

For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files.

zert.isotf.org/advisories/zert-2007-01.htm

Compromised sites using ANI exploit code
www.websense.com/securitylabs/bl···ogID=119
Apr 2 2007 3:15PM ~ "Websense's ThreatSeeker(tm) technology has discovered that a large set of websites have been compromised within the Asia Pacific Region and have embedded IFRAMES within them pointing to a site that is hosting the ANI exploit code. An IFRAME or "invisible frame" is an element which makes it possible to embed another HTML document inside the main document. From Wikipedia: http://en.wikipedia.org/wiki/Iframe.
Although we are tracking hundreds of other sites that are hosting ANI exploit files, this alert pertains to one group of sites that are all connecting to the same host. Many of the sites appear to be running online blogs or message boards. Most sites have embedded IFRAMEs on all pages leading to a main set of sites which are hosting the exploit code. The number of unique sites currently up and running for this one attack is greater than 50 and the number of pages is greater than 500. Assuming users connect to the sites, they will be redirected to two unique locations which are hosting exploit code, which in turn downloads and installs a file called "ad.exe". The file includes a generic password stealer and is not detected well by most Antivirus companies (MD5 0c9217553871d3eb5f20b553d91a098b)..."

(Screenshots available at the URL above.)

http://forums.spybot.info/showthread.php?s=ddf7a0304bcf9398c9c38d1b84cde327&t=12557&page=2
--
Gladiator Security Forum http://www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/
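As an added example (not ZERT's, eEye's or anything posted in this thread), here is a small C checker that applies the rule the ZERT advisory quoted above describes: it walks an ANI file's RIFF chunks and only accepts a file whose single "anih" chunk declares exactly 36 bytes, the size of the fixed stack buffer, rejecting oversized headers and files carrying a second "anih" chunk. The function names ani_is_safe and build_sample are assumptions, and the sample files are constructed inline, zero-filled, with no real cursor data.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical checker, not ZERT's or eEye's code: walks an ANI file's RIFF chunks
 * and accepts it only if every "anih" chunk is exactly ANIH_SIZE bytes (the fixed
 * stack buffer size the advisory describes) and only one "anih" chunk is present. */
#define ANIH_SIZE 36u

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Counts "anih" chunks in buf[0..len), descending into LIST chunks.
 * Sets *bad if a chunk overruns the buffer or an anih length is not ANIH_SIZE. */
static int walk(const uint8_t *buf, size_t len, int *bad) {
    size_t off = 0;
    int count = 0;
    while (off + 8 <= len) {
        uint32_t sz = rd32(buf + off + 4);
        if (sz > len - off - 8) { *bad = 1; break; }          /* chunk runs past end of file */
        if (memcmp(buf + off, "anih", 4) == 0) {
            count++;
            if (sz != ANIH_SIZE) *bad = 1;                     /* length field is not the struct size */
        } else if (memcmp(buf + off, "LIST", 4) == 0 && sz >= 4) {
            count += walk(buf + off + 12, sz - 4, bad);        /* skip the 4-byte list type */
        }
        off += 8 + sz + (sz & 1);                               /* chunks are padded to even length */
    }
    return count;
}

/* Returns 1 only for a RIFF/ACON file with exactly one well-formed anih chunk. */
int ani_is_safe(const uint8_t *buf, size_t len) {
    int bad = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0) return 0;
    return walk(buf + 12, len - 12, &bad) == 1 && !bad;
}

/* Constructed sample (zero-filled, no real cursor data): RIFF/ACON with one anih chunk
 * of declared length anih_len, plus an optional second anih chunk. Returns bytes written. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t anih_len, int second_anih) {
    size_t pad = anih_len & 1, off = 12, need = 12 + (second_anih ? 2 : 1) * (8 + anih_len + pad);
    if (need > cap) return 0;
    memcpy(out, "RIFF", 4); wr32(out + 4, (uint32_t)(need - 8)); memcpy(out + 8, "ACON", 4);
    for (int i = 0; i < (second_anih ? 2 : 1); i++) {
        memcpy(out + off, "anih", 4); wr32(out + off + 4, anih_len);
        memset(out + off + 8, 0, anih_len + pad);
        off += 8 + anih_len + pad;
    }
    return off;
}
```

A well-formed file passes; a file whose anih length field is not 36, or that carries a second anih chunk, is rejected before any copy would happen.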