Forums » Up and Running » Security » Security » Firefox 2 is vulnerable to ANI flaw
matunga

join:2003-07-26

 Firefox 2 is vulnerable to ANI flaw

This is a short flash video of exploiting the ANI vulnerability on Windows Vista. The exploit works against both Internet Explorer 7 and Mozilla Firefox 2.0:

»determina.blogspot.com/2007/04/e···ani.html

Mele20
Premium
join:2001-06-05
Hilo, HI
The exploit is more severe in Fx! And over at Mozillazine they have been pooh-poohing this entire thing.

Thanks for the link. I don't have Flash Player on my main machine but I do have it on a virtual one so I watched this there.


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland

reply to matunga
I'm still having a bit of trouble believing all this.

Well, for starters I don't understand how the heck Firefox is connected to animated cursors of Windows in the first place. I just don't get it. Second, I haven't SEEN and TRIED OUT any POC on my Firefox 2.0.0.3.
--
My computer security & privacy related homepage »www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

said by jansson_mark See Profile :

I'm still having a bit of trouble believing all this.

Well, for starters I don't understand how the heck Firefox is connected to animated cursors of Windows in the first place. I just don't get it. Second, I haven't SEEN and TRIED OUT any POC on my Firefox 2.0.0.3.
It is getting more complicated than that, and depends on how you have the security set on IE or any other browser.
I can set IE6 up and it will not be hit; same with IE7.

But I do understand your point.

Vulnerability Details
(Credit to Joe Stewart, SecureWorks)

The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the "anih" chunk—giving an attacker an easy route to overflow the stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two "anih" chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered.

Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most "drive-by" code execution scenarios, but it might also break third-party applications that use animated cursors within their own program directories.

For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files.

»zert.isotf.org/advisories/zert-2007-01.htm

Compromised sites using ANI exploit code
»www.websense.com/securitylabs/bl···ogID=119
Apr 2 2007 3:15PM ~ "Websense's ThreatSeeker(tm) technology has discovered that a large set of websites have been compromised within the Asia Pacific Region and have embedded IFRAMES within them pointing to a site that is hosting the ANI exploit code. An IFRAME or "invisible frame" is an element which makes it possible to embed another HTML document inside the main document. From Wikipedia: http://en.wikipedia.org/wiki/Iframe.
Although we are tracking hundreds of other sites that are hosting ANI exploit files this alert pertains to one group of sites that are all connecting to the same host. Many of the sites appear to be running online blogs or message boards. Most sites have embedded IFRAME's on all pages leading to a main set of sites which are hosting the exploit code. The number of unique sites currently up and running for this one attack is greater than 50 and the number of pages is greater than 500. Assuming users connect to the sites they will be redirected to two unique locations which are hosting exploit code which in turn downloads and installs a file called "ad.exe". The file includes a generic password stealer and is not detected well by most Antivirus companies (MD5 0c9217553871d3eb5f20b553d91a098b)..."

(Screenshots available at the URL above.)

http://forums.spybot.info/showthread.php?s=ddf7a0304bcf9398c9c38d1b84cde327&t=12557&page=2
--
Gladiator Security Forum http://www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/
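The advisory quoted above gives the rule a defender can check for directly: an "anih" chunk is supposed to be exactly 36 bytes, and a file with a second "anih" chunk is what reached the copy routine MS05-002 left unfixed. The following scanner is an added example for this thread (not code from ZERT, eEye, SecureWorks or Microsoft) that walks the RIFF/ACON chunk structure, including nested LIST containers, and reports oversized, mis-sized, truncated or duplicated "anih" chunks. The sample files at the bottom are constructed inline and are not real malware; the field names in the 36-byte header follow the public ANI layout.

```python
"""Scanner for Windows animated-cursor (RIFF/ACON) files.

Added example, not code from the thread, ZERT or Microsoft. It applies the
rule quoted above, that an "anih" chunk must be exactly 36 bytes, and also
flags the second-"anih"-chunk case that the unpatched code path handled.
The sample files below are constructed for illustration only.
"""
import struct

ANIH_SIZE = 36  # size of the fixed stack buffer the advisory describes


def iter_chunks(data, start, end):
    """Yield (fourcc, payload, truncated) for each RIFF chunk in data[start:end].

    LIST containers are descended into (skipping their 4-byte list type) so an
    anih chunk hidden inside a LIST is reported too. A chunk whose declared
    length runs past the container is yielded with truncated=True.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        body_end = body + size
        if body_end > end:
            yield fourcc, data[body:end], True
            return
        if fourcc == b"LIST":
            yield from iter_chunks(data, body + 4, body_end)
        else:
            yield fourcc, data[body:body_end], False
        pos = body_end + (size & 1)  # RIFF chunks are padded to even length


def check_ani(data):
    """Return a list of findings; an empty list means the file looks well-formed."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), 8 + riff_size)
    findings = []
    anih_count = 0
    for fourcc, payload, truncated in iter_chunks(data, 12, end):
        if truncated:
            findings.append(f"chunk {fourcc!r} declares a length past end of file")
        if fourcc != b"anih":
            continue
        anih_count += 1
        if len(payload) != ANIH_SIZE:
            # the oversized copy that MS05-002, and later ZERT, bound to 36 bytes
            findings.append(f"anih chunk #{anih_count} is {len(payload)} bytes, expected {ANIH_SIZE}")
        else:
            (cb_size,) = struct.unpack_from("<I", payload, 0)
            if cb_size != ANIH_SIZE:
                findings.append(f"anih chunk #{anih_count} cbSize field is {cb_size}, expected {ANIH_SIZE}")
    if anih_count == 0:
        findings.append("no anih chunk")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks; the second one reached the code path MS05-002 left unfixed")
    return findings


# --- constructed sample files (not real cursor files, not malware) -----------

def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# cbSize, nFrames, nSteps, iWidth, iHeight, iBitCount, nPlanes, iDispRate, bfAttributes
GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)

SAMPLE_GOOD = _riff(_chunk(b"anih", GOOD_ANIH),
                    _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16)))
SAMPLE_OVERSIZED = _riff(_chunk(b"anih", GOOD_ANIH + b"A" * 64))
SAMPLE_DOUBLE = _riff(_chunk(b"anih", GOOD_ANIH),
                      _chunk(b"anih", GOOD_ANIH + b"A" * 64))
# declared chunk length (1000) far larger than the 2 bytes actually present
SAMPLE_TRUNCATED = (b"RIFF" + struct.pack("<I", 14) + b"ACON"
                    + b"anih" + struct.pack("<I", 1000) + b"xx")

if __name__ == "__main__":
    for name, blob in [("good", SAMPLE_GOOD), ("oversized", SAMPLE_OVERSIZED),
                       ("double", SAMPLE_DOUBLE), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, check_ani(blob) or ["ok"])
```

Run it directly to see the findings for each constructed sample, or call `check_ani(open(path, "rb").read())` on a file pulled from a mail gateway or proxy quarantine. A clean result only means the chunk lengths are sane; it does not prove the file is safe, but any of the four findings is enough to drop the file.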


angussf
Premium
join:2002-01-11
Tucson, AZ
reply to matunga
I went to a site which purports to test your browser and my Firefox 2.0.0.3 with NoScript was not vulnerable. IE6 with scripting disabled is also not vulnerable.

matunga

join:2003-07-26


said by angussf See Profile :

I went to a site which purports to test your browser and my Firefox 2.0.0.3 with NoScript was not vulnerable. IE6 with scripting disabled is also not vulnerable.
Sorry, but javascript is not involved in this flaw, so Firefox 2.0.0.3 is affected with or without NoScript.
The only browser not at risk is Internet Explorer 7 under Windows Vista because the Protected Mode (enabled by default)


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
reply to matunga
the poc listed below did not crash FF (on either XP or W2K)

»zert.isotf.org/tests/testani.htm

It closed IE7 but not IE6

Cudni


CajunTek
Insane Cajun
Premium,MVM
join:2003-08-08
Arlington, TX
Hmm... with hardware DEP on... It didn't crash ff or cause IE7 to close...
--
da Cajun Darn I hate Malware


MeDuZa

join:2003-06-13
Austria

reply to matunga
said by matunga See Profile :

The only browser not at risk is Internet Explorer 7 under Windows Vista because the Protected Mode (enabled by default)
No crash here. I'm getting the below message with both browsers Opera and K-Meleon on w2k.

quote:
you do not appear to be vulnerable to the ie ani cursor exploit
for more information about the exploit and the patch visit: zert
Is there any other test site to check?
--
Reality corrupted. Reboot universe? (Y/N)


Jrb2
Premium
join:2001-08-31

reply to Cudni
Hi Cudni,

IMON (NOD32) immediately jumps up with a warning (see screenie) when clicking on that link.
Then I see: "you do not appear to be vulnerable to the ie ani cursor exploit" (etc etc).


Boricua65

join:2002-01-26
Puerto Rico
reply to matunga
I don't use animated cursors, so I should be okay? I use Firefox 2.0.0.3 as the main browser and IE 6 when pages do not render well and for updates. Or are they talking about the cursors installed with Windows?


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!

reply to matunga
said by matunga See Profile :

... Firefox 2.0.0.3 is affected with or without NoScript.
The only browser not at risk is Internet Explorer 7 under Windows Vista because the Protected Mode (enabled by default)
ANI patch not applied, WINXP home w/current patches, user has admin rights.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.


AB
Premium
join:2006-04-04
Leesburg, VA

reply to Cudni
said by Cudni See Profile :

the poc listed below did not crash FF (on either XP or W2K)

»zert.isotf.org/tests/testani.htm

It closed IE7 but not IE6
The screenshot is what I get with Firefox 2.0.0.3 at that link.

I notice they call it an "ie exploit". Just poor characterization on their part?


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY

reply to matunga
I thought we already established in the other thread about this that js IS involved, and that there is conflicting info on which browsers may or may not be affected?

»Microsoft Security Advisory (935423) Vulnerability in Window

»www.securityfocus.com/brief/473

Why start a new thread? It just makes it more confusing and harder to keep up with.
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~



AB
Premium
join:2006-04-04
Leesburg, VA

said by La Luna See Profile :

I thought we already established in the other thread about this that js IS involved, and that there is conflicting info on which browsers may or may not be affected?

»Microsoft Security Advisory (935423) Vulnerability in Window

»www.securityfocus.com/brief/473
I think it was brought out in the other thread that javascript was *not* involved, beyond the browser re-direction nature of sending you to a page hosting the exploit, regardless of how it was presented in the 'Security Focus' article.
A CSS code trojan/worm was what I got from it.
But there definitely seems to be a lot more confusion about what's up with this one than is ordinarily the case.
Why start a new thread? It just makes it more confusing and harder to keep up with.
So many threads, so little time . . . .


planet

join:2001-11-05
Olmsted Falls, OH
Would this exploit be less destructive to a machine running in a limited user account?


AB
Premium
join:2006-04-04
Leesburg, VA

said by planet See Profile :

Would this exploit be less destructive to a machine running in a limited user account?
I hold myself out as no big security expert, but I think that's the case pretty much regardless of the nature of the exploit, isn't it?


antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA

reply to matunga
said by matunga See Profile :

This is a short flash video of exploiting the ANI vulnerability on Windows Vista. The exploit works against both Internet Explorer 7 and Mozilla Firefox 2.0:

»determina.blogspot.com/2007/04/e···ani.html
»www.us-cert.gov/cas/techalerts/T···89A.html
--

Specializing in take-downs of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com


somebodynew5

@direcpc.com

reply to AB
I think the biggest problem with these Proof of Concept test pages is that people think that just because they pass one particular test that says their system is safe, they are safe.

These proof of concept pages often only test a limited subset of all possible attack vectors. So while one proof of concept page may only trigger the exploit under IE, there may also be attack vectors available under Firefox that are simply not exploited by the particular POC test page. A simple change to the exploit code may be able to attack using other browsers or avenues of exploit.

Much like all pages do not render the same under all browsers, many core operating system exploits require some minor code changes to target other browsers.

So any time the flaw is located in the underlying operating system, just using a different browser may not close all available attack vectors. It all depends on the actual exploit. In this case the exploit can be triggered by some CSS code to load an ANI cursor file, so with some tweaks I am sure it is quite possible to cause Firefox to attempt to load an ANI file into Windows.


CajunTek
Insane Cajun
Premium,MVM
join:2003-08-08
Arlington, TX
Just an FYI folks.. there is a patch available at windows update... even as I type...
--
da Cajun Darn I hate Malware