RE: Re[2]: [Full-disclosure] test this
- To: "Peter Ferrie" <pferrie@xxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: RE: Re[2]: [Full-disclosure] test this
- From: "Todd Towles" <toddtowles@xxxxxxxxxxxxxxx>
- Date: Thu, 29 Dec 2005 15:51:32 -0600
Yet in my defense, CERT calls it a "buffer overflow" ;)
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Peter Ferrie
> Sent: Thursday, December 29, 2005 11:51 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: RE: Re[2]: [Full-disclosure] test this
>
> > TrendMicro has released pattern file 3.135.00. It appears to pick up
> > all the trojans using the WMF exploit as of right now. Variants could
> > affect this however.
>
> If they're blindly detecting anything that contains the
> SetAbortProc, then they're detecting the legitimate use of a
> documented function.
>
> > Is this buffer overflow pretty specific like the older GIF exploit? If
> > I remember correctly, there were really only two ways to make the GIF
> > exploit work, so the detection was pretty solid. Is this exploit
> > similar? Or does it have some trick point that could be used to fool
> > known sigs?
>
> Perhaps you should read about it on Microsoft's site.
> It's not a buffer overflow. WMF files since at least Windows
> 3.0 days have been allowed to carry executable code in the
> form of their own SetAbortProc handler. This is perfectly
> legitimate, though the design is a poor one. The only thing
> that has changed is the code that is being executed.
>
> 8^) p.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
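Added example, not part of the thread and not code from either poster: a record-level WMF walker in Python that distinguishes a META_ESCAPE record carrying the SETABORTPROC sub-function from any other byte pattern, which is the minimum a signature needs before it can say anything about a file. Record function numbers, the escape sub-function number and the header layouts are taken from the MS-WMF specification; the two sample files are constructed inline and contain no payload. Ferrie's caveat applies as written: SETABORTPROC is a documented, legitimate record, so the walker reports its presence and escape-data length for an analyst to look at rather than treating the record alone as a verdict.

```python
import struct

# Record function numbers and the escape sub-function, per MS-WMF.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header


def wmf_records(data):
    """Yield (function, params) for each record in a WMF byte string.

    Skips the optional placeable header, validates the 18-byte METAHEADER,
    then walks the record stream. Record sizes are counted in 16-bit words.
    Raises ValueError on truncation or an inconsistent record size.
    """
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("truncated METAHEADER")
    # METAHEADER: Type, HeaderSize (words), Version, Size, NumObjects, MaxRecord, NumMembers
    hdr_type, hdr_size = struct.unpack_from("<HH", data, pos)
    if hdr_type not in (1, 2) or hdr_size != 9:
        raise ValueError("not a WMF METAHEADER")
    pos += hdr_size * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            raise ValueError("bad record size at offset %d" % pos)
        yield func, data[pos + 6:pos + size]
        if func == META_EOF:
            return
        pos += size
    raise ValueError("missing META_EOF")


def find_abortproc_escapes(data):
    """Return the ByteCount of every META_ESCAPE record whose sub-function is
    SETABORTPROC. An empty list means no such record; a non-empty list is a
    prompt to inspect the escape data, not a malware verdict on its own."""
    hits = []
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append(byte_count)
    return hits


# --- constructed sample files (no placeable header, no payload) ---

def _record(func, params=b""):
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body


def _wmf(records):
    body = b"".join(records)
    max_record = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body


def _placeable_prefix():
    # key, handle, bbox (left, top, right, bottom), inch, reserved; checksum is
    # the XOR of the preceding ten 16-bit words.
    head = struct.pack("<IHhhhhIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (w,) in struct.iter_unpack("<H", head):
        checksum ^= w
    return head + struct.pack("<H", checksum)


# Ordinary metafile: one SetMapMode record, then EOF.
CLEAN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])

# Same, plus an Escape record selecting SETABORTPROC with 4 zero bytes of
# escape data (constructed placeholder, not a handler).
ESCAPE_WMF = _wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
    _record(META_EOF),
])

# The escape sample again, with a placeable header in front.
PLACEABLE_ESCAPE_WMF = _placeable_prefix() + ESCAPE_WMF


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_WMF), ("escape", ESCAPE_WMF), ("placeable", PLACEABLE_ESCAPE_WMF)):
        print(name, find_abortproc_escapes(sample))
```

The walker refuses files whose record sizes do not add up instead of scanning for a byte pattern, which is what separates "this file has a SETABORTPROC escape record" from "these two bytes appear somewhere". What to do with a hit is a policy decision the thread leaves open; at minimum the escape data length is the number an analyst would look at next.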