Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow



Larry Seltzer wrote:
> Perhaps your exploit proves this wrong, but it's the last I heard on the
> subject. And even if there are only 256 slots how do you try more than
> one? Isn't the first wrong one going to crash the browser?

Read our advisory:
http://www.determina.com/security.research/vulnerabilities/ani-header.html

It explains that the vulnerable code is wrapped in an exception handler that
recovers from access violations. That means that you can trigger the exploit
multiple times and try different addresses, increasing the chance of hitting the
right one (you only need 128 tries on average).

A much simpler solution is to use heap spraying (which works fine on Vista) for
systems that don't have DEP enabled.

> As for the exploits in protected mode I'm sure there are things you can
> do, but it's a huge step down from what you can do in XP and it's gone
> as soon as you exit IE7

Unless somebody has a Vista exploit for the CSRSS kernel bug :-) In general I
agree that protected mode presents additional constraints on exploitation, but I
would reserve judgment until we've seen a few more exploits and more public
research.

Alex
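Added example (my own, not code from the Determina advisory or from either poster) of the mechanism argued above: when the code that consumes the corrupted pointer sits under a handler that swallows access violations, a wrong guess costs nothing, so an attacker can walk the whole candidate set instead of getting one shot. It uses a POSIX SIGSEGV handler plus siglongjmp as a stand-in for the Windows SEH frame around LoadAniIcon; the 256-slot candidate set, the choice of null-page addresses for the wrong guesses, and all function names are assumptions of the model, not details of the real bug.

```c
/* Model of "retry under an exception handler" (added example, not from the
 * advisory). POSIX signal handling stands in for Windows SEH. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 256            /* the "256 slots" discussed in the thread (assumed) */

static sigjmp_buf recover_point;

/* Stand-in for the SEH frame that recovers from access violations: instead
 * of the process dying, control returns to the retry loop. */
static void on_access_violation(int sig) {
    (void)sig;
    siglongjmp(recover_point, 1);
}

static void install_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_access_violation;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

/* Hypothetical vulnerable consumer: the overflow has replaced a pointer with
 * the attacker's guess and the code reads through it. Faults if the guess is
 * not mapped. */
static int use_corrupted_pointer(uintptr_t guess) {
    const volatile unsigned char *p = (const volatile unsigned char *)guess;
    return *p;
}

/* Candidate address for a slot. Assumption of the model: the 255 wrong guesses
 * fall in the never-mapped null page (offsets 0x000..0xff0) and therefore
 * fault; the one right guess is the real address of `target`. */
static uintptr_t candidate(int slot, int right_slot, const unsigned char *target) {
    if (slot == right_slot)
        return (uintptr_t)target;
    return (uintptr_t)slot * 16u;
}

/* One protected attempt: 1 = guess was valid, 0 = access violation was
 * swallowed by the handler and the process is still alive for the next try. */
static int protected_attempt(uintptr_t guess, int *value_out) {
    if (sigsetjmp(recover_point, 1) != 0)
        return 0;                       /* came back here from the handler */
    *value_out = use_corrupted_pointer(guess);
    return 1;
}

/* Walk every slot until one does not fault. Returns the number of attempts
 * used (1..NSLOTS) or 0 if nothing hit. Without the handler the first wrong
 * guess would terminate the process, so this loop could only ever run once. */
static int brute_force(int right_slot, const unsigned char *target, int *value_out) {
    install_handler();
    for (int slot = 0; slot < NSLOTS; slot++) {
        if (protected_attempt(candidate(slot, right_slot, target), value_out))
            return slot + 1;
    }
    return 0;
}

/* Convenience wrapper with a fixed target byte; returns attempts used. */
static int run_model(int right_slot) {
    static const unsigned char target = 0x41;
    int value = 0;
    return brute_force(right_slot, &target, &value);
}

/* If the right slot is uniform over n slots, expected attempts are (1+n)/2,
 * i.e. 128.5 for 256 slots, the "128 on average" from the thread. */
static double expected_attempts(int nslots) {
    return (1.0 + nslots) / 2.0;
}

int main(void) {
    for (int right = 0; right < NSLOTS; right += 85)
        printf("right slot %3d: hit after %3d attempts\n", right, run_model(right));
    printf("expected attempts over %d slots: %.1f\n", NSLOTS, expected_attempts(NSLOTS));
    return 0;
}
```

On Windows the same effect comes from a `__try { ... } __except(EXCEPTION_EXECUTE_HANDLER) { ... }` frame (or any SEH frame whose filter returns EXCEPTION_EXECUTE_HANDLER) around the parsing code; the model above only replaces that frame with a signal handler so it runs on a POSIX box. Note that the retry loop lives in the attacker's delivery vehicle (e.g. a page that embeds the file many times with different guesses), not in the victim code; the victim merely has to survive each miss.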

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/