[Full-disclosure] More information on ZERT patch for ANI 0day
Hi, more information about the patch released April 1st can be found here:

http://zert.isotf.org/

Including:
1. Technical information.
2. Why this patch was released when eEye already released a third party
patch.

The newly discovered zero-day vulnerability in the parsing of animated
cursors is very similar to the one previously discovered by eEye that was
patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated
cursor RIFF file is read into a stack buffer of a fixed size (36
bytes), but the actual memory copy operation uses the length field provided
inside the "anih" chunk, giving an attacker an easy route to overflow the
stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the
chunk before copying it to the buffer. However, they neglected to audit
the rest of the code for any other instances of the vulnerable copy
routine. As it turns out, if there are two "anih" chunks in the file, the
second chunk will be handled by a separate piece of code which Microsoft
did not fix. This is what the authors of the zero-day discovered.

Although eEye has released a third-party patch that will prevent the
latest exploit from working, it doesn't fix the flawed copy routine. It
simply requires that any cursors loaded must reside within the Windows
directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should
successfully mitigate most "drive-bys," but might be bypassed by an
attacker with access to this directory.

For this reason, ZERT is releasing a patch which addresses the core of the
vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk
will be copied to the stack buffer, thus eliminating all potential exploit
paths while maintaining compatibility with well-formatted animated cursor
files.

Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
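The length check described above, as an added example that is not part of Gadi's post or of the ZERT/eEye patches: a small RIFF walker that flags every "anih" chunk whose declared length is not the 36 bytes the stack buffer holds, including a second "anih" chunk later in the file (the case MS05-002 missed). It also descends into LIST chunks, which goes beyond the post's description; the sample files are constructed inline.

```python
import struct

ANIH_EXPECTED = 36  # size of the fixed stack buffer the "anih" header is copied into


def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size) for each RIFF chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        yield fourcc, pos + 8, size
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length


def find_suspicious_anih(data):
    """Return [(chunk_offset, declared_size)] for every "anih" chunk whose declared
    length differs from the 36-byte ANIHEADER. Every "anih" occurrence is checked,
    not just the first, and LIST chunks are walked so nested ones are found too."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return []  # not an animated cursor container at all
    riff_end = min(len(data), 8 + struct.unpack_from("<I", data, 4)[0])
    bad = []

    def walk(start, end):
        for fourcc, off, size in iter_chunks(data, start, end):
            if fourcc == b"anih" and size != ANIH_EXPECTED:
                bad.append((off - 8, size))
            elif fourcc == b"LIST":
                walk(off + 4, min(off + size, end))  # skip the 4-byte list type code

    walk(12, riff_end)
    return bad


def chunk(fourcc, payload):
    """Encode one RIFF chunk with its even-length padding byte."""
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(anih_payloads):
    """Constructed sample (not a real cursor): an ACON RIFF with one "anih" per payload."""
    body = b"ACON" + b"".join(chunk(b"anih", p) for p in anih_payloads)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    print(find_suspicious_anih(build_ani([b"\0" * 36])))            # []
    print(find_suspicious_anih(build_ani([b"\0" * 36, b"A" * 200])))  # [(56, 200)]
```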