[REVS] Creating Arbitrary Shellcode in UNICODE Expanded Strings

From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 11 Jan 2002 11:01:27 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Creating Arbitrary Shellcode in UNICODE Expanded Strings
------------------------------------------------------------------------

SUMMARY

A paper on exploiting buffer overflows that occur inside UNICODE (wide-character)
strings has been published. It explains why such overflows are exploitable even
though the expansion leaves the attacker in control of only every other byte of
the overflowing buffer, how to write shellcode that works under that constraint,
and gives a worked example of the required x86 assembly.

DETAILS

Abstract:
The paper is intended to be read by the portion of the security community
responsible for creating protective mechanisms to guard against
"shellcode" type security flaws; the intention is to remove the perception
that UNICODE buffer overflows are non-exploitable and thereby improve the
general state of network security. It is often the case that several
classes of overflow or format string bug are labeled "denial of service"
attacks when in fact it is possible to execute arbitrary code. This paper
deals with one of these classes of overflow.

This paper introduces a technique (the "Venetian" exploit) that can be
used to permit the execution of a small amount of arbitrary code in a
situation where a buffer overflow occurs in a "UNICODE" string on the
Intel x86 processors. This situation is common in the Windows operating
systems but the technique is not operating system specific.
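The abstract above states the constraint without spelling it out: when a narrow string is converted to UTF-16LE, every attacker byte is followed by a 0x00, so the overflowing bytes land in memory as "AA 00 BB 00 CC 00 ...". The following C program is an added illustration by the editor, not code from the paper or from the advisory. It shows the expansion, a check for which instruction byte sequences survive it (the filler `40 00 6D 00`, i.e. `inc eax` followed by `add byte ptr [ebp+0], ch`, passes; `88 07`, `mov byte ptr [edi], al`, does not), and one way to reconstruct full shellcode from such a stream: carry the even-offset bytes in the string and have a small stub store the odd-offset bytes into the 0x00 holes at run time. The split-and-fill reconstruction and the sample bytes are the editor's constructed illustration of the general idea; the paper's own decoder stub may differ in detail.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Expand a narrow (ASCII / Latin-1) byte string into UTF-16LE the way an
 * A-to-W conversion does: every input byte becomes the pair (byte, 0x00).
 * Returns the number of output bytes written, or 0 if it does not fit. */
size_t unicode_expand(const unsigned char *in, size_t n,
                      unsigned char *out, size_t cap)
{
    if (cap < 2 * n)
        return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = in[i];
        out[2 * i + 1] = 0x00;
    }
    return 2 * n;
}

/* The "Venetian" constraint on an instruction stream that has to survive the
 * expansion above: every odd offset is 0x00 (inserted by the conversion) and
 * every even offset is non-zero (a NUL would have terminated the narrow
 * string before it was converted).  Returns 1 if deliverable, else 0. */
int venetian_ok(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if ((i & 1) ? (buf[i] != 0x00) : (buf[i] == 0x00))
            return 0;
    }
    return 1;
}

/* Split target shellcode into the half the string itself can carry (bytes at
 * even offsets, delivered as the narrow string and expanded in place) and the
 * half a decoder stub must store into the 0x00 holes afterwards (bytes at odd
 * offsets).  Returns the number of holes, or -1 if an even-offset byte is
 * 0x00 and therefore cannot be carried by a NUL-terminated string. */
int venetian_split(const unsigned char *sc, size_t n,
                   unsigned char *carried, unsigned char *holes)
{
    int nholes = 0;
    for (size_t i = 0; i < n; i++) {
        if (i & 1)
            holes[nholes++] = sc[i];
        else if (sc[i] == 0x00)
            return -1;
        else
            carried[i / 2] = sc[i];
    }
    return nholes;
}

/* Simulate what the decoder stub does at run time: walk the expanded buffer
 * and store one hole byte into each 0x00 slot (a register pointing at the
 * buffer plus a byte store every two bytes).  Returns bytes patched. */
size_t venetian_fill(unsigned char *expanded, size_t n,
                     const unsigned char *holes, size_t nholes)
{
    size_t h = 0;
    for (size_t i = 1; i < n && h < nholes; i += 2)
        expanded[i] = holes[h++];
    return h;
}

/* End-to-end check: does shellcode sc survive split -> expand -> fill
 * unchanged?  Returns 1 on success, 0 if it cannot be carried or does not
 * round-trip.  Even lengths only, to keep the illustration simple. */
int venetian_roundtrip(const unsigned char *sc, size_t n)
{
    unsigned char carried[64], holes[64], buf[128];
    if (n == 0 || n > 64 || (n & 1))
        return 0;
    int nholes = venetian_split(sc, n, carried, holes);
    if (nholes < 0)
        return 0;
    size_t len = unicode_expand(carried, n / 2, buf, sizeof buf);
    if (!venetian_ok(buf, len))
        return 0;
    venetian_fill(buf, len, holes, (size_t)nholes);
    return len == n && memcmp(buf, sc, n) == 0;
}

int main(void)
{
    /* Constructed sample bytes standing in for shellcode; only the layout
     * matters here (even offsets non-zero, odd offsets arbitrary). */
    static const unsigned char sample[] = { 0x31, 0xC0, 0x50, 0x68,
                                            0x2F, 0x2F, 0x73, 0x68 };
    /* Filler that keeps a Venetian stream aligned: 'inc eax' (40) then
     * 'add byte ptr [ebp+0], ch' (00 6D 00), which swallows the next 0x00. */
    static const unsigned char filler[] = { 0x40, 0x00, 0x6D, 0x00 };
    /* 'mov byte ptr [edi], al' (88 07): non-zero second byte, not deliverable. */
    static const unsigned char bad[] = { 0x88, 0x07 };

    printf("filler deliverable: %d\n", venetian_ok(filler, sizeof filler));
    printf("88 07 deliverable:  %d\n", venetian_ok(bad, sizeof bad));
    printf("sample round-trips: %d\n", venetian_roundtrip(sample, sizeof sample));
    return 0;
}
```

The `venetian_split` failure case is the practical caveat: any byte of the real payload that would sit at an even offset must itself be non-zero, since the narrow string cannot carry a NUL, so shellcode has to be chosen or encoded with that in mind before the holes can be filled.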

ADDITIONAL INFORMATION

For the complete article see the following URL:
http://www.nextgenss.com/papers/UNICODEbo.pdf

The information has been provided by Chris Anley.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
