[REVS] Bugger The Debugger

• Previous message: SecuriTeam: "[NEWS] Jar Tool Directory Transversal Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 12 Apr 2005 11:12:07 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Bugger The Debugger
------------------------------------------------------------------------

SUMMARY

The paper linked below will demonstrate methods that may be used by
malware to execute code, simply by being loaded into a debugging session.
This code execution occurs before the debugger passes control back to the
user and therefore cannot be prevented.

DETAILS

Abstract:
The use of debuggers to analyse malicious or otherwise unknown binaries
has become a requirement for reverse engineering executables to help
determine their purpose.

While researchers in places such as anti-virus laboratories have always
done this, with the availability of free and easy to use debuggers it has
also become popular with corporate security officers and home users. One
of the main purposes of a debugger is to allow the user to control the
execution of a binary in such a way as to determine what instructions or
commands the binary is executing. During malware analysis the user can
modify what the binary is trying to execute, or prevent it all together.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:brett.moore@security-assessment.com> Brett Moore.
The original article can be found at:
<http://www.security-assessment.com/Whitepapers/PreDebug.pdf>
http://www.security-assessment.com/Whitepapers/PreDebug.pdf

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Jar Tool Directory Transversal Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [NT] Multiple Vendor Insecure use of CreateProcess() ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Improper use of Windows API command CreateProcess allows attackers to ... until a module is encountered to execute. ... This creates a scenario whereby arbitrary code could be executed. ... (Securiteam) [NT] Switch Off Multiple Vulnerabilities ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Stack-based Buffer Overflow: ... execute arbitrary code on the remote system - possibly with SYSTEM ... boundaries until the ecx register reaches zero (where the ecx was the ... (Securiteam) [NEWS] URL Parsing and Plain Text Password disclosure in Best Buy Employee Toolkit Software ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... entered in the URL area and an attacker could use this to execute a local ... command shell or execute other programs locally stored. ... Store's central server. ... (Securiteam) [UNIX] Open Webmail Remote Command Execution (userstat.pl) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A remote attacker can run arbitrary commands with the web ... The vulnerability was discovered in an obsolete script named userstat.pl ... commands an attacker would want to execute. ... (Securiteam) [UNIX] xloadimage Multiple Vulnerabilities (Buffer Overflow, Command Execution) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... to execute arbitrary commands via malformed images. ... Multiple buffer overflow in xloadimage allow remote attackers to execute ... Under Linux the buffer overflows allow remote attackers to execute ... (Securiteam)