Bugtraq mailing list archives
VML Exploit vs. AV/IPS/IDS signatures
From: avivra <avivra () gmail com>
Date: Tue, 26 Sep 2006 17:04:37 +0300
The code for exploiting the unpatched VML vulnerability is in-the-wild for a week or so. This was enough time for Anti Virus, IPS/IDS and other reactive security products' vendors to create a signature for the in-the-wild exploit. So, I put my hand on one of the in-the-wild and tested it using Virus Total. The results were not so good. Only 10 of 27 Anti-Viruses detected the exploit on the malicious web page. Are those signatures generic enough? I've decided to check it out. I've used 5 simple methods, trying to evade being detected by the signature: 1) I've replaced the location where EIP should jump when the exploit is activated, with a different valid address. 2) I've replaced the VML element from "rect" with one of the other VML elements. 3) I've replaced the payload with a different valid shell code. 4) I've replaced the namespace key with a random key. 5) A combination of all of the above. Please note that when I changed the code using any of the methods, the exploit still worked. More info: http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx -- Aviv.
Current thread:
- VML Exploit vs. AV/IPS/IDS signatures avivra (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures Pukhraj Singh (Sep 26)
- RE: VML Exploit vs. AV/IPS/IDS signatures Aviv Raff (Sep 26)
- Message not available
- Message not available
- Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures Pukhraj Singh (Sep 28)
- RE: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures avivra (Sep 28)
- Message not available
- Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures SanjayR (Sep 29)
- RE: VML Exploit vs. AV/IPS/IDS signatures Aviv Raff (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures Pukhraj Singh (Sep 26)