Dailydave mailing list archives

Remotes and "remotes"


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 10 Apr 2007 15:15:53 -0400


Some notes on MS07-019 - we threw a quick and dirty PoC into Partners
and Kostya and I have looked at it to see what's up.

Three things combine to make it "unexploitable":
DEP, SafeSEH, and character filtering.

DEP by default is on, since this is svchost.exe.
 
According to Immunity Debugger, SafeSEH protects MOST DLLs in the
process, so although you can find a few to jump to...DEP protects the
stack/heap so jumping directly to shellcode is unadvised, and those
DLLs are rarely in the process. Office11, for example, throws an
unprotected DLL into the process, but the filtering prevents you from
reaching it, let alone using it for anything useful.

Filling up the heap MIGHT work, but then DEP screws you again, and the
filter makes your life rather hard even without it.

SANS Diary has it split out into "Servers and Clients", but I notice
that since they have no exploit information at all, they've listed the
UPNP bug as Critical on both clients and servers. Of course, it only
affects XP SP2. This isn't a server OS, so that doesn't make sense
even if it were correct. We can't expect Swa ("the handler on duty" - a
somewhat dirty title, no?) to do vulnerability research on each patch
before posting the criticality of bugs, can we?

My point is this: Not all critical bugs are "Critical".  You can save
a lot of money for a big organization by knowing which bugs are
exploitable, and which ones are not.

And kudos to eEye for the wacky bugs of the month. Those are neat.

- -dave


[1]. Nothing is truly unexploitable, but let's say that any single
exploit costing 150K and 4 months or more to develop into a 30% or
less reliable exploit is "unexploitable". And that's where this one
is, IMHO. Then again, I'm happy to be proved wrong.
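The post's argument rests on which modules in the process actually carry the mitigations (DEP via the NX_COMPAT flag, SafeSEH via the load config directory's handler table). The following is an added example, not Dave's or Immunity's code, of the header check a defender would run over the DLLs of a process to inventory that; the PE32 offsets are the documented ones, and build_sample_pe builds a constructed, synthetic image only so the check can be run offline.

```python
import struct

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100   # image opted in to DEP
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400      # image declares it uses no SEH at all
LOAD_CONFIG_DIR = 10                          # index into the data directories

def _rva_to_off(data: bytes, pe_off: int, rva: int) -> int:
    """Map an RVA to a file offset by walking the section table."""
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec = pe_off + 24 + opt_size
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, sec + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return raw + (rva - va)
    raise ValueError("RVA outside any section")

def audit_pe32(data: bytes) -> dict:
    """Report DEP opt-in, NO_SEH and SafeSEH status from a PE32 image's headers."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 (32-bit) images only")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    safeseh = False
    if ndirs > LOAD_CONFIG_DIR:
        lc_rva, lc_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_DIR)
        # SEHandlerTable/SEHandlerCount sit at +64/+68 of IMAGE_LOAD_CONFIG_DIRECTORY32,
        # so the directory must exist and span at least 72 bytes to carry them.
        if lc_rva and lc_size >= 72:
            table, count = struct.unpack_from("<II", data, _rva_to_off(data, pe_off, lc_rva) + 64)
            safeseh = table != 0 and count > 0
    return {"nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "no_seh": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
            "safeseh": safeseh}

def build_sample_pe(dllchars: int, safeseh: bool) -> bytes:
    """Constructed minimal PE32 (one section, optional load config) for offline testing."""
    img = bytearray(0x400)
    img[:2] = b"MZ"; struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)                      # i386, 1 section
    struct.pack_into("<H", img, 0x54, 224)                            # SizeOfOptionalHeader
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B); struct.pack_into("<H", img, opt + 70, dllchars)
    struct.pack_into("<I", img, opt + 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<8sIIII", img, opt + 224, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    if safeseh:                                                       # load config at RVA 0x1000
        struct.pack_into("<II", img, opt + 96 + 8 * LOAD_CONFIG_DIR, 0x1000, 72)
        struct.pack_into("<I", img, 0x200, 72)                        # Size
        struct.pack_into("<II", img, 0x200 + 64, 0x1048, 1)           # SEHandlerTable, SEHandlerCount
    return bytes(img)
```

A module that reports nx_compat False and safeseh False is the kind the post describes as the rare unprotected DLL in the process.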
