Full Disclosure mailing list archives

Re: Windows .ANI LoadAniIcon Stack Overflow


From: "James Matthews" <nytrokiss () gmail com>
Date: Sun, 1 Apr 2007 18:45:21 -0700

Windows security has always been pockmarked

On 4/1/07, George Ou <george_ou () lanarchitect net> wrote:

"ad () heapoverflow com said:
http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under Vista and the default DEP settings don't catch it."


Default DEP settings in Windows XP or Vista are worthless since it's off for all applications including IE7.  I tested with DEP always-on and it crashed IE7 and the exploit failed.

Note that when you manually launch an HTML from your hard drive, Protected Mode is turned off because your HDD is considered a trusted source whereas the public Internet is not.  If I had tried to browse a webpage with this exploit, Protected Mode would have been turned on.  I also had to manually bypass the ActiveX warning to get the exploit to run and even then it crashed with my fully-on DEP settings with hardware enforcement.

I don't really feel like turning off my DEP settings on my Vista machine, though I have a feeling that UAC would prevent it from rooting my system, though it could probably damage my files if it were coded to do that.  But I had to go out of my way to get this exploit to run by manually downloading the zip and manually enabling the ActiveX control just to get it to crash my browser.

So I think it's fair to say that hardware-enforced fully-enabled DEP will defeat the ANI exploit (in the current generic state) all by itself.  Protected Mode would have also mitigated the ANI exploit to a low-risk state that is non-persistent as soon as IE is closed.

So with Protected Mode turned off and DEP not fully enabled (or missing NX hardware), the ANI exploit would be able to compromise the local user profile and data, but it would still need to get around UAC if it wants to put a backdoor in Vista.



George

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com
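The thread above turns on one configuration question: is DEP merely "opt-in" (the default George calls worthless, covering only Windows system binaries) or "always on" with hardware NX enforcement. The script below is an added example for checking that, not code from the thread or from any of its authors. It assumes a modern PowerShell (3.0 or later, for Get-CimInstance and the -in operator) and relies only on the documented DEP properties of the Win32_OperatingSystem WMI class; the policy-name table and the warning thresholds are this example's own.

```powershell
# Added example: audit the system-wide DEP policy discussed in the thread.
# Assumes PowerShell 3.0+ and the documented Win32_OperatingSystem DEP properties.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# DataExecutionPrevention_SupportPolicy values as documented by Microsoft:
#   0 = AlwaysOff  - DEP disabled for everything
#   1 = AlwaysOn   - every process covered, no exceptions possible
#   2 = OptIn      - only Windows system binaries and processes that opt in
#                    (the client-SKU default the message describes as "off")
#   3 = OptOut     - every process except an explicit exception list
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

# Summarise the posture in one object so it can be collected from many hosts.
$report = [pscustomobject]@{
    ComputerName        = $os.CSName
    HardwareNxAvailable = $os.DataExecutionPrevention_Available
    Policy              = $policyNames[$policy]
    Covers32BitApps     = $os.DataExecutionPrevention_32BitApplications
    CoversDrivers       = $os.DataExecutionPrevention_Drivers
}
$report

# Flag the two states in which a third-party or browser process is not
# guaranteed to be protected: no NX hardware at all, or an opt-in/off policy.
if (-not $os.DataExecutionPrevention_Available) {
    Write-Warning 'No hardware NX/XD support reported; DEP cannot be hardware-enforced here.'
} elseif ($policy -in 0, 2) {
    Write-Warning ("DEP policy is {0}: processes outside the system set are not necessarily covered. " +
                   "Switching to AlwaysOn is done with 'bcdedit /set nx AlwaysOn' followed by a reboot.") -f $policyNames[$policy]
} else {
    Write-Output ("DEP policy is {0}: all processes are covered by hardware-enforced DEP." -f $policyNames[$policy])
}
```

Run it from an elevated prompt if you intend to act on the result, since changing the policy with bcdedit requires administrator rights. Note the caveat the thread itself raises: AlwaysOn is the only setting that leaves no room for a process to run unprotected, whereas OptOut still honours per-application exceptions.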
