
OpenRCE Article Comments: Technical Analysis of MS06-001

Article Abstract

Microsoft Windows is vulnerable to remote code execution in GDI32.dll (Graphical Device Interface). This vulnerability was assigned Microsoft security bulletin MS06-001, "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)". An exploit for this vulnerability was found in the wild by Websense Security Labs on 12/27/2005.

This vulnerability was exploited in the wild as early as 12/15/2005 to install various malicious programs. In order to successfully exploit this vulnerability, an attacker is only required to lure the victim to an infected website. The number of websites currently hosting malicious code has steadily increased since the exploit was made public.

In this article, Stephan Chenette walks through the disassembly of GDI32.dll, providing a detailed analysis of the code flow leading to the vulnerability. Readers are expected to be familiar with x86 assembly instructions to follow this document.


Article Comments
MohammadHosein Posted: Wednesday, February 15 2006 14:08.19 CST
Thank you for this detailed and technical article. I would like to know if Pedram's Process Stalker has anything to say about this vuln or what ...

stephanc Posted: Monday, February 20 2006 12:19.50 CST
Mohammad,

I'm glad you enjoyed the article.

To answer your question:
I've used Process Stalker when I want to focus on code that runs in a particular scenario. It helps in analyzing that binary, but the code auditor still needs to recognize the vulnerability or bug.

In this particular case, Process Stalker could have been used to filter out the code that was run when a WMF file was loaded; then the code auditor would have to look through that filtered code.

Most code auditors would be looking for "common" security vulnerabilities (buffer overflows, heap overflows, integer overflows, etc.); I'm guessing most auditors would miss this particular find. This section of code and the flow look like a legitimate save and execution of a callback function. The auditor would have had to track back the callback function to see that the function actually was saved from the WMF input file itself.

So, as much help as Process Stalker is in trimming out the useless code to look through ... it's still up to the code auditor to recognize the vulns/bugs.
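As an added, defender-side example (not code from the article, from stephanc, or from OpenRCE), here is a small Python record walker that parses a WMF record stream the way the comment above describes and flags the Escape record that registers an abort callback, the construct MS06-001 turns into code execution. It assumes the MS-WMF layout (optional 22-byte placeable header, 18-byte META_HEADER, records prefixed by a 32-bit size in 16-bit words and a 16-bit function code, META_ESCAPE = 0x0626, SETABORTPROC = 9) and builds its own constructed sample files; matching on the low byte of the function code is an assumption about lenient parsers and can be tightened to an exact compare.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header (MS-WMF constants, not from the article)
META_EOF = 0x0000
META_ESCAPE = 0x0626           # GDI Escape record
SETABORTPROC = 0x0009          # Escape function that registers an abort callback

def wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated META_HEADER")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2                        # HeaderSize is in 16-bit words (9)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                      # RecordSize includes the 6-byte prefix
        if size < 6 or off + size > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6 : off + size]
        if func == META_EOF:
            return
        off += size

def find_abortproc_escapes(data):
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        # Low byte is the record opcode; the high byte is conventionally a parameter-count hint (assumption).
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and len(params) >= 4:
            escape_fn, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                hits.append(off)
    return hits

def _record(func, params):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_sample(with_abortproc):
    """Constructed minimal WMF for testing; not a file taken from the wild."""
    recs = b""
    if with_abortproc:   # escape data is eight zero bytes, a placeholder
        recs += _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8)
    recs += _record(0x041F, struct.pack("<HHHH", 0x00FF, 0, 0, 0))   # benign META_SETPIXEL
    recs += _record(META_EOF, b"")
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(recs)) // 2, 0, 9, 0)
    return header + recs
```

Run it over a directory of WMF files and treat any non-empty result as worth a closer look; a hard ValueError on a malformed size is itself a useful signal.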

sefo Posted: Saturday, March 4 2006 05:42.35 CST
For a description of the exploit itself:
http://www.osix.net/modules/article/?id=783

