OpenRCE Article Comments: Technical Analysis of MS06-001

Article Abstract

Microsoft Windows is vulnerable to remote code execution in GDI32.dll (Graphical Device Interface). This vulnerability was assigned Microsoft security bulletin MS06-001, "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution" (912919). An exploit for this vulnerability was found in the wild by Websense Security Labs on 12/27/2005.

This vulnerability was exploited in the wild as early as 12/15/2005 to install various malicious programs. In order to successfully exploit this vulnerability, an attacker is only required to lure the victim to an infected website. The number of websites currently hosting malicious code has steadily increased since the exploit was made public.

In this article, Stephan Chenette walks through the disassembly of GDI32.dll, providing a detailed analysis of the code flow leading to the vulnerability. Readers are expected to be familiar with x86 assembly instructions to follow this document.

Article Comments
MohammadHosein Posted: Wednesday, February 15 2006 14:08.19 CST
Thank you for this detailed and technical article. I would like to know if Pedram's Process Stalker has anything to say about this vuln or what...

stephanc Posted: Monday, February 20 2006 12:19.50 CST
Mohammad,

I'm glad you enjoyed the article.

To answer your question:
I've used process stalker when I want to focus on code that runs in a particular scenario. It helps in analyzing that binary, but the code auditor still needs to recognize the vulnerability or bug.

In this particular case, process stalker could have been used to filter out code that was run when a wmf file was loaded, then the code auditor would have to look through that filtered code.

Most code auditors would be looking for "common" security vulnerabilities (buffer overflows, heap overflows, integer overflows, etc.); I'm guessing most auditors would miss this particular find. This section of code and its flow looks like a legitimate save and execution of a callback function. The auditor would have had to track back the callback function to see that the function actually was saved from the WMF input file itself.

So, as much help as process stalker is in trimming out the useless code to look through...it's still up to the code auditor to recognize the vulns/bugs.

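As an added, defender-side example that is not part of the article or of any comment above: a small Python scanner that walks the records of a WMF file and flags Escape records whose sub-function is SETABORTPROC, the GDI escape that installs the abort-procedure callback the comment refers to. The record and escape constants come from the Windows wingdi.h headers; the WMF samples are constructed inline for the demonstration and the scanner assumes a standard 18-byte header (optionally preceded by the 22-byte placeable header, whose checksum it does not validate).

```python
import struct

# Constants from the Windows GDI headers (wingdi.h); not quoted on the page.
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_SAVEDC = 0x001E
META_ESCAPE = 0x0626         # Escape record: params = EscapeFunction, ByteCount, data
SETABORTPROC = 0x0009        # escape sub-function that installs an abort callback


def parse_wmf_records(data: bytes):
    """Yield (offset, function, params) for every record in a WMF byte string.

    Header and record sizes in WMF are counted in 16-bit words. The placeable
    header's checksum is not validated here (assumed irrelevant for the scan).
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_size_words = struct.unpack_from("<H", data, off + 2)[0]
    if header_size_words != 9:                     # standard header is 9 words
        raise ValueError("unexpected WMF header size")
    off += header_size_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                         # size covers its own 6 bytes
            raise ValueError(f"invalid record size at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data: bytes):
    """Return the offsets of Escape records that request SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape_function = struct.unpack_from("<H", params, 0)[0]
            if escape_function == SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed sample input (not a real file from the page) ---------------

def make_record(func: int, params: bytes = b"") -> bytes:
    """Build one WMF record; records are padded to a word boundary."""
    params += b"\x00" * (len(params) % 2)
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable: bool = False) -> bytes:
    """Assemble a minimal memory metafile around the given records."""
    body = b"".join(records)
    max_record_words = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_record_words, 0)
    prefix = b""
    if placeable:
        # key, handle, bounding box (4 x int16), inch, reserved, checksum (left 0)
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0)
    return prefix + header + body


BENIGN = build_wmf([make_record(META_SAVEDC), make_record(META_EOF)])

# Escape record carrying SETABORTPROC with four filler bytes ("ABCD") as the
# escape data: enough for the scanner to flag it, nothing else.
_FLAGGED_RECORDS = [
    make_record(META_SAVEDC),
    make_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"ABCD"),
    make_record(META_EOF),
]
SUSPICIOUS = build_wmf(_FLAGGED_RECORDS)
SUSPICIOUS_PLACEABLE = build_wmf(_FLAGGED_RECORDS, placeable=True)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, find_setabortproc(sample))   # benign [] / suspicious [24]
```

The scanner rejects truncated or oversized records instead of reading past the buffer, which is the usual failure mode of hand-written metafile walkers; a content filter or mail gateway would treat any hit as reason to quarantine the file, since a metafile has no legitimate reason to install an abort procedure.
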
sefo Posted: Saturday, March 4 2006 05:42.35 CST
For a description of the exploit itself:
http://www.osix.net/modules/article/?id=783