MS06-022
Rhys (Faithless) <rhyskiddgmailcom> Wednesday, June 14 2006 14:30.33 CDT


The MS06-022 .art patch is a pretty good example to use if you want to test the waters in running some binary patch analysis.

The replaced files (jgpl400.dll & jgdw400.dll) are both tiny, and you can follow the code flow pretty easily. The guts of the patch is in jgpl400.dll, as the functions in the two versions of jgdw400.dll haven't actually changed.

I've got a comparison of the JgpStartUp code from jgpl400.dll where you can see the calls to JgAStartUp, JgMDStartUP and sub_65B93190 have been dropped.

As .art is effectively a compression algorithm, I'd expect the flaw to exist as a basic stack overflow, probably occurring through manipulation of an int read from the file used to allocate a buffer into which decompressed data is written. There is also a good deal of conditional _CxxThrowException calls that are now included. It looks like VERY old code, and there's little need for it to remain in use. I could only find two example .art files and very sparse documentation on this AOL format.
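An added illustration of the pattern speculated about above (not code from this post or from the .art decoder): a dimension field read from the file sizes a buffer, and 32-bit arithmetic on it can wrap so the allocation is smaller than the data later written into it. The header layout, the 4-bytes-per-pixel assumption, the function names and the sample headers are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a decoder that reads dimensions from the file, sizes a
 * buffer from them, then copies decompressed pixels into it. Field layout and
 * names are invented; this is not the real .art parser. */

/* Little-endian 32-bit read from the untrusted file header. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive sizing: width * height * 4 in 32-bit arithmetic. A crafted header
 * makes the product wrap to a small value, so the allocation ends up far
 * smaller than the pixel data the decoder later copies into it. */
uint32_t naive_image_bytes(const uint8_t *hdr) {
    uint32_t w = rd32(hdr), h = rd32(hdr + 4);
    return w * h * 4;
}

/* Checked sizing: reject truncated headers, zero or oversized dimensions,
 * and any product that could not fit in size_t. Returns the byte count,
 * or -1 if the header is rejected. */
#define MAX_DIM 65535u
long long checked_image_bytes(const uint8_t *hdr, size_t hdr_len) {
    if (hdr_len < 8) return -1;                      /* truncated header */
    uint32_t w = rd32(hdr), h = rd32(hdr + 4);
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return -1;
    uint64_t px = (uint64_t)w * h;                   /* at most ~2^32 */
    if (px > SIZE_MAX / 4) return -1;                /* 32-bit size_t guard */
    return (long long)(px * 4);
}

/* Copy decoded pixels into a buffer sized from the checked header, refusing
 * any write that exceeds it. Returns bytes stored, or -1 on rejection. */
long long store_pixels(const uint8_t *hdr, size_t hdr_len,
                       const uint8_t *pixels, size_t npixels) {
    long long need = checked_image_bytes(hdr, hdr_len);
    if (need < 0 || npixels > (size_t)need) return -1;
    uint8_t *buf = malloc((size_t)need);
    if (!buf) return -1;
    memcpy(buf, pixels, npixels);                    /* bounded by need */
    free(buf);
    return (long long)npixels;
}

/* Constructed samples: a 4x4 header, a 65536x65536 header whose 32-bit
 * product wraps to zero, and a pixel buffer one byte larger than 4x4x4. */
const uint8_t SAMPLE_OK_HDR[8]  = {4,0,0,0, 4,0,0,0};
const uint8_t SAMPLE_BAD_HDR[8] = {0,0,1,0, 0,0,1,0};
const uint8_t SAMPLE_PIXELS[65] = {0};
```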

Microsoft has seen that .art's time has passed too: if you apply the MS06-021 patch as well, .art support is removed from IE completely.

I've also been looking at Malbolge, the programming language from hell lately. Hopefully there will be an article out of it that delves into Malbolge, and announces some tools.
