Comments on ADD / XOR / ROL (halvar.flake, http://www.blogger.com/profile/12486016980670992738)

Comment by Raj (https://www.blogger.com/profile/10630760564221599228), 2008-12-04 08:49 -08:00:

The vulnerability described in MS08-067 was discovered a couple of weeks before the Security Bulletin was released. This vulnerability was discovered as part of the research activity on possible malware exploitation of Windows XP. Once Microsoft felt that the vulnerability in the Server service was "WORMABLE", on October 23, 2008 they came up with Security Bulletin MS08-067 for the said problem. Even within this short time span we have already seen three malware samples that are exploiting this CRITICAL vulnerability.

Trojan.Gimmiv.A was discovered on 24 October 2008
http://www.symantec.com/en/ph/enterprise/security_response/writeup.jsp?docid=2008-102320-3122-99

W32.Wecorl was discovered on November 2, 2008
http://www.symantec.com/security_response/writeup.jsp?docid=2008-110306-2212-99

W32.Downadup was discovered on November 24, 2008
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

Moreover, also look at the dates and see the count of the viruses that have come out in the wild as soon as the vulnerability was made public...

In short... is it by any means possible that "Patch Based Exploit Generation" has started?
Although it may seem very unlikely, what if it really did start?

Comment by Mark (https://www.blogger.com/profile/12526059151966597203), 2008-04-25 11:52 -07:00:

I agree that the terminology in the paper is a bit misleading (they say "exploit" but mostly mean "vulnerability trigger").

However, in section 4.1 they do mention how they can (manually) specify specific memory addresses to be overwritten, and the solver will generate input that meets this condition. So this could be used to generate a partial exploit that overwrites some program-control structure with a user-controlled value. Not a fully-working exploit, but a bit further along than just a crash :)

One thing they also down-play a bit is that the "safety policy" needs to be tailored to the vulnerability, and they do not have policies for all classes of vulns (e.g. the IGMP CPU DoS, or the ASP.Net issue).

So, while their paper definitely is a step forward towards automatic exploit generation, there is still a lot of know-how and manual intervention required.
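The following is an added illustration of the mechanism Mark's comment describes, not code from the paper, from the commenters, or from this blog. It models a constructed toy message handler with a fixed 64-byte buffer followed by a 4-byte control slot; the "patch" is an added length check. The generator combines three kinds of constraints (the path reaching the patched check, the negation of the check the patch introduced, and the attacker-chosen requirement that specific bytes land in the control slot, which is the section 4.1 idea) and hands them to a solver. The solver here is a plain backtracking search over byte values, standing in for the SMT solver the paper uses; the message layout, magic byte, checksum rule and slot position are all assumptions made for this example.

```python
"""Added example: patch-based input generation against a constructed toy handler."""
from typing import Callable, Dict, List, Optional, Tuple

BUF_SIZE = 64        # assumed fixed-size buffer in the toy frame
SLOT_LEN = 4         # assumed control slot (think "saved pointer") right after the buffer
MAGIC = 0x4D         # assumed protocol magic byte


class ToyFrame:
    """Stack-frame stand-in: a 64-byte buffer followed by a 4-byte control slot."""

    def __init__(self) -> None:
        self.buf = bytearray(BUF_SIZE)
        self.slot = bytearray(SLOT_LEN)

    def write(self, data: bytes) -> None:
        # Unchecked copy: bytes beyond the buffer spill into the control slot.
        for i, b in enumerate(data):
            if i < BUF_SIZE:
                self.buf[i] = b
            elif i - BUF_SIZE < SLOT_LEN:
                self.slot[i - BUF_SIZE] = b
            else:
                break  # beyond the modelled frame; ignored in this toy


def _parse(msg: bytes) -> Optional[Tuple[int, bytes]]:
    """Shared path constraints: magic, length byte, payload, trailing checksum."""
    if len(msg) < 3 or msg[0] != MAGIC:
        return None
    n = msg[1]
    if len(msg) != 3 + n or msg[2 + n] != (sum(msg[:2 + n]) & 0xFF):
        return None
    return n, msg[2:2 + n]


def handle_unpatched(msg: bytes) -> Optional[ToyFrame]:
    """Pre-patch handler: copies the payload with no bound on n."""
    parsed = _parse(msg)
    if parsed is None:
        return None
    frame = ToyFrame()
    frame.write(parsed[1])
    return frame


def handle_patched(msg: bytes) -> Optional[ToyFrame]:
    """Post-patch handler: identical, except for the one check the patch added."""
    parsed = _parse(msg)
    if parsed is None or parsed[0] > BUF_SIZE:   # <-- the added check
        return None
    frame = ToyFrame()
    frame.write(parsed[1])
    return frame


# A constraint is (highest byte index it reads, predicate over the partial message).
Constraint = Tuple[int, Callable[[List[int]], bool]]


def solve(length: int, constraints: List[Constraint]) -> Optional[bytes]:
    """Backtracking search over byte values 0..255; each constraint is checked as
    soon as every byte it reads has been assigned. Stand-in for an SMT solver."""
    msg = [0] * length
    by_index: Dict[int, List[Callable[[List[int]], bool]]] = {}
    for idx, pred in constraints:
        by_index.setdefault(idx, []).append(pred)

    def assign(i: int) -> bool:
        if i == length:
            return True
        for v in range(256):
            msg[i] = v
            if all(p(msg) for p in by_index.get(i, [])) and assign(i + 1):
                return True
        return False

    return bytes(msg) if assign(0) else None


def generate_input(target: bytes) -> Optional[bytes]:
    """Build the constraint set from (1) the path to the patched check, (2) the
    negated patch condition, (3) the attacker's goal for the control slot."""
    assert len(target) == SLOT_LEN
    for n in range(256):                       # the length byte's whole domain
        if not (n > BUF_SIZE and n >= BUF_SIZE + SLOT_LEN):   # (2) and reach of (3)
            continue
        cons: List[Constraint] = [
            (0, lambda m: m[0] == MAGIC),                       # (1)
            (1, lambda m, n=n: m[1] == n),                      # (2)
        ]
        for k, tb in enumerate(target):                        # (3): slot bytes
            pos = 2 + BUF_SIZE + k
            cons.append((pos, lambda m, pos=pos, tb=tb: m[pos] == tb))
        cons.append((2 + n, lambda m, n=n: m[2 + n] == (sum(m[:2 + n]) & 0xFF)))  # (1)
        sol = solve(3 + n, cons)
        if sol is not None:
            return sol
    return None


if __name__ == "__main__":
    want = b"\xEF\xBE\xAD\xDE"   # constructed attacker-chosen slot value
    crafted = generate_input(want)
    print("crafted:", crafted.hex())
    print("unpatched slot:", handle_unpatched(crafted).slot.hex())
    print("patched accepts:", handle_patched(crafted) is not None)
```

The generated message is exactly what the comment calls a partial exploit: the unpatched handler ends up with the attacker's four bytes in the control slot, the patched handler rejects the same message, and nothing here turns that overwrite into code execution. Note also that the goal constraint (3) had to be written by hand for this buffer layout, which is the tailoring the comment says the paper under-plays.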