Full Disclosure: Re: [funsec] Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for setSlice()]

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: [funsec] Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for setSlice()]

From: Alexander Sotirov <asotirov () determina com>
Date: Wed, 04 Oct 2006 11:39:57 -0700

Gadi Evron wrote:

Our (ZERT's) VML patch was what you refer to as "real". There was space
issue with not enough bytes to play with, so Gil Dabah, one of our
members, re-wrote the vulnerable function in Yasm, compiled it, and
hard-coded the compiled code into the binary, with room to spare, saving
functionality. Code crunching is back in style. :)


Rewriting the entire function in asm is a lot of unnecessary effort. Why didn't
you add a simple length check and a 5-byte jump to it in the vulnerable function?

Patch right before the call to _IE5_SHADETYPE_TEXT::TOKENS::Ptok, check the
length of the string, and you're done. Or you can patch the copy loop and count
the characters there. It's easier and safer than rewriting the function.

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for setSlice()] Gadi Evron (Oct 04)
- Re: [funsec] Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for setSlice()] Alexander Sotirov (Oct 04)
  - Re: [funsec] Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for setSlice()] Gadi Evron (Oct 08)