Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Matthew Conover | 22 Jan 2007 08:00:00 GMT | 0 comments

Continued from Part 1...

Exploiting double free vulnerabilities: Case 1

The first way that a double free vulnerability can be exploited is when the first free puts the chunk on the Lookaside (which the Windows heap implementation tries to use before the FreeList since it's more efficient). When a chunk is freed to the Lookaside, the Chunk is still marked as busy (that is, Chunk.Flags & BUSY_FLAG is set) to prevent the chunk from being coalesced with the previous/next chunk. That's because entries on the Lookasidelist are meant to be a fast allocate/deallocate (akin to "fast bins" inthe GLIBC and related Unix heap implementations). By contrast, entrieson the FreeList are frequentlycoalesced when a chunk is being freed and the chunk before/after it isalso free (to make larger contiguous chunks of memory available...

Amado Hidalgo | 22 Jan 2007 08:00:00 GMT | 0 comments

Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.

The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:

peacomm_port7871-SRC_IPs.jpeg
Figure 1. IPs originating activity - UDP port 7871

More interestingly, the new version of the threat has...

Amado Hidalgo | 19 Jan 2007 08:00:00 GMT | 0 comments

Symantec Security Response has seen some moderate spamming of a new Trojan horse. The threat arrived in an email with an empty body and a variety of subjects such as:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

The attachment is not a video clip, but a Trojan horse program, which Symantec heuristic technology already detected as...

Amado Hidalgo | 19 Jan 2007 08:00:00 GMT | 0 comments

Symantec Security Response has seen some moderate spamming of a new Trojan horse. The threat arrived in an email with an empty body and a variety of subjects such as:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

The attachment is not a video clip, but a Trojan horse program, which Symantec heuristic technology already detected as...

Matthew Conover | 19 Jan 2007 08:00:00 GMT | 0 comments

In light of the recent CSRSS double free bug, I wanted to providesome information on the exploitation of double frees on Windows on XPSP2 and later. Prior to XP SP2, double frees were trivial to exploit,but now the security cookie (in each heap chunk) and safe unlinkingchecks make it more difficult to exploit. So this blog entry willdiscuss the exploitability on XP SP2 and later heap implements.

Note: If you're not familiar with Windows heap terminology, pleasereview the slides from our CanSecWest 2004 heap presentation, archivedhere: http://www.cybertech.net/~sh0ksh0k/projects/winheap.

Oded Horovitz and I did not look into this topic much in ouroriginal presentation on Reliable Windows Heap Exploitation atCanSecWest 2004. Later that same year, I discussed how to defeat thesafe unlinking check at SyScan 2004, but I did not consider itsrelevance to double free...

Amado Hidalgo | 19 Jan 2007 08:00:00 GMT | 0 comments

Symantec Security Response has seen some moderate spamming of a new Trojan horse. The threat arrived in an email with an empty body and a variety of subjects such as:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

The attachment is not a video clip, but a Trojan horse program, which Symantec heuristic technology already detected as...

Greg Ahmad | 18 Jan 2007 08:00:00 GMT | 0 comments

In my previous post,I talked about the sudden rise in vulnerabilities affecting ActiveXcontrols. In this post, I would like to talk a bit about the technologybehind ActiveX and various steps that may be taken to prevent attacks.

An ActiveX control is essentially an Object Linking and Embedding(OLE) object. OLE allows objects to be shared using Component ObjectModel (COM) technology, which is a model that permits softwarecomponents to communicate with each other. Distributed COM (DCOM) is anextension of COM that allows for the sharing of components over anetwork. ActiveX technology essentially facilitates the functionalityof OLE on the World Wide Web. The controls can run on platforms thatsupport COM or DCOM.

According to Microsoft, ActiveX controls must provide an interface named “...

Greg Ahmad | 18 Jan 2007 08:00:00 GMT | 0 comments

In my previous post, I talked about the sudden rise in vulnerabilities affecting ActiveX controls. In this post, I would like to talk a bit about the technology behind ActiveX and various steps that may be taken to prevent attacks.

An ActiveX control is essentially an Object Linking and Embedding (OLE) object. OLE allows objects to be shared using Component Object Model (COM) technology, which is a model that permits software components to communicate with each other. Distributed COM (DCOM) is an extension of COM that allows for the sharing of components over a network. ActiveX technology essentially facilitates the functionality of OLE on the World Wide Web. The controls can run on platforms that support COM or DCOM.

According to Microsoft, ActiveX controls must provide an interface named “...

Peter Ferrie | 17 Jan 2007 08:00:00 GMT | 0 comments

Last year, I found a curious bug in Windows regarding the handlingof certain invalid opcode sequences. At the time, I simply documentedit and then forgot about it. Recently, however, I was reminded of thebug, so I thought that other people might be interested in readingabout it.

Because of the way in which the Intel x86 architecture works, whenan invalid opcode exception occurs, there is no easy way to tell why itoccurred. By this, I mean that without actually looking at the faultingopcode sequence, it's not possible to tell the difference between anunsupported opcode and an invalid use of the LOCK prefix. For thisreason, Windows runs this code:

mov ecx, 4 ;maximum prefix count
look_op:
mov al, byte ptr es:[esi] ;points to faulting opcode sequence
cmp al, f0h ;looks like LOCK?
je op_lock ;yes
add esi, 1 ;no, continue with next byte
loop look_op...

Greg Ahmad | 16 Jan 2007 08:00:00 GMT | 0 comments

The year 2006 saw the rise of numeroussecurity trends such as attacks against social networks, initiatives byresearchers to sequentially disclose many flaws in Web browsers andoperating system kernels, attacks being used for financial gain, and adramatic increase in the number of vulnerabilities affecting Webapplications. During the last few months of the year, I have noticedanother trend that did not receive much attention. There has been asignificant increase in the vulnerabilities that affect ActiveXcontrols. These vulnerabilities can facilitate an assortment of attacksthat may simply cause the disclosure of sensitive information to anattacker or, in the worst-case scenario, allow them to execute code togain unauthorized access to an affected computer.

During the last few years there has been an increase in the numberof vulnerabilities affecting ActiveX controls shipped by variousvendors. In the year 2001, DeepSight Alert Services reported a singlevulnerability...