http://blogs.securiteam.com/index.php/archives/184
==== cut ====
So, Microsoft released a patch ahead of schedule. We can only applaud that.
But what does that patch do?
Exactly what Ilfak Guilfanov’s patch did, only he built it in a few hours (plus some testing).
Microsoft disallowed SETABORT. Same as Ilfak’s… rearranged a bit. See for yourselves below. If that is the best solution, we see no harm in that either. It just seems that MS06-001 is Ilfak’s patch in a prettier outfit.
We understand the need for extensive testing, so the time differential in this case can be accepted. And yet…
The new patch was released today. After patching, the new gdi32.dll is dated the 28th of December. What’s the date today?
What’s that all about? It makes you wonder, doesn’t it?
Well, why don’t you see for yourselves? Here is what Microsoft did, as bindiff shows.
Old GDI32 has the bug here:
.text:77F24914 movzx eax, word ptr [ebx+6]
.text:77F24918 cmp eax, 0Fh
.text:77F2491B jz loc_77F25067 ; default
.text:77F24921 push 0 ; LPVOID
.text:77F24923 lea ecx, [ebx+0Ah]
.text:77F24926 push ecx ; LPCSTR
.text:77F24927 movzx ecx, word ptr [ebx+8]
.text:77F2492B push ecx ; int
.text:77F2492C push eax ; int
.text:77F2492D push dword ptr [ebp-7Ch] ; HDC
.text:77F24930 call Escape
.text:77F24935 jmp loc_77F23F23
The patched GDI32.DLL contains this code instead:
.text:77F24914 movzx ecx, word ptr [ebx+6]
.text:77F24918 push ecx
.text:77F24919 call _IsAllowedWmfEscape@4 ; IsAllowedWmfEscape(x)
.text:77F2491E test eax, eax
.text:77F24920 jz loc_77F2506C ; default
.text:77F24926 push 0 ; LPVOID
.text:77F24928 lea eax, [ebx+0Ah]
.text:77F2492B push eax ; LPCSTR
.text:77F2492C movzx eax, word ptr [ebx+8]
.text:77F24930 push eax ; int
.text:77F24931 push ecx ; int
.text:77F24932 push [ebp+var_7C] ; HDC
.text:77F24935 call _Escape@20 ; Escape(x,x,x,x,x)
.text:77F2493A jmp loc_77F23F23
… and the new function itself:
.text:77F42D66 ; __stdcall IsAllowedWmfEscape(x)
.text:77F42D66 _IsAllowedWmfEscape@4 proc near ; CODE XREF: PlayMetaFileRecord(x,x,x,x)+ACDp
.text:77F42D66
.text:77F42D66 arg_0 = dword ptr 8
.text:77F42D66
.text:77F42D66 mov edi, edi
.text:77F42D68 push ebp
.text:77F42D69 mov ebp, esp
.text:77F42D6B xor eax, eax
.text:77F42D6D cmp [ebp+arg_0], 9
.text:77F42D71 jz short loc_77F42D7A
.text:77F42D73 cmp [ebp+arg_0], 0Fh
.text:77F42D77 jz short loc_77F42D7A
.text:77F42D79 inc eax
.text:77F42D7A
.text:77F42D7A loc_77F42D7A: ; CODE XREF: IsAllowedWmfEscape(x)+Bj
.text:77F42D7A ; IsAllowedWmfEscape(x)+11j
.text:77F42D7A pop ebp
.text:77F42D7B retn 4
.text:77F42D7B _IsAllowedWmfEscape@4 endp
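To make the two listings above easier to compare, here is an added C re-statement of the check (example code written for this page, not code from the post, from Ilfak or from Microsoft). It mirrors the old "cmp eax, 0Fh / jz default" test and the patched _IsAllowedWmfEscape@4 step by step, then runs both over a small constructed WMF record stream laid out the way the disassembly indexes off ebx (rdSize at +0, rdFunction at +4, escape number at +6, cbInput at +8, data at +0Ah). The record values, the 0x0626 META_ESCAPE function number and the escape names SETABORTPROC (9) and MFCOMMENT (0Fh) are assumptions from the WMF format, not from the page; the parser also refuses records whose declared byte count does not fit, which the original dispatch code never checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <assert.h>

#define META_ESCAPE  0x0626u /* rdFunction of a WMF escape record (assumed)   */
#define META_EOF     0x0000u /* rdFunction of the end-of-file record (assumed)*/
#define SETABORTPROC 9u      /* escape 9: the value the patched code refuses  */
#define MFCOMMENT    15u     /* escape 0Fh: already skipped by the old code   */

/* Little-endian field helpers, so the sample stream is host-independent. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Old GDI32 (first listing): only 0Fh jumps to "default"; all else reaches Escape(). */
int old_escape_allowed(uint16_t escape)
{
    return escape != MFCOMMENT;
}

/* Patched GDI32, following _IsAllowedWmfEscape@4 instruction for instruction:
 * xor eax,eax; cmp arg,9 / jz out; cmp arg,0Fh / jz out; inc eax; out: retn 4. */
int IsAllowedWmfEscape(uint16_t escape)
{
    int eax = 0;
    if (escape == SETABORTPROC || escape == MFCOMMENT)
        return eax;
    eax++;
    return eax;
}

typedef struct {
    uint32_t size_words;  /* ebx+0: record size in WORDs                 */
    uint16_t function;    /* ebx+4: rdFunction                           */
    uint16_t escape;      /* ebx+6: escape number pushed as nEscape      */
    uint16_t cb_input;    /* ebx+8: byte count pushed as cbInput         */
} wmf_record;

/* Parse the record at `off`; returns 0 if it does not fit in the buffer or its
 * declared byte count exceeds the record, so a truncated record is never dispatched. */
static int read_record(const uint8_t *buf, size_t len, size_t off, wmf_record *r)
{
    if (off + 6 > len) return 0;
    r->size_words = rd32(buf + off);
    r->function = rd16(buf + off + 4);
    size_t bytes = (size_t)r->size_words * 2;
    if (bytes < 6 || bytes > len - off) return 0;
    r->escape = r->cb_input = 0;
    if (r->function == META_ESCAPE) {
        if (bytes < 10) return 0;
        r->escape = rd16(buf + off + 6);
        r->cb_input = rd16(buf + off + 8);
        if ((size_t)r->cb_input > bytes - 10) return 0;
    }
    return 1;
}

/* Count the escape records a given filter would forward to
 * Escape(hdc, nEscape, cbInput, lpInData, NULL). Stops at META_EOF or a bad record. */
int count_dispatched_escapes(const uint8_t *buf, size_t len, int (*allowed)(uint16_t))
{
    size_t off = 0;
    int dispatched = 0;
    wmf_record r;
    while (read_record(buf, len, off, &r)) {
        if (r.function == META_EOF) break;
        if (r.function == META_ESCAPE && allowed(r.escape))
            dispatched++;
        off += (size_t)r.size_words * 2;
    }
    return dispatched;
}

/* Constructed sample (not from any real file): escape records numbered 1, 9, 10
 * and 15, each with two payload bytes, then META_EOF. Returns bytes written. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint16_t escapes[4] = { 1, SETABORTPROC, 10, MFCOMMENT };
    size_t off = 0;
    if (cap < 4 * 12 + 6) return 0;
    for (int i = 0; i < 4; i++) {
        wr32(out + off, 6);                 /* 12 bytes = 6 WORDs */
        wr16(out + off + 4, META_ESCAPE);
        wr16(out + off + 6, escapes[i]);
        wr16(out + off + 8, 2);             /* cbInput */
        out[off + 10] = 0xAA; out[off + 11] = 0xBB;
        off += 12;
    }
    wr32(out + off, 3);                     /* META_EOF: 6 bytes = 3 WORDs */
    wr16(out + off + 4, META_EOF);
    return off + 6;
}

/* Dispatch count for the sample under the old (0) or patched (1) filter,
 * optionally after cutting the stream to `limit` bytes (0 = whole stream). */
int sample_dispatch_count(int patched, size_t limit)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, sizeof buf);
    if (limit && limit < n) n = limit;
    return count_dispatched_escapes(buf, n, patched ? IsAllowedWmfEscape : old_escape_allowed);
}

int main(void)
{
    printf("old GDI32 forwards %d of 4 escapes, patched GDI32 forwards %d\n",
           sample_dispatch_count(0, 0), sample_dispatch_count(1, 0));
    return 0;
}
```

Running it shows the whole difference between the two builds: the old filter lets escapes 1, 9 and 10 through and stops only 0Fh, the patched filter additionally stops 9, exactly as the two cmp instructions in the new function say. Cutting the stream short (for example to 30 bytes) makes the parser stop at the partial third record, which is the bounds check the original PlayMetaFileRecord path leaves to the caller of Escape.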
==== cut ====