
Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)

To: Alexander Sotirov <asotirov@determina.com>
Subject: Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
From: Jan Wrobel <wrobel@blues.ath.cx>
Date: Sat, 31 Mar 2007 01:11:15 +0200
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
In-reply-to: <460CA5CB.8080905@determina.com>
References: <460CA5CB.8080905@determina.com>
User-agent: Mutt/1.5.9i

On Thu, 29 Mar 2007, Alexander Sotirov wrote:

> Today Microsoft released a security advisory about a vulnerability in the
> Animated Cursor processing code in Windows:
> http://www.microsoft.com/technet/security/advisory/935423.mspx
> 
> It seems like the vulnerability is already exploited in the wild:
> http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/

Bleeding Edge Threats made available a Snort rule that detects some (all?)
exploits using this vulnerability:
http://www.bleedingthreats.net/index.php/2007/03/30/ms-ani-exploit-rule-details-emerging/

I don't know if this rule detects all possible exploits or just one
particular type. Here is a Firekeeper version of the rule, which can
be used to detect sites hosting malicious files:

alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit";
  body_content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|";
  reference:url,http://isc.sans.org/diary.html?storyid=2534;
  reference:url,http://www.avertlabs.com/research/blog/?p=233;
  reference:url,doc.bleedingthreats.net/2003519; fid:2003519; rev:1;)

The rule is triggered, for example, by the following images:

http://www.i5460.net/admin12/2.jpg

http://www.i5460.net/admin12/1.jpg

Cheers,
Jan Wrobel
http://firekeeper.mozdev.org
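As an added example (not part of Jan's post, the Bleeding Edge rule, or the Firekeeper project): a small Python scanner that translates the rule's body_content string into raw bytes and checks buffers against it. The RIFF/ACON wrapper and the two sample buffers are constructed for illustration; the function names are hypothetical.

```python
import struct

# body_content value copied from the Firekeeper rule quoted above.
RULE_CONTENT = ("|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 "
                "02 02 02 02 61 6E 69 68 52|")


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort-style content string into raw bytes.

    Text between '|' delimiters is a run of hex bytes; anything outside
    the delimiters is a literal string. Backslash escapes inside literals
    are not handled (assumption: the rule above needs none).
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                        # odd index: inside |...|, hex bytes
            out += bytes.fromhex(part)   # fromhex skips the spaces
        else:                            # even index: literal text
            out += part.encode("latin-1")
    return bytes(out)


def find_rule_match(data: bytes, content: str = RULE_CONTENT) -> int:
    """Return the offset of the first signature hit in data, or -1 if none."""
    return data.find(snort_content_to_bytes(content))


def riff_acon_header(payload: bytes) -> bytes:
    """Wrap chunk bytes in a minimal RIFF/ACON container (constructed)."""
    return b"RIFF" + struct.pack("<I", 4 + len(payload)) + b"ACON" + payload


# Constructed samples: an ordinary-looking anih chunk, and a buffer that
# carries the exact 29-byte run the rule looks for.
BENIGN_ANI = riff_acon_header(b"anih" + struct.pack("<I", 36) + bytes(36))
FLAGGED_ANI = riff_acon_header(snort_content_to_bytes(RULE_CONTENT) + bytes(8))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_ANI), ("flagged", FLAGGED_ANI)):
        off = find_rule_match(blob)
        print(f"{name}: {'hit at offset %d' % off if off >= 0 else 'no match'}")
```

Because the match is on one fixed byte run, a file that differs in any of those bytes is not flagged, which is the coverage limit Jan raises about the rule.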
