Credit:
The information has been provided by ZERT.
For the paper's latest version, please visit: http://isotf.org/zert/papers/vml-details-20060928.pdf.
This document provides a brief, quasi-technical analysis of CVE-2006-4868. The purpose is to disseminate information on the particular vulnerability and to assist with understanding of how the ZERT patch was designed to mitigate the flaw.
Introduction
The vulnerability in Microsoft's Vector Graphics Rendering Engine (vgx.dll) exists because of an overzealous for() loop that copies data from a large, dynamically allocated buffer into an inadequate, fixed-size buffer on the stack. The data copied by this routine is user-supplied: it is the value of a Vector Markup Language (VML) fill method attribute. Legitimate values for the attribute include none, any, linear, and sigma. A vulnerable version of the library copies the user-supplied string without checking its size, so a malicious document containing an overly long fill method string causes data to be written outside the destination buffer's boundaries.
The ZERT patch for this vulnerability adds a check to the code before execution of the described loop can begin. If the length of the user-supplied fill method string is greater than 512 bytes (the size of the destination buffer), the loop is avoided by jumping to the function's cleanup instructions, and the function subsequently returns null. The function can return null for several reasons, for example when the fill method string does not contain any characters. By handling the overly long string condition in this manner, we can be relatively certain that nothing out of the ordinary will happen: after patching, the library function reacts to an overly long fill method string with the same behavior it exhibits when the fill method string is null. If the added conditional determines that the string is not longer than 512 bytes, the library function enters the copy loop and proceeds with normal execution.
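The following C program is an added illustration of the two code shapes described above; it is not ZERT's patch or Microsoft's code, and every name in it (parse_fill_method, copy_fill_method_unchecked, FILL_METHOD_BUF and the status and method enums) is invented for the example. It keeps the unchecked copy loop exactly as the paper describes it, but places a length check in front of it so that an overlong attribute value takes the same early exit as an absent one. One deliberate difference from the paper's wording is assumed here: because the example stores a terminating NUL, it rejects strings of 512 bytes or more (a 512-byte string plus its terminator does not fit in a 512-byte buffer), rather than only strings longer than 512 bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer described in the paper (assumed name). */
#define FILL_METHOD_BUF 512

/* Outcomes, so a caller can tell the cleanup paths from a successful parse. */
enum fill_status { FILL_NULL_INPUT = 0, FILL_TOO_LONG, FILL_OK };

/* The legitimate fill method values named in the paper; UNKNOWN is everything else. */
enum fill_method { METHOD_UNKNOWN = 0, METHOD_NONE, METHOD_ANY, METHOD_LINEAR, METHOD_SIGMA };

/* Bounded length: never reads more than 'limit' bytes of attacker-controlled data.
   A result equal to 'limit' means no terminator was seen within that many bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* The vulnerable shape: copies until the source terminator with no check on the
   destination. The unpatched library entered this loop unconditionally; here it
   is only reached after the caller has proved that the string fits. */
static size_t copy_fill_method_unchecked(const char *src, char *dst)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

static enum fill_method classify(const char *s)
{
    if (strcmp(s, "none") == 0)   return METHOD_NONE;
    if (strcmp(s, "any") == 0)    return METHOD_ANY;
    if (strcmp(s, "linear") == 0) return METHOD_LINEAR;
    if (strcmp(s, "sigma") == 0)  return METHOD_SIGMA;
    return METHOD_UNKNOWN;
}

/* The patched shape: a length check sits before the loop, and an overlong value
   takes the early exit the function already had for a missing value. */
static enum fill_status parse_fill_method(const char *attr, enum fill_method *out)
{
    char buf[FILL_METHOD_BUF];
    size_t len;

    *out = METHOD_UNKNOWN;
    if (attr == NULL || attr[0] == '\0')
        return FILL_NULL_INPUT;            /* pre-existing cleanup path */

    /* Added check: if no terminator appears within sizeof buf bytes, the string
       cannot be copied together with its NUL, so the loop is never entered. */
    len = bounded_len(attr, sizeof buf);
    if (len >= sizeof buf)
        return FILL_TOO_LONG;              /* same outcome as a null string */

    copy_fill_method_unchecked(attr, buf); /* now provably within bounds */
    *out = classify(buf);
    return FILL_OK;
}

/* Small wrappers so the outcome of a parse can be inspected as a plain value. */
static enum fill_status status_of(const char *attr)
{
    enum fill_method m;
    return parse_fill_method(attr, &m);
}

static enum fill_method method_of(const char *attr)
{
    enum fill_method m;
    parse_fill_method(attr, &m);
    return m;
}

/* Builds a constructed attribute value of n 'A' bytes (like a malicious
   document would carry) and reports how the parser treats it. */
static enum fill_status status_of_run(size_t n)
{
    char *s = malloc(n + 1);
    enum fill_status st;
    if (s == NULL)
        return FILL_NULL_INPUT;
    memset(s, 'A', n);
    s[n] = '\0';
    st = status_of(s);
    free(s);
    return st;
}

int main(void)
{
    printf("\"linear\"     -> status %d method %d\n", status_of("linear"), method_of("linear"));
    printf("511 x 'A'    -> status %d\n", status_of_run(511));
    printf("4096 x 'A'   -> status %d\n", status_of_run(4096));
    return 0;
}
```

The check is placed at the only point that matters: between reading the attribute and the first write into the stack buffer. Moving the bound into the loop itself would also work, but the paper's approach of refusing the copy altogether and reusing an existing exit path is smaller to patch in binary and easier to reason about.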
You can find the paper here:
http://isotf.org/zert/papers/vml-details-20060928.pdf