Microsoft: April 2005 Archives
There is now proof of concept code available for ms05-019 (Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)).
http://www.frsirt.com/exploits/20050417.ecl-winipdos.c.php
This one was actually interesting, an off-by-one:
"When processing an IP packet with an option size (2nd byte after the option) of 39, it will crash - since the maximum available size is 40 for the whole IP options field, and two are already used:
[ OPT ] [ SIZE ] [ 38 more bytes ]
Checks are done to validate that the option-size field is less than 40, where a value less than !39! should be checked for validation.
Note that this doesn't affect ALL options, and is also dependent upon the underlying protocol."
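As an added illustration of the bounds check the quoted text describes (my own model, not Windows code and not from the linked exploit), the two comparisons side by side: the one the author says was used and the one that should have been used. The constants and function names are assumptions; the check is modelled arithmetically, with no copy performed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the IP option length check described in the
 * quoted text; an added illustration, not Windows code.  The IPv4
 * options area is at most 40 bytes; with [OPT][SIZE][payload] the two
 * header bytes leave room for at most 38 payload bytes. */
#define IP_OPTS_MAX        40
#define IP_OPT_HDR_LEN     2
#define IP_OPT_PAYLOAD_MAX (IP_OPTS_MAX - IP_OPT_HDR_LEN)   /* 38 */

/* The comparison the quoted text says was used: rejects only SIZE >= 40,
 * so SIZE == 39 passes although 39 payload bytes do not fit in 38. */
static int size_ok_buggy(uint8_t size)
{
    return size < IP_OPTS_MAX;
}

/* The comparison the quoted text says should be used: SIZE < 39. */
static int size_ok_fixed(uint8_t size)
{
    return size < IP_OPT_PAYLOAD_MAX + 1;   /* i.e. size <= 38 */
}

/* Bytes a copy of `size` payload bytes into the 38-byte remainder would
 * write past its end, given the check that gates the copy.  Computed
 * arithmetically; no unsafe copy is performed here. */
static int overrun_bytes(uint8_t size, int (*check)(uint8_t))
{
    if (!check(size))
        return 0;                        /* rejected: nothing copied */
    return size > IP_OPT_PAYLOAD_MAX ? size - IP_OPT_PAYLOAD_MAX : 0;
}

int main(void)
{
    /* Constructed SIZE values around the boundary, not real packets. */
    const uint8_t sizes[] = { 38, 39, 40 };
    for (size_t i = 0; i < sizeof sizes; i++)
        printf("SIZE=%u  buggy overrun=%d  fixed overrun=%d\n",
               sizes[i],
               overrun_bytes(sizes[i], size_ok_buggy),
               overrun_bytes(sizes[i], size_ok_fixed));
    return 0;
}
```

Only SIZE 39 slips through the buggy comparison, and by exactly one byte, which is the off-by-one the quoted text refers to.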
There is now PoC code for MS05-016, MS05-017, MS05-019, and MS05-020. The time for patching is now.
Proof of Concept code is now available for ms05-016, the Windows Shell remote code execution vulnerability.
http://downloads.securityfocus.com/vulnerabilities/exploits/ms05016.c
The code, when compiled, runs notepad.exe. Bad guys can likely use this to construct their own versions for an email virus. The vulnerability is related to how the OS handles unregistered file types.
Doc, pdf, pif etc. are examples of registered file types. An unregistered file type is anything else. So if I create a file with the extension D0C (that's a zero), it may look like an expected Word document, but it's really the exploit.
Further, anyone whose email antivirus is stuck in the stone age, scanning only specific file types, won't even scan this in inbound email. People who rely on blocking "dangerous" file types to fill the gap between exploit release and virus definition update will be out of luck unless they choose to whitelist a few specific extensions instead of relying on blacklists.