Topic: Multiple Remote Stack Overflow
wovabo
« on: April 23, 2008, 08:53:02 PM »

Hello

It seems like cmf is unable to detect the following multiple remote stack overflow triggered by http://webtest.scanit.be/bcheck/

Apple QuickTime 'QTPlugin.ocx' ActiveX Control Multiple Buffer Overflows
http://bcheck.scanit.be/bcheck/testdetails.php?id=23
http://www.securityfocus.com/archive/1/488045

According to the bo tester, my cmf 2.0.4.20 is properly installed and working.

Any ideas?


Frosty Port
« Reply #1 on: April 23, 2008, 11:26:55 PM »

I did not have the same results as you. I went to the 1st link in your post and ran all 15 tests and passed all of them. I have a screenshot if anyone needs to see it, but this is a c/p of the test:

* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Internet Explorer bait & switch race condition - passed
* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Internet Explorer createTextRange arbitrary code execution - passed
* Passed Windows MDAC ADODB ActiveX control invalid length - passed
* Passed Adobe Flash Player video file parsing integer overflow - passed
* Passed XMLDOM substringData() heap overflow - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.5) - passed
* Passed Opera JavaScript invalid pointer arbitrary code execution - passed
* Passed Apple QuickTime MOV file JVTCompEncodeFrame heap overflow - passed
* Passed Mozilla code execution via QuickTime Media-link files - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.8) - passed
* Passed Mozilla memory corruption vulnerabilities (rv:1.8.1.10) - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.12) - passed
* Passed Apple QuickTime 'QTPlugin.ocx' ActiveX Control Multiple Buffer Overflows - passed

{XP-PRO-SP2} {FireFox}  {Avast-Pro AV}  {Comodo FW pro3}
Opus Dei
« Reply #2 on: April 23, 2008, 11:54:25 PM »

I passed all tests.
I cannot say if it is because of my browser Firefox 2.0.0.14 or because of CMF 2.0.4.20 or a combination of both, but no buffer overflow here.

Ran all 15 tests. What browser are you using?

OD
Edit: added test 16


« Last Edit: April 25, 2008, 09:06:43 AM by Opus Dei »

"Sometimes when I get up in the morning, I feel very peculiar. I feel like I've just got to bite a cat! I feel like if I don't bite a cat before sundown, I'll go crazy! But then I just take a deep breath and forget about it", then again sometimes you just have to bite a cat
Frosty Port
« Reply #3 on: April 24, 2008, 12:26:10 AM »

I just did IE 7 and had the same outcome: passed all tests. I have a screenshot if anyone needs to see it, but both of my browsers have passed, and IE 7 was not set up in any special way for this test.
MrBrian
« Reply #4 on: April 24, 2008, 04:01:44 AM »

Quote
It seems like cmf is unable to detect the following multiple remote stack overflow triggered by http://webtest.scanit.be/bcheck/

Apple QuickTime 'QTPlugin.ocx' ActiveX Control Multiple Buffer Overflows

Is your QuickTime version newer than v7.4.1?  If so, then there should have been no buffer overflow, and hence no alert from CMF.
wovabo
« Reply #5 on: April 24, 2008, 08:47:13 AM »

Quote
Is your QuickTime version newer than v7.4.1?  If so, then there should have been no buffer overflow, and hence no alert from CMF.
I first downgraded my current QuickTime player (7.4.5) to the vulnerable version 7.4.1 before running the security test, because I wanted to know if CMF would detect this known buffer overflow.

With QuickTime 7.4.1 installed, my browser (IE 6.0.2900.2180) crashes during step 16 of the security test, and CMF doesn't show any alerts. (With v7.4.5 the browser doesn't crash.)

I have downloaded the outdated quicktime version from here:
http://filehippo.com/download_quicktime_player/3773/


Edit 1

Edit 2: CMF seems also unable to detect the heap overflow: http://bcheck.scanit.be/bcheck/testdetails.php?id=16
- Tested with IE 6.0.2900.2180 and quicktime player 7.1.6 downloaded from: http://filehippo.com/download_quicktime_player/2607/

However, I must say that I'm not really sure if these tests are real buffer overflows or just a sort of simulation. At least they crash my browser, so it can't be something harmless.
« Last Edit: April 24, 2008, 10:00:09 AM by wovabo »
Frosty Port
« Reply #6 on: April 24, 2008, 11:00:59 AM »

Quote
crashes during step 16

@wovabo I did FF & IE 7 and on both there were only 15 tests; I did not see #16. Can you show where to get the other one? Thanks.
wovabo
« Reply #7 on: April 24, 2008, 11:17:00 AM »

Quote
@wovabo I did FF & IE 7 and on both there were only 15 tests; I did not see #16. Can you show where to get the other one? Thanks.
Hello Frosty

There you go. http://bcheck.scanit.be/bcheck/listtests.php?action=choose
Frosty Port
« Reply #8 on: April 24, 2008, 12:32:53 PM »

I did the test and got the same results [passed all]. I see what you're saying: you downgraded your system. I'm running a fully patched and up-to-date system, which explains why the tests are different. I think it would almost be safe to say that this exploit will do its dirty deed ONLY if your system is not up to date. I cannot say what is stopping it from running: CMF, CFWP, or the up-to-date system/patches. But it sounds like from your test CMF/CFWP may not help. And I do not know if this test is just trying to crash the browser; if that's the case, that would explain why it failed to work on a fully up-to-date system which is running the latest plug-ins. I think in that case it's not the job for CMF and that's why there are no alerts from it. Maybe someone with a better understanding of the test will bring some closure to this. Thanks for the links. Cheers
Tyler Durden
« Reply #9 on: April 25, 2008, 03:52:26 AM »

Hi, these tests don't use shellcode. CMF detects not the BO itself, but the shellcode execution, because all real BO attacks use shellcode (or ret2libc, which is actually some kind of shellcode too). That's why it doesn't detect it.

The Verve RETURNED !!! Can't you feel this beauty in life ?!
wovabo
« Reply #10 on: April 25, 2008, 11:22:46 PM »

Thanks for the clarification, Tyler.
MrBrian
« Reply #11 on: April 26, 2008, 12:18:44 AM »

Mr. Durden, would it be accurate to say that the test does not call any of the Windows APIs that CMF hooks, and that's why CMF did not alert? 

See http://forums.comodo.com/feedbackcommentsannouncementsnews/explanation_of_why_cmf_fails_some_buffer_overflow_tests-t22330.0.html for technical details on 3rd party buffer overflow protection products in general.
« Last Edit: April 26, 2008, 08:41:20 PM by MrBrian »
Tyler Durden
« Reply #12 on: April 26, 2008, 03:34:44 AM »

CMF doesn't backtrace stack frames; it just checks the page corresponding to its internal page-buffer, so it isn't vulnerable to fake frames. And again, such tests don't use any shellcode at all; that's why CMF doesn't "detect" them.
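A toy model of the distinction drawn in Replies #9 and #12 (an execution-origin check that ignores memory corruption until something actually runs from a data page), added here as an illustration; it is not code from the thread or from Comodo, CMF's real mechanism is undisclosed, and every address and page range below is constructed:

```python
# Added illustration, not code from the thread or from Comodo. CMF's real
# mechanism is undisclosed; this is a toy model of an execution-origin
# check that alerts only when control lands in a stack or heap page.

# Constructed memory map: (start, size, kind). Addresses are hypothetical.
MEMMAP = [
    (0x00400000, 0x00010000, "image"),  # hypothetical browser .exe
    (0x7C800000, 0x00080000, "image"),  # hypothetical system DLL
    (0x00120000, 0x00020000, "stack"),  # thread stack (data only)
    (0x00300000, 0x00040000, "heap"),   # process heap (data only)
]

def page_kind(addr):
    """Return 'image', 'stack', 'heap', or None for an unmapped address."""
    for start, size, kind in MEMMAP:
        if start <= addr < start + size:
            return kind
    return None

def monitor(trace):
    """Walk control-transfer targets in execution order.
    An unmapped target is an access violation: the process dies there and
    nothing after it runs, so the monitor never sees a later transfer.
    Execution in a stack/heap page is what the monitor is built to flag."""
    alerts, fault = [], None
    for target in trace:
        kind = page_kind(target)
        if kind is None:
            fault = target
            break
        if kind in ("stack", "heap"):
            alerts.append(target)
    return alerts, fault

def verdict(trace):
    alerts, fault = monitor(trace)
    if alerts:
        return "alert"
    return "crash, no alert" if fault is not None else "clean"

# Constructed traces (hypothetical addresses). A corruption-only test
# overwrites a return address with filler ('AAAA' -> 0x41414141): the
# browser faults and no data page ever executes, so there is no alert.
CRASH_ONLY = [0x7C812345, 0x00401000, 0x41414141]
# The same transfer landing in the stack page: what such a monitor reports.
DATA_PAGE_EXEC = [0x7C812345, 0x00401000, 0x00125000]
# Ordinary execution stays inside image pages.
NORMAL = [0x7C812345, 0x00401000, 0x7C823456]

if __name__ == "__main__":
    for name, t in [("crash-only", CRASH_ONLY), ("stack exec", DATA_PAGE_EXEC), ("normal", NORMAL)]:
        print(f"{name:10s}: {verdict(t)}")
```

The model also shows why such a check is indifferent to the stack layout: it never walks frames, so a corrupted or fabricated frame chain neither triggers nor suppresses the alert.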
MrBrian
« Reply #13 on: April 26, 2008, 04:24:25 AM »

Quote
CMF doesn't backtrace stack frames; it just checks the page corresponding to its internal page-buffer, so it isn't vulnerable to fake frames. And again, such tests don't use any shellcode at all; that's why CMF doesn't "detect" them.

Thank you for the quick reply :). Even more details would be welcome, but I just read another post from you that CMF's exact protection mechanism is considered secret, so I guess I can't expect too much.
« Last Edit: April 26, 2008, 04:52:39 AM by MrBrian »
MrBrian
« Reply #14 on: April 26, 2008, 08:45:52 PM »

http://forums.comodo.com/feedbackcommentsannouncementsnews/multiple_remote_stack_overflow-t22239.0.html;msg155844#msg155844

Original link given had article text cut off at beginning.  New link does not.
