The vulnerability researcher responsible for part of MS10-012, Hernan Ochoa from Hexale / Core Security and author of UHooker, will be releasing an advisory on the weak NTLM entropy issue. I am hoping his post goes into detail and that he provides some kind of proof of concept. Keep an eye on thatsBroken for a breakdown and review of this vulnerability…
Using TurboDiff 1.0.1b2 from Core, I am doing a binary diff of srv.sys between MS09-001 and MS10-012.
The file size has grown by almost 20k, so we can expect to see some significant change. Thankfully TurboDiff does a great job of matching functions… let's take a look:
————————————————————-
matched functions: 14
[.] 000267f3 sub_267F3 – 00022df3 sub_22DF3
[.] 00027b74 sub_27B74 – 00024174 sub_24174
[.] 00028cd7 sub_28CD7 – 000252d7 sub_252D7
[.] 0002ad05 sub_2AD05 – 00027305 sub_27305
[.] 0002bbe8 sub_2BBE8 – 000281df sub_281DF
[.] 0002c4c3 sub_2C4C3 – 00028abb sub_28ABB
[.] 0002c9a7 sub_2C9A7 – 00028f9f sub_28F9F
[.] 0003aee7 sub_3AEE7 – 000374cf sub_374CF
[.] 0003c099 sub_3C099 – 00038681 sub_38681
[.] 0003e3a5 sub_3E3A5 – 0003a81b sub_3A81B
[.] 00045a7b sub_45A7B – 00041f39 sub_41F39
[.] 0004c063 sub_4C063 – 00048519 sub_48519
[.] 00050033 sub_50033 – 0004c4fd sub_4C4FD
[.] 000520bd sub_520BD – 0004e597 sub_4E597
————————————————————-
unmatched functions1: 53
00013052 sub_13052
0001319f sub_1319F
00013902 sub_13902
00014459 sub_14459
000156f8 sub_156F8
0001623d sub_1623D
0001dabb sub_1DABB
000207d1 sub_207D1
00020831 sub_20831
00020886 PsGetCurrentThreadId
00020891 PsGetCurrentProcessId
00020aab sub_20AAB
00020b8e sub_20B8E
00020cb3 sub_20CB3
00020d69 sub_20D69
00020e33 sub_20E33
00020ee4 sub_20EE4
00020f18 sub_20F18
00021055 sub_21055
000210f6 sub_210F6
000442a9 sub_442A9
0005c7a8 sub_5C7A8
0005c7ea sub_5C7EA
0005c805 sub_5C805
0005cc5d sub_5CC5D
0005cd7b sub_5CD7B
0005cdbd sub_5CDBD
0005ce42 sub_5CE42
0005cea4 sub_5CEA4
0005cedf sub_5CEDF
0005cf13 sub_5CF13
0005d059 sub_5D059
0005d0bc sub_5D0BC
0005d180 sub_5D180
0005d1fa sub_5D1FA
0005d22d sub_5D22D
0005d280 sub_5D280
0005d2d1 sub_5D2D1
0005d338 sub_5D338
0005d375 sub_5D375
0005d686 sub_5D686
0005d6b2 sub_5D6B2
0005d6ff sub_5D6FF
0005d749 sub_5D749
0005d7ed sub_5D7ED
0005d7f6 sub_5D7F6
0005d822 sub_5D822
0005d82b sub_5D82B
0005d851 sub_5D851
0005d85a sub_5D85A
0005d87f sub_5D87F
0005d888 sub_5D888
0005d8a7 sub_5D8A7
————————————————————-
unmatched functions2: 1
0004071f sub_4071F
————————————————————-
changed functions: 5
[.] 0002b782 sub_2B782 – [.] 00027d82 sub_27D82
[.] 0003cbc9 sub_3CBC9 – [.] 000391b1 sub_391B1
[.] 0003d0f3 sub_3D0F3 – [.] 000396cf sub_396CF
[.] 0003d7d3 sub_3D7D3 – [.] 00039ccf sub_39CCF
[.] 0004f9c9 sub_4F9C9 – [.] 0004be7f sub_4BE7F
————————————————————-
I am working on narrowing down the NTLM entropy changes in the hope that I can create an unauthenticated remote check. The rest of the bugs in MS10-012 require authentication and appear to be caused by improperly parsing Unicode file name strings containing wildcards…
Of course there were a ton of matched functions between the two files; I've included the:
14 matched functions ~ these are functions that have probably changed
53 unmatched functions ~ these are new functions in the updated srv.sys
5 changed functions ~ the number of basic blocks in these functions has changed, suggesting a significant change
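When triaging a patch diff it helps to get the report out of the GUI and into something scriptable. The following is an added example, not code from the post, from TurboDiff or from Core: a small Python parser for the report layout shown above that checks each section's header count against the rows actually listed, and a helper that groups the unmatched (new) functions into contiguous address regions so a block of appended code, like the 0x5c7a8 to 0x5d8a7 run above, stands out as one region. The sample report embedded below is constructed from a few lines of the output above.

```python
import re
# Constructed sample in the TurboDiff 1.0.1b2 report layout shown above (first binary on the left, second on the right).
SAMPLE = """\
-----
matched functions: 2
[.] 000267f3 sub_267F3 - 00022df3 sub_22DF3
[.] 00027b74 sub_27B74 - 00024174 sub_24174
-----
unmatched functions1: 3
00020886 PsGetCurrentThreadId
0005c7a8 sub_5C7A8
0005c7ea sub_5C7EA
-----
changed functions: 1
[.] 0002b782 sub_2B782 - [.] 00027d82 sub_27D82
"""
HEADER = re.compile(r"^(matched functions|unmatched functions[12]|changed functions): (\d+)$")
PAIR = re.compile(r"^(?:\[\.\] )?([0-9a-f]{8}) (\S+) [-\u2013\u2014] (?:\[\.\] )?([0-9a-f]{8}) (\S+)$")
SINGLE = re.compile(r"^([0-9a-f]{8}) (\S+)$")

def parse_turbodiff(text):
    """Parse a TurboDiff report into {section: [rows]} (addresses as ints); raise if a header count disagrees with the rows parsed."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) <= set("-\u2014\u2013"):
            continue                              # blank line or separator rule
        if (m := HEADER.match(line)):
            current = m.group(1)
            sections[current] = {"want": int(m.group(2)), "rows": []}
            continue
        m = PAIR.match(line) or SINGLE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        g = m.groups()                            # hex addresses sit at even indices
        sections[current]["rows"].append(tuple(int(v, 16) if i % 2 == 0 else v for i, v in enumerate(g)))
    for name, s in sections.items():
        if len(s["rows"]) != s["want"]:
            raise ValueError(f"{name}: header says {s['want']}, parsed {len(s['rows'])}")
    return {k: v["rows"] for k, v in sections.items()}

def new_code_regions(rows, gap=0x1000):
    """Group (addr, name) rows into address ranges; functions closer than `gap` to the previous one join its range."""
    regions = []
    for addr, _ in sorted(rows):
        if regions and addr - regions[-1][1] <= gap:
            regions[-1][1] = addr                 # extend the current run of new code
        else:
            regions.append([addr, addr])          # start a new run
    return [tuple(r) for r in regions]
```

Feed the full report saved from the results window into `parse_turbodiff` and the "unmatched functions1" rows into `new_code_regions` to see which address ranges the update added.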
Here is what the TurboDiff results window looks like:
Choosing a function will bring up two function call graphs. We're most concerned about red blocks, but don't let the trickier-to-spot bugs slip past!
Here is a side by side shot showing the changed code:
When we take a closer look at this code, however, we can see it's a false positive: