Published in The Register newsletter:
Hackers have created an exploit for the latest critical flaw in Microsoft Windows just days after the vulnerability made headlines worldwide.
The flaw involves a vulnerability in Microsoft's Abstract Syntax Notation 1 (ASN.1) library which could be applied to seize control of vulnerable systems.
Windows 2000/XP/2003 are all affected by the vulnerability, which was discovered by security researchers at eEye six months ago.
Last week, security vendors advised there was no known exploit for the vulnerability. That view needs to be revised following the publication of an exploit by 23-year-old white hat hacker Christophe Devine on a full disclosure mailing list over the weekend.
Vulnerable systems could only be crashed - and not taken over - using the attack code. Nonetheless the threat level has gone up an extra notch.
Thomas Kristensen, CTO of security Web site Secunia, said: "this exploit only causes a Denial of Service; it is still believed that a system compromise is possible".

ASN.1 is similar to XML, only much older. It is used in the application layer of TCP/IP (Microsoft Netmeeting, SNMP, SSL, and Windows Local Security Authority Server Process [lsass.exe] use ASN.1). It comes in several binary encodings, which were designed to save space but also make the format more complicated.
It's difficult to turn this into an exploit where malicious code can be run. The bug basically overflows a heap data structure (the heap is used for dynamic memory allocation, for example when a program allocates the memory it needs at runtime), where data is not laid out in the predictable order of stack operations (as a classic stack buffer overflow illustrates). The order of data in the heap is somewhat random and not in continuous blocks.
But, in a given executable format (in this case a Win32 Portable Executable), there is a special address where the same data is always stored. This memory address contains the IMAGE_IMPORT_DESCRIPTOR, which points to two arrays. Those two arrays hold the addresses of functions the executable imports (usually Win32 API). If one can overwrite the heap, and specifically these two addresses, with the proper value, the code can call any function it pleases.
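The flaw lives in a library that decodes ASN.1's binary encodings, and the heap overflow described above is what happens when a decoder trusts a length field it read from the wire. As an added example (not code from The Register, eEye or Microsoft), here is a bounds-checked BER/DER tag-length-value header reader with a small walker over a constructed element; the sample inputs are constructed, and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Reads one TLV header. Returns the number of header octets consumed
 * (tag + length octets) and stores the tag and content length, or
 * returns 0 if the encoding is malformed or the content would overrun
 * the buffer. Every length read from the wire is checked against what
 * is actually left in the buffer before it is handed back. */
size_t asn1_read_header(const uint8_t *buf, size_t len,
                        uint8_t *tag, size_t *content_len)
{
    size_t pos = 0, value = 0;
    if (buf == NULL || len < 2) return 0;            /* need tag + 1 length octet */
    *tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {                               /* short form: 0..127 */
        value = first;
    } else {
        size_t nbytes = first & 0x7F;                 /* long form: octet count */
        if (nbytes == 0 || nbytes > sizeof(size_t)) return 0; /* indefinite / too wide */
        if (nbytes > len - pos) return 0;             /* length octets would overrun */
        if (buf[pos] == 0) return 0;                  /* DER: no leading zero octets */
        for (size_t i = 0; i < nbytes; i++) value = (value << 8) | buf[pos++];
        if (value < 0x80) return 0;                   /* DER: long form only for >= 128 */
    }
    if (value > len - pos) return 0;                  /* content would overrun the buffer */
    *content_len = value;
    return pos;
}

/* Walks the children of a constructed element (e.g. SEQUENCE) and returns
 * how many well-formed TLVs it holds, or -1 at the first malformed one. */
int asn1_count_children(const uint8_t *buf, size_t len)
{
    uint8_t tag; size_t clen, hdr;
    hdr = asn1_read_header(buf, len, &tag, &clen);
    if (hdr == 0 || !(tag & 0x20)) return -1;         /* bit 6 set = constructed */
    const uint8_t *p = buf + hdr; size_t remaining = clen; int count = 0;
    while (remaining > 0) {
        hdr = asn1_read_header(p, remaining, &tag, &clen);
        if (hdr == 0) return -1;
        p += hdr + clen; remaining -= hdr + clen; count++;
    }
    return count;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t good_seq[] = { 0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 'a', 'b' };
/* SEQUENCE whose inner OCTET STRING claims 4 GiB of content in a 6-byte body. */
static const uint8_t bad_len[]  = { 0x30, 0x06, 0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFF };
```

The second sample is the shape of input a trusting decoder would pass straight to an allocation or copy; here it is rejected before any content is touched.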
