Comments on: Hotpatching MS08-067

By: Yuhong Bao

Yuhong Bao — Tue, 09 Feb 2010 02:30:23 +0000

.text:000007FF7738E5D6 mov rcx, 0FFFFFFFFFFFFFFFFh
.text:000007FF7738E5E0 mov rdi, r8
.text:000007FF7738E5E3 repne scasw

BTW, 65nm Core 2 has errata relating to executing REP SCAS/CMPS with values exceeding 0×100000000. Luckily, it is mentioned that Intel has a microcode update to fix this, which would be essential since it is code generated by a common compiler.

By: Microsoft Releasing Out-of-Band Security Patch « ThreatFire Research Blog

Microsoft Releasing Out-of-Band Security Patch « ThreatFire Research Blog — Tue, 27 Oct 2009 21:24:52 +0000

[...] in mind that the update requires a reboot.For all you hardcore hax0rs, Skywing has put together a detailed post on using the AT service and hiew to to inject the updated code into svchost.exe and manually hot [...]

By: Wireless hack,Wifi hack & security » Blog Archive » Microsoft Hotpatching MS08-067

Sun, 05 Jul 2009 10:41:05 +0000

[...] reverse engineering most present-day Microsoft security patches is not particularly insurmountable. In detail Posted in Security | Leave a [...]

By: Conficker/Downadup worm strikes | Byte Bites

Conficker/Downadup worm strikes | Byte Bites — Fri, 16 Jan 2009 05:17:34 +0000

[...] Conficker worm� (W32/Confick-A, W32/Confick-B, W32/Confick-C, W32/Confick-D), aka Downadup (W32.Downadup, W32.Downadup.B)� is� going around and is capable of spreading� very fast on Windows XP/Vista machines. This worm exploits1 a remote code execution vulnerability in the Server service responsible for file/printer sharing functionalities. The vulnerability is apparently because of a buffer overrun bug in netapi32.dll call NetpwPathCanonicalize. [...]

By: Hacker Coder

Hacker Coder — Wed, 17 Dec 2008 14:35:45 +0000

Is the bug exist in Windows Server 2008?

By: nvedala

nvedala — Wed, 10 Dec 2008 05:00:43 +0000

Skywing, here is first ever humor book for debugging folks. Available for order on Amazon. I’ve been following your blog for quite long and so in one of the cartoons I’ve included you :) Hope you don’t mind :p

http://www.amazon.com/gp/product/1906717257?ie=UTF8&tag=idebug_in_windbg-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=1906717257

By: Kurt Baumgartner

Kurt Baumgartner — Wed, 03 Dec 2008 01:37:01 +0000

Awesome post. No need to push off BinDiff because of price…

“For all you hardcore hax0rs, Skywing has put together a detailed post on using the AT service and hiew to to inject the updated code into svchost.exe and manually hot patch the running vulnerable service, avoiding a reboot. Fun reading, but not recommended.
In it he claims that he wasn’t able to use BinDiff to identify the patched code, but for those RE’s with a lack of funding, there is a limited trial version of v2.0 that worked great on netapi32 and helped id this problem as a stack overflow within a couple minutes of Microsoft’s patch release. You can see for yourself what a great tool Bindiff really is — google is your friend.”

http://blog.threatfire.com/2008/10/microsoft-is-releasing-out-of-cycle.html

By: Phil Fultz

Phil Fultz — Wed, 05 Nov 2008 04:53:24 +0000

You mentioned blocking inbound SMB on both TCP ports 139 and 445 “thus cutting off remote access to the srvsvc pipe, a prerequisite for exploiting the vulnerability”.

While your proposed remedy accomplishes the goal, I think it worthwhile to point out that the srvsvc pipe is not necessarily required to access the vulnerable function. Because of what appear to be well-known characteristics of Microsoft’s RPC implementation, srvsvc functionality is available over other RPC endpoints registered in-process. This is noteworthy because one endpoint is the BROWSER named pipe, which has a more permissive DACL than than the SRVSVC named pipe. As an example of the practical application of this, see the public Metasploit module that exploits this vulnerability.

By: The Mission Control Supreme Commander Blog - Eintrag-Details: Unfassbar...

The Mission Control Supreme Commander Blog - Eintrag-Details: Unfassbar... — Wed, 29 Oct 2008 11:49:17 +0000

[...] Unfassbar… [...]

By: nksingh

nksingh — Sun, 26 Oct 2008 09:35:12 +0000

I’m not sure why this one was not delivered as a hotpatch. AMD64 actually requires all functions to be hotpatchable. They must begin with an opcode bigger than two bytes (so sometimes you get a redundant REX prefix on pushreg instructions at the beginning of a function). Perhaps it takes too long to generate the hotpatch and test it properly relative to how quickly this bug was turned around from discovery to patch.