Results 1 to 3 of 3

Thread: Microsoft Advertisement: Security Flaw

  1. #1
    Senior Member
    Join Date
    Mar 2004

    Microsoft Advertisement: Security Flaw


    Recently, I stumbled upon an (new to me ) Microsoft advertisement:
    "This code snippet is an example of one type of error
    that some people believe is less likely to cause
    security risks. However, it can be just as dangerous
    as the more infamous buffer overrun."

    Do you spot the security flaw?

    (code snippet in the ad was taken from the "code secure"

    bool DoSomething(const char* server)
       unsigned char namelen = strlen(server) + 2;
       if(namelen < 255)
          char* UncName = malloc(namelen);
          if(UncName != 0)
             sprintf(UncName, "\\\\%s", server);
          //do more things here

    I have identified the flaw, hence I tried to exploit it ,
    for simplicity in a Windows XP SP1 environment. Unfortunately,
    I have failed so far.

    The techniques I have used are fairly well documented and
    available everywhere (in chronological order of official

    - Halvar Flake[2]: UEFA (Unhandled Filter Exception)
    - Halvar Flake[2]: TESO (Thread Environment Structure (=TEB))
    - Litchfield? [3]: PEB (Process Environment Block)
    - Litchfield? [3]: VEH (Vector Exception Handling)
    - Conov./Horo.[4]: LAT (LookAside Table)

    I am actually quite convinced that all these methods do fail,
    each for various reasons - except maybe UEFA: for some reason,
    an SE handler is used (TESO), completely overriding the UEF.
    I am not sure, where this is defined.

    E.g. I even tried to go as far as the following (making the
    "exploitation" extremely platform dependent): In the VEH approach,
    I tried to find a location "A" that refers to another location "B"
    where EBP+10 is called (FF 55 10), since at EBP+10 a reference to
    my code was given (to be loaded in EAX of course). While various
    of these locations "B" can be found, nowhere a location "A" referring
    to "B" could be detected (remember little-endian)

    And here are my questions:

    1. What else can you suggest me to try?
    2. I am wondering, whether the "security flaw" simply refers to
    the violation of "availability", but the conditions seem no to
    be met for a vulnerability, hence no exploitation possible?



    [1] http://msdn.microsoft.com/library/de...re01142004.asp
    [2] http://www.blackhat.com/presentation...e-winsec02.ppt
    [3] http://opensores.thebunker.net/pub/m...04-litchfield/
    [4] http://www.cybertech.net/~sh0ksh0k/heap
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  2. #2
    Is that an off-by-one when allocating memory.

  3. #3
    Senior Member
    Join Date
    Mar 2004

    Thanks for reviving this thread

    The security flaw[1] is a classical integer overflow, which leads
    to an heap overflow[2]: if strlen(server) is 254 or 255 the resulting
    namelen is 0 or 1 respectively.

    I tried to identify conditions which turn the security flaw into a
    vulnerability. I have not found such a combination (hence I was
    not able to write an exploit). But then, my knowledge is limited,
    hence the question still stays open: any other ways to proceed?

    Thanks & Cheers

    [1] http://www.sei.cmu.edu/pub/documents...df/05tn003.pdf , Section 1.1
    [2] http://www.securityfocus.com/infocus/1846, nice review and outlook
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts