|
-
December 31st, 2005, 01:18 AM
#1
Microsoft Advertisement: Security Flaw
Hi
Recently, I stumbled upon an (new to me  ) Microsoft advertisement:
"This code snippet is an example of one type of error
that some people believe is less likely to cause
security risks. However, it can be just as dangerous
as the more infamous buffer overrun."
Do you spot the security flaw?
(code snippet in the ad was taken from the "code secure"
article[1])
Code:
bool DoSomething(const char* server)
{
unsigned char namelen = strlen(server) + 2;
if(namelen < 255)
{
char* UncName = malloc(namelen);
if(UncName != 0)
sprintf(UncName, "\\\\%s", server);
//do more things here
}
...
}
I have identified the flaw, hence I tried to exploit it ,
for simplicity in a Windows XP SP1 environment. Unfortunately,
I have failed so far.
The techniques I have used are fairly well documented and
available everywhere (in chronological order of official
appearance):
- Halvar Flake[2]: UEFA (Unhandled Filter Exception)
- Halvar Flake[2]: TESO (Thread Environment Structure (=TEB))
- Litchfield? [3]: PEB (Process Environment Block)
- Litchfield? [3]: VEH (Vector Exception Handling)
- Conov./Horo.[4]: LAT (LookAside Table)
I am actually quite convinced that all these methods do fail,
each for various reasons - except maybe UEFA: for some reason,
an SE handler is used (TESO), completely overriding the UEF.
I am not sure, where this is defined.
E.g. I even tried to go as far as the following (making the
"exploitation" extremely platform dependent): In the VEH approach,
I tried to find a location "A" that refers to another location "B"
where EBP+10 is called (FF 55 10), since at EBP+10 a reference to
my code was given (to be loaded in EAX of course). While various
of these locations "B" can be found, nowhere a location "A" referring
to "B" could be detected (remember little-endian) 
And here are my questions:
1. What else can you suggest me to try?
2. I am wondering, whether the "security flaw" simply refers to
the violation of "availability", but the conditions seem no to
be met for a vulnerability, hence no exploitation possible?
Thanks.
Cheers
[1] http://msdn.microsoft.com/library/de...re01142004.asp
[2] http://www.blackhat.com/presentation...e-winsec02.ppt
[3] http://opensores.thebunker.net/pub/m...04-litchfield/
[4] http://www.cybertech.net/~sh0ksh0k/heap
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
June 2nd, 2006, 08:56 PM
#2
Is that an off-by-one when allocating memory.
-
June 3rd, 2006, 09:18 AM
#3
Hi
Thanks for reviving this thread
The security flaw[1] is a classical integer overflow, which leads
to an heap overflow[2]: if strlen(server) is 254 or 255 the resulting
namelen is 0 or 1 respectively.
I tried to identify conditions which turn the security flaw into a
vulnerability. I have not found such a combination (hence I was
not able to write an exploit). But then, my knowledge is limited,
hence the question still stays open: any other ways to proceed?
Thanks & Cheers
[1] http://www.sei.cmu.edu/pub/documents...df/05tn003.pdf , Section 1.1
[2] http://www.securityfocus.com/infocus/1846, nice review and outlook
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote