| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 3 May 2008 12:18:49 +0400 From: kris kaspersky <poldhiir@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: # a new bug in Olly Hello full-disclosure! I've found a bug in Olly leading to crash SEH/VEH-based programs during tracing. (an example-pack could be found at my web-site http://nezumi.org.ru/olly-bug-776.zip, it includes two SEH/VEH programs and requests XP or latter to run VEH, while SEH works everywhere). Load an example into Olly and start tracing [F7] /* we can skip the first call by pressing [F8] (Step Over), since it has nothing interesting for us */ xor eax,eax/mov eax,[eax] generates an exceptions, catching by OS kernel. the kernel saves registry context (including TF-bit, set by Olly to "1") and passes control to NTDLL.DLL!KiUserExceptionDispatcher function - the first user-land function executes after an exception. it calls SEH/VEH handler (if there is at lest one). if the handler returns control to the code, where the exception was raised, registry context (including TF-bit) is restored by OS kernel. everything is fine, yes? hell, no!!! Olly catches NTDLL.DLL!KiUserExceptionDispatcher and offers us to press Shift-F7/F8/F9. Olly allows to trace KiUserExceptionDispatcher, but totally forgets to clean TF-bit. as result - when control is passed the to original code (to the command follows mov eax,[eax] in our case, since handler adds 2bytes /* sizeof mov eax,[eax] */ to EIP), TF-bit is set!!! so, a new exception occurs and SEH/VEH handler is called again and over again, coz, Olly passes this exception to the program, coz it forgets who "owns" this exception!!! since, SEH/VEH handler doesn't expect to handle trace exaction, we have an undefined behavior (a crash). it's definitely a bug!!! and how we can to fix it?! well, it's very simple. look at the prototype of KiUserExceptionDispatcher(EXCPT_REC *pExcptRec, CONTEXT *pContext). everything we need - is just to take pContext and clear TF-bit manually. pContext is the next DWORD on the stack and EFlags has C0h offset, while TF-bit is the first bit of the next word (1 << 8). just clean it and enjoy! press [F9] to Run the program or do whatever you want! of course, we can create plug-in, doing it automatically, or set-up a conditional breakpoint on KiUserExceptionDispatcher. I've checked the latest 2.00e version [April 19, 2008] and... the bug is still there, damn it! I reported about this bug to the Olly creator and he admitted it, writing me back: # Dear Kris Kaspersky, # thank you for your bug report. # I will try to remove it from v2.0 ASAP. # Sincerely, Olly -- Best regards, kris mailto:poldhiir@...il.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists