[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <000801c3f568$33e67110$0505a8c0@Slawek>
Date: Tue, 17 Feb 2004 16:10:39 +0100
From: "Slawek" <sgp@...satgp.com.pl>
To: "John Compton" <john_compton24@...oo.com>,
<bugtraq@...urityfocus.com>
Subject: Re: Misinformation in Security Advisories (ASN.1)
Hello!
In message to <bugtraq@...urityfocus.com> sent Mon, 16 Feb 2004
09:47:28 -0800 (PST) you wrote:
JC> First of all, there is good news for those of you out
JC> there who are worried about the new ASN.1
JC> vulnerability in Microsoft operating systems. It is
JC> NOT exploitable to run arbitrary code in anything
JC> approaching a real-world scenario.
[...]
JC> The ASN.1 vulnerabilities discovered by Eeye (there
JC> were several very similar ones) resulted in a memcpy
JC> of 4GB less a few bytes (0xFFFFFFFX) bytes to the
JC> process heap. This will quickly corrupt the entire
JC> heap and hit a guard page or unpaged address and cause
JC> an unhandled exception. When this unhandled exception
JC> occurs, application and then OS exception handlers
JC> will be called in order to attempt to deal with the
JC> protection fault.
JC> These exception handlers, in virtually every Microsoft
JC> application, do NOT use the heap since it is not
JC> guaranteed to be in a consistent state. This rules out
JC> the possibility of simply causing an exception and
JC> having the exception handlers traverse the heap and
JC> cause an arbitrary memory overwrite leading to code
JC> execution.
[...]
JC> The result, quite honestly, is a non-exploitable
JC> condition. This issue is limited in scope to a denial
JC> of service vulnerability.
Well... ok... let's think about it for a while...
It's easy to realise that one occurence of construct like this:
try {
... vulnerable code here ...
}
catch {
// free allocated memory or so
return false; // this function should never throw exceptions
}
Only *one* occurence is enough to make the bug exploitable.
Yes, I know code like this should *never* be used, but it's already widely
known that such constructs can be found even in .NET Framework code which
was meant to be secure from the first day.
--
Slawomir Piotrowski
Powered by blists - more mailing lists