Open Source and information security mailing list archives
Message-ID: <43FB1967D03EC7449A77FA91322E3648144062@SVL1XCHCLUPIN02.enterprise.veritas.com>
Date: Fri Jan 13 23:15:48 2006
From: pferrie at symantec.com (Peter Ferrie)
Subject: Steve Gibson smokes crack?

[snip]
>does anyone know the circumstances, in all cases, where the bug is
>triggered or is there only speculation based upon exploit code
>"working" against a given vulnerable implementation of the API?

The triggering mechanism is well-understood: this incorrect record
length requirement is simply wrong.  There is no "magic key".
It is possible to create entirely well-formed files that will
execute.  I don't know why Steve couldn't get it working properly,
and I'd like to know just how he managed to get it working at all
on Windows 2000 (see below).  So, what we have is this:
 
The file must not begin with the placeable (aka Aldus) metafile
header.  If it does begin with that, then the function is ignored,
and Windows continues to parse the file.
This is why Windows 9x, NT, and 2000 do not execute anything from
within Internet Explorer, for example - they do not support WMF
files without the Aldus header.
 
The record must be reachable.  It will not execute if the EOF
record (function number 00) is seen first.
 
That's all.  To clarify some other things:
 
The record length can be any value at all, as long as it remains
within the bounds of the file.  Before executing any record,
Windows checks that the next record is accessible.
 
The file does not have to end with the EOF record, but there must
be one in the file.
 
The smallest metafile is 18 bytes.  That's the header only.
The smallest parsable metafile is 24 bytes (EOF record only).
The smallest SetAbortProc file for Windows XP is 62 bytes.
 
8^) p.
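A scanner that walks a WMF record chain the way the message describes Windows doing it and reports which of the listed conditions hold, as an added example that is not part of the original message or of any vendor code. The WMF constants (placeable key 0x9AC6CDD7, META_ESCAPE 0x0626, SETABORTPROC 9) are standard values assumed here rather than taken from the message, and treating a record whose length cannot advance the cursor as the end of the chain is an assumption.

```python
import struct

# Standard WMF values (assumed, not from the message); the conditions
# checked below are the ones the message lists.
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the 22-byte Aldus/placeable header
META_EOF = 0x0000            # EOF record function number
META_ESCAPE = 0x0626         # escape record function number
SETABORTPROC = 0x0009        # escape subfunction that installs an abort proc
WMF_HEADER_LEN = 18          # header-only metafile size, per the message


def scan_wmf(data: bytes) -> dict:
    """Walk the record chain and report which trigger conditions hold."""
    r = {"placeable": False, "eof_reachable": False,
         "setabortproc_reachable": False, "records": 0, "flagged": False}
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        r["placeable"] = True        # placeable header: the escape is ignored
        return r
    off = WMF_HEADER_LEN
    while off + 6 <= len(data):      # 4-byte size (in words) + 2-byte function
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        # The record must stay within the file; a length that cannot advance
        # the cursor is treated as end of chain (assumption).
        if rec_len < 6 or off + rec_len > len(data):
            break
        r["records"] += 1
        if func == META_EOF:
            r["eof_reachable"] = True
            break                    # nothing after EOF is ever executed
        if func == META_ESCAPE and rec_len >= 8:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                r["setabortproc_reachable"] = True
        off += rec_len
    # Flag only when the escape is reachable and an EOF record exists (the
    # message says the file need not end with EOF, but must contain one).
    r["flagged"] = r["setabortproc_reachable"] and r["eof_reachable"]
    return r


def build_wmf(records, placeable=False) -> bytes:
    """Assemble a constructed sample: 18-byte header plus (func, params) records."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    # type=1 (memory), header size 9 words, version 0x300, file size in words,
    # object count, largest record size, reserved
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x300, (18 + len(body)) // 2, 0, 0, 0)
    prefix = struct.pack("<I", PLACEABLE_KEY) + b"\0" * 18 if placeable else b""
    return prefix + hdr + body
```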