lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1237488293.20080503121849@gmail.com>
Date: Sat, 3 May 2008 12:18:49 +0400
From: kris kaspersky <poldhiir@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: # a new bug in Olly

Hello full-disclosure!

I've found a bug in Olly leading to crash SEH/VEH-based programs
during tracing. (an example-pack could be found at my web-site
http://nezumi.org.ru/olly-bug-776.zip, it includes two SEH/VEH
programs and requests XP or latter to run VEH, while SEH works
everywhere).

Load an example into Olly and start tracing [F7]
/* we can skip the first call by pressing [F8]
(Step Over), since it has nothing interesting for us */

xor eax,eax/mov eax,[eax] generates an exceptions,
catching by OS kernel. the kernel saves registry context
(including TF-bit, set by Olly to "1") and passes control
to NTDLL.DLL!KiUserExceptionDispatcher function -
the first user-land function executes after an exception.
it calls SEH/VEH handler (if there is at lest one).

if the handler returns control to the code, where the exception
was raised, registry context (including TF-bit) is restored by
OS kernel. everything is fine, yes? hell, no!!!

Olly catches NTDLL.DLL!KiUserExceptionDispatcher and offers us
to press Shift-F7/F8/F9. Olly allows to trace  KiUserExceptionDispatcher, but totally forgets to clean TF-bit.
as result - when control is passed the to original code
(to the command follows mov eax,[eax] in our case, since handler
adds 2bytes /* sizeof mov eax,[eax] */ to EIP), TF-bit is set!!!
so, a new exception occurs and SEH/VEH handler is called again
and over again, coz, Olly passes this exception to the program,
coz it forgets who "owns" this exception!!!

since, SEH/VEH handler doesn't expect to handle trace exaction,
we have an undefined behavior (a crash).

it's definitely a bug!!! and how we can to fix it?!
well, it's very simple. look at the prototype of
KiUserExceptionDispatcher(EXCPT_REC *pExcptRec, CONTEXT *pContext).
everything we need - is just to take pContext and clear
TF-bit manually.
pContext is the next DWORD on the stack and EFlags has C0h offset,
while TF-bit is the first bit of the next word (1 << 8).
just clean it and enjoy! press [F9] to Run the program or
do whatever you want!

of course, we can create plug-in, doing it automatically,
or set-up a conditional breakpoint on KiUserExceptionDispatcher.

I've checked the latest 2.00e version [April 19, 2008] and...
the bug is still there, damn it!

I reported about this bug to the Olly creator and he admitted it,
writing me back:

# Dear Kris Kaspersky,
# thank you for your bug report.
# I will try to remove it from v2.0 ASAP.
# Sincerely, Olly


-- 
Best regards,
 kris                          mailto:poldhiir@...il.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ