RE: security enforcement - new monitor for winnt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

exploitable buffer overflow when attacker can supply arbitrary data to CreateFileW.

thanks for pointing it out. 

i'll fix it and make winblox open-source later tonight(many other guys suggested me to do this
also).

you can surely find more when you have source code. please publish all of them - we must fix all
asap, before operational uses.

best wishes,

die

--- Oliver Lavery <olavery@pivx.com> wrote:
> 
> 	Liu Die Yu, are you sure you don't want to be calling _snprintf
> here? ;) And since CreateFileW can be called with a 32,767 byte file name,
> I'm not sure what'll happen when you stuff it into a 200 byte buffer when
> it's converted to multi-byte... Call me crazy, but I'd be a little hesitant
> to run this in a production environment (even though it's at version 6.0)
> 
> 	Microsoft doesn't have a monopoly on buggy code with B0fs in it. ;)
> 
> 	This is a good idea though, hooking is neat. I'm not so sure I'd say
> it's unprecedented. Using AppInit_DLLs to load a hook DLL is a pretty common
> trick. Still, a nice hack.
> 
> .text:10001AEB ; int __stdcall My_CreateFileW(LPCWSTR
> lpWideCharStr,int,int,int,int,int,int)
> .text:10001AEB                 public My_CreateFileW
> .text:10001AEB My_CreateFileW  proc near               ; DATA XREF:
> DllMain(x,x,x)+47o
> .text:10001AEB                                         ; DllMain(x,x,x)+75o
> .text:10001AEB 
> .text:10001AEB var_CD0         = byte ptr -0CD0h
> .text:10001AEB var_8D0         = dword ptr -8D0h
> .text:10001AEB var_8CC         = dword ptr -8CCh
> .text:10001AEB MultiByteStr    = byte ptr -8C8h
> .text:10001AEB Text            = byte ptr -800h
> .text:10001AEB lpWideCharStr   = dword ptr  8
> .text:10001AEB arg_4           = dword ptr  0Ch
> .text:10001AEB arg_8           = dword ptr  10h
> .text:10001AEB arg_C           = dword ptr  14h
> .text:10001AEB arg_10          = dword ptr  18h
> .text:10001AEB arg_14          = dword ptr  1Ch
> .text:10001AEB arg_18          = dword ptr  20h
> .text:10001AEB 
> .text:10001AEB                 push    ebp
> .text:10001AEC                 mov     ebp, esp
> .text:10001AEE                 sub     esp, 0CD0h
> .text:10001AF4                 mov     [ebp+var_8D0], 0
> .text:10001AFE                 call    sub_100012EF    ; _reg
> .text:10001B03                 test    eax, eax
> .text:10001B05                 jnz     loc_10001C42
> .text:10001B0B                 lea     eax, [ebp+var_CD0]
> .text:10001B11                 push    eax
> .text:10001B12                 mov     ecx, [ebp+arg_4]
> .text:10001B15                 push    ecx
> .text:10001B16                 call    sub_10001383
> .text:10001B1B                 push    0               ; lpUsedDefaultChar
> .text:10001B1D                 push    0               ; lpDefaultChar
> .text:10001B1F                 push    0C8h            ; cchMultiByte
> .text:10001B24                 lea     edx, [ebp+MultiByteStr]
> .text:10001B2A                 push    edx             ; lpMultiByteStr
> .text:10001B2B                 push    0FFFFFFFFh      ; cchWideChar
> .text:10001B2D                 mov     eax, [ebp+lpWideCharStr]
> .text:10001B30                 push    eax             ; lpWideCharStr
> .text:10001B31                 push    0               ; dwFlags
> .text:10001B33                 push    0               ; CodePage
> .text:10001B35                 call    ds:WideCharToMultiByte
> .text:10001B3B                 mov     [ebp+Text], 0
> .text:10001B42                 lea     ecx, [ebp+MultiByteStr]
> .text:10001B48                 push    ecx
> .text:10001B49                 lea     edx, [ebp+var_CD0]
> .text:10001B4F                 push    edx
> .text:10001B50                 call    ds:GetCommandLineA
> .text:10001B56                 push    eax
> .text:10001B57                 call    sub_100010C9
> .text:10001B5C                 push    eax
> .text:10001B5D                 push    offset aCreatefileSSSS ;
> "CreateFile:%s > %s ==> %s --> %s"
> .text:10001B62                 lea     eax, [ebp+Text]
> .text:10001B68                 push    eax
> .text:10001B69                 call    _sprintf
> .text:10001B6E                 add     esp, 18h
> .text:10001B71                 mov     [ebp+var_8D0], 0
> .text:10001B7B                 jmp     short loc_10001B8C
> 
> Cheers,
> ~x
> 
> 
> > -----Original Message-----
> > From: Liu Die Yu [mailto:liudieyuinchina@yahoo.com.cn] 
> > Sent: March 29, 2004 11:35 PM
> > To: bugtraq@securityfocus.com
> > Subject: security enforcement - new monitor for winnt
> > 
> > 
> > 
> > 
> > i want to stop ie:
> > 
> > writing EXE/CAB/LNK ... files,
> > 
> > calling MSHTA.EXE to parse remote web pages,
> > 
> > accessing files outside "favorites" and cache("content.ie5").
> > 
> > 
> > 
> > i want to stop WSCRIPT.EXE from parsing files inside TEMP and cache.
> > 
> > 
> > 
> > i want to stop the system running executable files located in 
> > TEMP and cache.
> > 
> > 
> > 
> > afaik, i can stop ie 0day exploits by doing these things.
> > 
> > 
> > 
> > so, i made this:
> > 
> http://umbrella.name/winblox/
> 
> of course, free. and you can define your own rules easily(assuming you guys
> know a bit about regular expression).
> 
> 
> 
> it's totally a new idea(afaik). so, not for operational uses. 
> 
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
>  
> 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
>  
> 


__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux