Re: Misinformation in Security Advisories (ASN.1)

From: Slawek (sgp_at_telsatgp.com.pl)
Date: 02/17/04

  • Next message: Darren Tucker: "Re: AIX password enumeration possible"
    To: "John Compton" <john_compton24@yahoo.com>, <bugtraq@securityfocus.com>
    Date: Tue, 17 Feb 2004 16:10:39 +0100
    
    

    Hello!
    In message to <bugtraq@securityfocus.com> sent Mon, 16 Feb 2004
    09:47:28 -0800 (PST) you wrote:

     JC> First of all, there is good news for those of you out
     JC> there who are worried about the new ASN.1
     JC> vulnerability in Microsoft operating systems. It is
     JC> NOT exploitable to run arbitrary code in anything
     JC> approaching a real-world scenario.
    [...]
     JC> The ASN.1 vulnerabilities discovered by Eeye (there
     JC> were several very similar ones) resulted in a memcpy
     JC> of 4GB less a few bytes (0xFFFFFFFX) bytes to the
     JC> process heap. This will quickly corrupt the entire
     JC> heap and hit a guard page or unpaged address and cause
     JC> an unhandled exception. When this unhandled exception
     JC> occurs, application and then OS exception handlers
     JC> will be called in order to attempt to deal with the
     JC> protection fault.

     JC> These exception handlers, in virtually every Microsoft
     JC> application, do NOT use the heap since it is not
     JC> guaranteed to be in a consistent state. This rules out
     JC> the possibility of simply causing an exception and
     JC> having the exception handlers traverse the heap and
     JC> cause an arbitrary memory overwrite leading to code
     JC> execution.
    [...]
     JC> The result, quite honestly, is a non-exploitable
     JC> condition. This issue is limited in scope to a denial
     JC> of service vulnerability.

    Well... ok... let's think about it for a while...

    It's easy to realise that one occurence of construct like this:

    try {
        ... vulnerable code here ...
    }
    catch {
        // free allocated memory or so
        return false; // this function should never throw exceptions
    }

    Only *one* occurence is enough to make the bug exploitable.

    Yes, I know code like this should *never* be used, but it's already widely
    known that such constructs can be found even in .NET Framework code which
    was meant to be secure from the first day.

    -- 
    Slawomir Piotrowski
    

  • Next message: Darren Tucker: "Re: AIX password enumeration possible"

    Relevant Pages