re: RunAs weirdness...

From: KRFinisterre@checkfree.com
Date: 12/18/01


To: vuln-dev@security-focus.com
From: KRFinisterre@checkfree.com
Date: Tue, 18 Dec 2001 13:12:21 -0500

I tested the runas issue that was recently posted on my Win2k build
5.00.2195 box. The result was similar to jesperht@hotmail.com's results,
however I was able to see some of my data on the stack... from within
cygwin I did:

Administrator@TERMSRV ~
$ runas /user:administrator
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

I noticed that if you use too many chars, your data is no longer on the
stack at the point where it crashed... it references some other
point in memory.

The above string generated an error that stated:

The instruction at "0x77fc90cd" referenced memory at "0x00420042". The
memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.

The reason half of my string is A's and the other half is B's is because I
wanted to make sure that it was indeed my data on the stack. If the string
is all A's by themselves then the error is as follows.

The instruction at "0x77fc90cd" referenced memory at "0x00410041". The
memory could not be "written"
Click on OK to terminate the program
Click CANCEL to debug the program.

If you feed it too many A's you get the error:
The instruction at "0x77dd7ef6" referenced memory at "0x00078000". The
memory could not be "written"
Click on OK to terminate the program

and no option to debug.

If I remember correctly, the .ida and .idq overflows on IIS left a similar
address on the stack with nulls in it, like 0x00410041,
and the fellas at eEye busted out some ninja technique to exploit it
anyway.
-KF
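The check the post does by hand (is the faulting address made of my test bytes, read as the UTF-16LE characters runas sees on its command line?) as a small triage script. This is an added example, not code from the original post; it assumes the dialog text is transcribed as above and that the pattern alphabet is the A's and B's used in the test.

```python
import re

# Constructed input: the three fault dialogs transcribed in the post above.
DIALOGS = [
    'The instruction at "0x77fc90cd" referenced memory at "0x00420042". '
    'The memory could not be "written"',
    'The instruction at "0x77fc90cd" referenced memory at "0x00410041". '
    'The memory could not be "written"',
    'The instruction at "0x77dd7ef6" referenced memory at "0x00078000". '
    'The memory could not be "written"',
]

# Tolerates both "referenced" and the post's "refrenced" spelling.
_ADDR_RE = re.compile(
    r'at "0x([0-9a-fA-F]{8})" ref\w*enced memory at "0x([0-9a-fA-F]{8})"'
)


def parse_dialog(text):
    """Return (instruction_addr, fault_addr) from a Windows fault dialog."""
    m = _ADDR_RE.search(text)
    if not m:
        raise ValueError("not a recognised fault dialog")
    return int(m.group(1), 16), int(m.group(2), 16)


def classify_fault(fault_addr, alphabet):
    """Decide whether the faulting address is built from the test string.

    The command line reaches runas as UTF-16LE, so each ASCII input char
    occupies two bytes ('B\\x00'); 0x00420042 is the little-endian bytes
    42 00 42 00, i.e. the string "BB" in that encoding. An address whose
    bytes are not all pattern characters (0x00078000) is not input-derived.
    """
    raw = fault_addr.to_bytes(4, "little")
    try:
        wide = raw.decode("utf-16-le")
    except UnicodeDecodeError:  # lone surrogate: cannot be pattern text
        return {"input_controlled": False, "chars": None}
    if wide and all(c in alphabet for c in wide):
        return {"input_controlled": True, "chars": wide}
    return {"input_controlled": False, "chars": None}


def triage(text, alphabet="AB"):
    """Parse one dialog and report whether the fault address is our data."""
    insn, fault = parse_dialog(text)
    result = classify_fault(fault, alphabet)
    result.update(instruction=insn, fault=fault)
    return result
```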


