
Re: [News] Another Crease - Stack Overflow in Vista Found

  • Subject: Re: [News] Another Crease - Stack Overflow in Vista Found
  • From: OK <otto@xxxxxxxxx>
  • Date: Wed, 18 Oct 2006 13:38:54 +0200
  • Newsgroups: comp.os.linux.advocacy
  • References: <1161120149.355974.249900@b28g2000cwb.googlegroups.com>
  • Xref: news.mcc.ac.uk comp.os.linux.advocacy:1171164
On 17 Oct 2006 14:22:29 -0700, "Roy Schestowitz"
<newsgroups@xxxxxxxxxxxxxxx> wrote:

>http://sysdream.com/articles/Stack%20overflow%20on%20Windows%20Vista.pdf
>
>        (PDF warning)
>
>It is only one among many flaws that have already been
>spotted in what is supposedly "the most secure O/S ever".
>Some flaws were more severe.

What Vista "flaw" are you talking about? The author merely succeeded in
compromising his own program, which was deliberately written to be
compromisable in the first place.

What's the deal?

Next, let's look at his code, and see what the Microsoft compiler has
to say about it:

#include "stdafx.h"   // MSVC precompiled header; the program was built with Visual C++
#include <string.h>

void vuln(char * temp);

int main(int argc, char* argv[])
{
    if(argc>1)
    {
        vuln(argv[1]);   // argv[1] is attacker-controlled and of unbounded length
        return 0;
    }
}

void vuln(char *temp)
{
    char buf[500];       // fixed 500-byte stack buffer
    strcpy(buf,temp);    // unbounded copy: the deliberate stack overflow (line 18 in the warnings below)
}

Compiled with the default options:

warning C4996: 'strcpy': This function or variable may be unsafe.
Consider using strcpy_s instead. To disable deprecation, use
_CRT_SECURE_NO_WARNINGS. See online help for details.
c:\...\vuln.cpp 18

Next, let's turn on the code analyzer:

warning C6204: Possible buffer overrun in call to 'strcpy': use of
unchecked parameter 'temp'    c:\...\vuln.cpp    18

Uh, oh. So here are the rules of the game:

1) Write a naive program with a blatant flaw.
2) Turn off warnings and code analysis, and ignore everything the compiler
says about your sloppy code.
3) Exploit the flaw you purposely coded in in the first place.
4) Claim it's an OS flaw.

Did I miss something?

Oh, I know, Vista is supposed to make those attacks less likely to
succeed and maybe should have magically caught the programming error,
but how does Linux cope with the above code?
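As an added illustration (not part of the post or the sysdream paper), here is the same 500-byte stack buffer with the copy bounded the way the compiler's strcpy_s suggestion implies. safe_strcpy is a hypothetical portable stand-in, since glibc on Linux does not ship strcpy_s, and demo_input feeds it constructed sample arguments.

```c
#include <errno.h>
#include <string.h>

/* Hypothetical portable stand-in for C11 Annex K strcpy_s (the call the MSVC
 * warning recommends); glibc does not provide strcpy_s. Same contract: if src
 * does not fit, dest becomes "" and a nonzero code is returned, so the write
 * never runs past destsz bytes. */
int safe_strcpy(char *dest, size_t destsz, const char *src)
{
    if (dest == NULL || destsz == 0)
        return EINVAL;
    if (src == NULL) {
        dest[0] = '\0';
        return EINVAL;
    }
    size_t n = 0;                       /* bounded scan: never reads past destsz */
    while (n < destsz && src[n] != '\0')
        n++;
    if (n >= destsz) {                  /* n == destsz: no room for the terminator */
        dest[0] = '\0';
        return ERANGE;
    }
    memcpy(dest, src, n + 1);           /* n < destsz, terminator included */
    return 0;
}

/* Hardened counterpart of the post's vuln(): same 500-byte stack buffer, but
 * the copy is bounded and the caller learns whether the argument was rejected.
 * Returns the copied length on success or the errno-style code on rejection. */
int vuln_fixed(const char *temp)
{
    char buf[500];
    int rc = safe_strcpy(buf, sizeof buf, temp);
    return rc != 0 ? rc : (int)strlen(buf);
}

/* Constructed sample input (not from the post): `len` bytes of 'A', fed to
 * vuln_fixed(). 499 bytes fit; 500 or more are rejected with ERANGE. */
int demo_input(size_t len)
{
    static char arg[2048];
    if (len >= sizeof arg)
        return EINVAL;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return vuln_fixed(arg);
}
```

On Linux the unbounded strcpy from the post draws no warning from gcc -Wall, because the compiler cannot know the length of argv[1]; what catches it at run time is glibc's fortified strcpy (-O2 -D_FORTIFY_SOURCE=2, which knows buf is 500 bytes and aborts on overflow) and the stack protector (-fstack-protector-strong), not the OS by itself. Either way the fix belongs in the program, which is the bounded copy above.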

