On 17 Oct 2006 14:22:29 -0700, "Roy Schestowitz"
<newsgroups@xxxxxxxxxxxxxxx> wrote:
>http://sysdream.com/articles/Stack%20overflow%20on%20Windows%20Vista.pdf
>
> (PDF warning)
>
>It is only one among many flaws that have already been
>spotted in what is supposedly "the most secure O/S ever".
>Some flaws were more severe.
What Vista "flaw" are you talking about? The author merely succeeded in
compromising his own program, which was deliberately written to be
compromisable in the first place.
What's the deal?
Next, let's look at his code, and see what the Microsoft compiler has
to say about it:
#include "stdafx.h"   /* Visual C++ precompiled header; drop it when building elsewhere */
#include <string.h>

void vuln(char *temp);

int main(int argc, char *argv[])
{
    if (argc > 1)
    {
        vuln(argv[1]);
        return 0;
    }
    return 1;   /* no argument supplied: nothing to copy */
}

/* Deliberately unsafe: the attacker-controlled string is copied into a
   fixed 500-byte stack buffer with no length check at all. */
void vuln(char *temp)
{
    char buf[500];
    strcpy(buf, temp);
}
Compiled with the default options:
warning C4996: 'strcpy': This function or variable may be unsafe.
Consider using strcpy_s instead. To disable deprecation, use
_CRT_SECURE_NO_WARNINGS. See online help for details. c:\...\vuln.cpp 18
Next, let's turn on the code analyzer:
warning C6204: Possible buffer overrun in call to 'strcpy': use of
unchecked parameter 'temp' c:\...\vuln.cpp 18
Uh, oh. So here are the rules of the game:
1) Write a naive program with a blatant flaw.
2) Turn off warnings, code analysis and ignore everything the compiler
says about your sloppy code.
3) Exploit the flaw you purposely coded in in the first place.
4) Claim it's an OS flaw.
Did I miss something?
Oh, I know, Vista is supposed to make those attacks less likely to
succeed and maybe should have magically caught the programming error,
but how does Linux cope with the above code?
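Added example, not the poster's code: the same 500-byte copy rewritten the way the C4996 warning asks, with strcpy_s-style return codes and the unchecked parameter checked before anything touches the stack buffer. The names copy_checked and vuln_fixed are chosen here, and the inputs in main() are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define BUF_SIZE 500

/* Bounded copy with strcpy_s-like semantics: returns 0 on success,
   ERANGE when src plus its terminator does not fit in dst_size bytes,
   EINVAL on a NULL pointer. On failure dst is an empty string, never a
   partial copy, so callers cannot use half-written data by mistake. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return EINVAL;
    if (src == NULL) {
        dst[0] = '\0';
        return EINVAL;
    }
    /* Scan at most dst_size bytes: an oversized or unterminated src is
       rejected without reading past the limit we are willing to store. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size) {            /* no room for the terminator */
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, len + 1);        /* len + 1 copies the terminator too */
    return 0;
}

/* Hardened counterpart of the post's vuln(): same 500-byte stack buffer,
   but the caller's argument is now length-checked. Returns the status. */
int vuln_fixed(const char *temp)
{
    char buf[BUF_SIZE];
    int rc = copy_checked(buf, sizeof buf, temp);
    if (rc != 0)
        fprintf(stderr, "input rejected (%d): limit is %zu bytes\n",
                rc, sizeof buf - 1);
    return rc;
}

int main(int argc, char *argv[])
{
    if (argc > 1)                     /* same interface as the post's program */
        return vuln_fixed(argv[1]) == 0 ? 0 : 1;
    char big[BUF_SIZE + 100];         /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short: %d, oversized: %d\n", vuln_fixed("hello"), vuln_fixed(big));
    return 0;
}
```

The boundary case matters: a 499-byte string is the longest that fits, and a 500-byte one is rejected because the terminator would be the 501st byte.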