Bugtraq mailing list archives
Re: WinNT syscalls insecurity
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Sun, 19 Oct 1997 14:24:19 -0400
At 04:02 AM 10/19/97 -0300, Solar Designer wrote: [snip interesting stuff]
This makes me think many syscalls won't process invalid parameters correctly (that is, just set NT status and exit). Some will likely crash the system. I suspect a program doing random syscalls with random parameters would crash the system quite fast, should try some day. ;^)
This is exactly what ntcrash by Russinovich (and the other guy whose name escapes me at the moment) did about a year ago. They fixed most of this in SP1 or SP2.
Here goes the NtCreateProcess exploit, compile with Cygwin32, the GCC port:
What patch level have you tested this under? Your results can very well vary depending on whether SP3+getadmin fixes were applied. Costin Rau (sp?) found a number of NtXXX calls which caused crashes if they were fed a 0xFFFFFFFF pointer, and all of these were fixed by the second attempt at the getadmin patch. Costin did a fairly extensive job of checking back in July. If you conducted this under an unpatched version of NT, then you may want to apply latest patches and look again. If you were at full patches, it looks to me like they have a few more to clean up.

BTW, self-inflicted denial of service attacks aren't at the top of my list of evils. OTOH, if you were to find a way to set the NtGlobalFlag again, now _that_ would be interesting.

David LeBlanc              |Why would you want to have your desktop user,
dleblanc () mindspring com |your mere mortals, messing around with a 32-bit
                           |minicomputer-class computing environment?
                           |Scott McNealy
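An added illustration, not code from this thread and not NT's own, of the parameter handling the exchange is about: a syscall handler that probes every caller-supplied pointer and returns an NT status on a bad one (such as 0xFFFFFFFF, which wraps a naive base-plus-length test) instead of dereferencing it. The 32-bit user-space limit, the simulated user memory at USER_MEM_BASE and the handler itself are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005)
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023)

/* Assumption: 32-bit NT layout, user addresses lie below 0x80000000. */
#define USER_LIMIT 0x80000000ULL
/* Simulated user pages so the example runs as an ordinary program:
 * user_mem stands in for the memory at USER_MEM_BASE (constructed). */
static uint8_t user_mem[256];
#define USER_MEM_BASE 0x00010000u

/* Nonzero iff [addr, addr+len) lies entirely in user space. The sum is
 * taken in 64 bits so addr = 0xFFFFFFFF cannot wrap and pass the test. */
int probe_user_range(uint32_t addr, uint32_t len)
{
    return len == 0 || (uint64_t)addr + len <= USER_LIMIT;
}

/* Map an already-probed user address onto the simulation; NULL means not
 * present (a real kernel would fault here, which the probe turns into a status). */
static uint8_t *user_ptr(uint32_t addr, uint32_t len)
{
    if (addr < USER_MEM_BASE ||
        (uint64_t)addr + len > USER_MEM_BASE + sizeof user_mem)
        return NULL;
    return user_mem + (addr - USER_MEM_BASE);
}

/* Simulated NtXxx handler filling a caller-supplied buffer. The order
 * matters: probe every user pointer, fail with a status, and only then
 * write through it, so a bad pointer never faults in kernel mode. */
NTSTATUS sim_nt_query(uint32_t buf, uint32_t len, uint32_t retlen)
{
    static const char answer[] = "query-result";
    uint32_t need = sizeof answer;           /* 13 bytes incl. NUL */
    if (!probe_user_range(buf, len) || !probe_user_range(retlen, 4))
        return STATUS_ACCESS_VIOLATION;
    uint8_t *rl = user_ptr(retlen, 4);
    if (rl == NULL) return STATUS_ACCESS_VIOLATION;
    memcpy(rl, &need, sizeof need);          /* report required size */
    if (len < need) return STATUS_BUFFER_TOO_SMALL;
    uint8_t *dst = user_ptr(buf, len);
    if (dst == NULL) return STATUS_ACCESS_VIOLATION;
    memcpy(dst, answer, need);
    return STATUS_SUCCESS;
}
```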