Bugtraq mailing list archives
Re: xlock mishandles malformed .signature/.plan
From: tschweik () FIDUCIA DE (tschweik () FIDUCIA DE)
Date: Wed, 11 Nov 1998 09:48:08 +0100
Jochen Thomas Bauer wrote: [...]
there may be some more "scenarios", depending on the
architecture/compiler/options
combination used to compile xlock, so the question is if there is any combination of architecture/compiler/options that will produce code that contains a security hole.
[...] I have found two compilers generating security holes this way: - Microwerks CodeWarrior for Macintosh - ORCA/C for GS/OS (Apple IIgs) - various microcontroller compilers CodeWarrior generates, with optimizations enabled, a program that simply crashes, while overwriting a byte of program stack. ORCA/C isn't capable of handling negative indexes. There might be some more compilers out there not able handling negative indexes (I pointed this out to the list, but my mail didn't get trough): ANSI-C doesn't tell how a compiler has to handle negative indexes. They may be handled as you expect, -1 is one less than the pointer or they may be handled like pointer + max. unsigned int which turns out to be pointer + 65535. In reality this depends on the capabilities of your hardware. If indexing is possible with one byte it is pointer + 255. If four byte it is pointer + (2^32)-1. The byte really accessed depends on how wide your address bus is. If index-with and address-bus-width match nothing will be wrong. If not (index size is smaller) pray! On some CPU this might be more complex as described here, depending on CPU mode. Wraparound may occur at segment boundaries or similar odd things...! ORCA/C will therefor overwrite a byte offset 65535 bytes from pointer. In most cases this doesn't have any immediate effect, but some time later (you might have the malicious program finished already) the system crashes. Most Microcontroller C-Compilers allocate string space not directly on stack. They allocate memory leaving only a pointer to it on stack, cause of low stack space. Some of these Compilers may fiddle with negative indexes correctly (as one would expect), some don't, some generate runtime errors instead. All possible to, at least, DoS attacks. -- Thomas Schweikle <tschweik () fiducia de> PS.: ORCA/C was once built for the Apple IIgs operating system GS/OS. Does anyone fiddle with it anymore? Maybe using GNO/ME environment with it?
Current thread:
- Re: xlock mishandles malformed .signature/.plan Jochen Thomas Bauer (Nov 06)
- Re: xlock mishandles malformed .signature/.plan Aaron Campbell (Nov 07)
- shadow problems. twiztah (Nov 08)
- tcpd -DPARANOID doesn't work, and never did D. J. Bernstein (Nov 08)
- Re: tcpd -DPARANOID doesn't work, and never did Warner Losh (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did Peter Wemm (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 10)
- Re: tcpd -DPARANOID doesn't work, and never did Warner Losh (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did Chip Christian (Nov 10)
- <Possible follow-ups>
- Re: xlock mishandles malformed .signature/.plan tschweik () FIDUCIA DE (Nov 09)
- Re: xlock mishandles malformed .signature/.plan tschweik () FIDUCIA DE (Nov 11)