Bugtraq mailing list archives
IRIS 1.01 "BETA" ISSUE
From: Ussr Labs <labs () USSRBACK COM>
Date: Fri, 1 Sep 2000 03:20:56 -0300
I want to clear up a few comments about USSR Advisory #52. One regarding the DoS against Iris 1.01 "BETA", and the other regarding "in this case Eeye".

First: The bug which we found in Iris 1.01 was tested with more than 3 machines in our lab, including other machines outside our lab. Each target machine was a PII with 64mb, 10mb network, with service pack 6a. The first time I noticed the problem was when I was flooding a target machine on the network and realized that Iris was acting rather peculiar until it crashed. After flooding the target machine on the local network with random protocols and ports, I had isolated the problem. As I looked into it, I noticed that one of the 13 threads that Iris spawned was getting an invalid memory direction in the paint, or possibly the refresh function. The problem doesn't lie with Windows' refresh function, rather with the poor code of Iris 1.01. Maybe Eeye thinks that stability is less important than updating the screen in realtime.

Some people have said that if one floods any bound port on said target setup, the CPU will be at 100% utilization. I beg to differ. Why doesn't someone go ahead and flood IIS 5.0's web server with random urls, and tell me if their load gets close to 100%? If anyone has actually attempted this, they will realize that the utilization goes no higher than about 20%. (Local network with more than 200 simultaneous connections.) The problem lies not with the Windows NT code, rather with the poor code of Eeye. Poor enough to allow us to write an advisory like the Iris 1.01 DoS.

Here is another example of the poor code of Iris: When you open up Iris, it writes out a file called "settings.html", and upon closure, it deletes the file. So far so good; however, if one creates a "settings.html" and sets it to be read-only, the program refuses to load. Only after the removal of this file will Iris begin to load properly. This is a poor example, but it shows the laziness of coding involved.

Second: Regarding the beta thing, I can understand selling a product which is in a beta release, but selling an unstable product for $550 seems outrageous. How long has this product even been on the market? A month? Maybe even 3? Very few vendors release software using the title "beta" simply because they know their products are unstable or have bugs. In this case the vendor should be VERY clear and say that their product is INDEED A BETA. A beta which is unstable.

Final note: I still wonder why people/vendors feel that finding a bug in their product is such a bad thing. Finding a bug and reporting it is beneficial to the vendor, allowing a chance for a stronger product.

Extra special thanks to Evan Brewer. <dm () el8 org>

Thanks for listening.

Luciano Martins
Ussr, underground security systems research
http://www.ussrback.com
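The "settings.html" failure mode above (a stale, read-only copy of a scratch file stops the program from loading at all) is a startup-robustness bug. As an added illustration, not code from the post or from the Iris product, the Python below models the described behaviour beside a hardened startup routine that clears the read-only bit and, failing that, falls back to a private temporary copy; the file contents and the `demo()` scenario are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

SETTINGS_BODY = "<html><!-- session settings (constructed placeholder) --></html>"


def fragile_startup(settings: Path) -> bool:
    """Behaviour described for Iris 1.01: refuse to load if the file is not writable."""
    try:
        settings.write_text(SETTINGS_BODY)
    except PermissionError:
        return False  # a stale read-only settings.html blocks the whole program
    return True


def robust_startup(settings: Path) -> tuple[bool, Path]:
    """Same write, but a stale read-only file is handled instead of being fatal.
    Returns (started, path actually used)."""
    try:
        settings.write_text(SETTINGS_BODY)
        return True, settings
    except PermissionError:
        pass
    try:  # clear the read-only bit on the stale file and retry
        settings.chmod(settings.stat().st_mode | stat.S_IWUSR)
        settings.write_text(SETTINGS_BODY)
        return True, settings
    except OSError:
        pass
    fd, tmp = tempfile.mkstemp(suffix=".html")  # last resort: private scratch copy
    with os.fdopen(fd, "w") as fh:
        fh.write(SETTINGS_BODY)
    return True, Path(tmp)


def demo() -> dict:
    """Constructed scenario: a stale, read-only settings.html left in the work dir."""
    settings = Path(tempfile.mkdtemp()) / "settings.html"
    settings.write_text("<html>stale</html>")
    settings.chmod(stat.S_IRUSR)  # read-only, as in the report
    fragile = fragile_startup(settings)
    started, used = robust_startup(settings)
    return {"fragile_started": fragile, "robust_started": started,
            "used_fallback": used != settings}


if __name__ == "__main__":
    print(demo())
```

When run as an unprivileged user, `fragile_started` is False while `robust_started` is True; a root user can write a read-only file, so only the robust result is stable across environments.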