Bugtraq mailing list archives

Lcc-win32 infos diffusion


From: Auriemma Luigi <bugtest () sitoverde com>
Date: Fri, 2 Aug 2002 21:07:35 +0000


######################################################################

Application: Lcc-win32 (http://www.cs.virginia.edu/~lcc-win32/)
Version:     ALL, including future releases (bug ONLY on Win9x/Me, NOT
             on other Windows versions; see the Fix section for details)
Bug:         Pieces of the computer's memory are inserted after the
             import table of executables created with Lcc.
Risk:        Possible disclosure of personal information. The memory
             copied into the exe can contain pieces of files, system
             and user information, or anything else.
Author:      Auriemma Luigi (e-mail: bugtest () sitoverde com)

######################################################################


Sections:
1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy

----------------------------------------------------------------------

1) Introduction

Lcc is a really excellent and very widespread free C compiler for
Win32.
It also contains a good IDE (Wedit) for creating or continuing projects
easily.
For example I use it to compile everything I write in C, including the
proof-of-concept programs attached to my advisories (eh eh, you can
imagine my face when I found this bug and thought of all the code I
have distributed before...).

----------------------------------------------------------------------

2) Bug

As I said in the header of this advisory, the bug is reproducible
ONLY on Windows 9x/Me.
When Lcc compiles a source file it inserts some bytes (overlay) after
the import table.
Normally these bytes should all be zeros, but that is not the case on
Win9x/Me.

Not every executable ends up filled with parts of memory; this seems
to depend on the size of the resulting exe (not sure).
For example, if we insert or delete some lines in a source file that
does not reproduce the bug and then recompile it, we will see that it
now contains other bytes instead of the normal 0x00 bytes.

This is a simple example:

 example.c
-----------
#include <stdio.h>

int main(void) {
        printf("Lcc bug\n");
        return(0);
}
-----------

If we compile this little program we will see that after the import
table there are some bytes (just after CRTDLL.DLL and some '@') that
differ each time we compile it.

This means that we can find parts of other files, parts of the source
code (or of its assembly), system and user info, random pieces of
memory and more.

For example, in some of my executables I found a file with some
e-mail addresses of my friends, information about my system and also
a piece of a bug report I had written some days before!

Take a look at example.exe compiled on my machine:

0000b30: 3040 0043 5254 444c 4c2e 444c 4c00 0014  0@.CRTDLL.DLL...
0000b40: 3040 0014 3040 0014 3040 0014 3040 0014  0@..0@..0@..0@..
0000b50: 3040 003d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  0@.=============
0000b60: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ================
0000b70: 3d3d 3d0a 4946 2045 5849 5354 206a 6574  ===.IF EXIST jet
0000b80: 7479 656e 762e 6261 7420 4341 4c4c 206a  tyenv.bat CALL j
0000b90: 6574 7479 656e 762e 6261 740a 0a72 656d  ettyenv.bat..rem
0000ba0: 203d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d   ===============
0000bb0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ================
0000bc0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ================
0000bd0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 0a72 656d  ============.rem
0000be0: 203d 3d20 6368 6563 6b20 666f 7220 4a41   == check for JA
0000bf0: 5641 5f48 4f4d 4520 656e 7600 0000 0020  VA_HOME env....
0000c00: 0000 0000 0000 0020 0000 0000 1000 0000  ....... ........
0000c10: 1400 0000 2000 0000 2400 00              .... ...$..

The bytes after the last "0@." are exactly the bytes of the file
jetty.bat, a batch file of a Java web server!!!

----------------------------------------------------------------------

3) The Code

Look at the bytes after the import table of executables compiled
with Lcc.

----------------------------------------------------------------------

4) Fix

The author of Lcc told me that this is a problem of the operating
systems listed above, because they do not clear memory properly, so
no official patch exists.

However, it is very simple to get rid of this problem.
You can manually delete, overwrite or check these useless bytes, or do
it automatically with utilities that strip Windows PE executables.

My choice is FileScanner. This excellent free utility, which does a
lot of useful and interesting things, can also reduce the file size
and delete these useless and "anti-privacy" bytes.

The homepage of FS is http://smf.chat.ru/
You can download it directly from http://smf.chat.ru/files/fs.zip
So to fix your applications compiled with Lcc, you can simply use:

fs -se file.exe
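
As an added example (not part of this advisory, and not Lcc's or FileScanner's code), here is a small Python checker for what sections 3 and 4 describe: it walks the import directory of a PE32 file to find the last byte the import data references, returns the file-offset span of the import section after that point (which should be all zeros), and zeroes it. build_sample constructs a tiny PE importing CRTDLL.DLL!printf whose section tail is seeded with a constructed leak so the check runs offline; the function and field names are this example's own.

```python
import struct

def _layout(pe):
    """(optional header offset, [(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), ...])."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[pe_off:pe_off + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    secs = [struct.unpack_from("<IIII", pe, pe_off + 24 + opt_size + 40 * i + 8) for i in range(nsec)]
    return pe_off + 24, [(va, vs, rp, rs) for vs, va, rs, rp in secs]

def _off(secs, rva):
    return next(rva - va + rp for va, vs, rp, rs in secs if va <= rva < va + max(vs, rs))  # RVA -> file offset

def import_slack_span(pe):
    """File-offset range [start, end) of the import section that lies past the last
    byte the import directory references; on a clean build it is all zeros."""
    opt, secs = _layout(pe)
    imp = struct.unpack_from("<I", pe, opt + 104)[0]           # DataDirectory[1].VirtualAddress (PE32)
    cend = lambda rva: rva + pe.index(b"\0", _off(secs, rva)) - _off(secs, rva) + 1  # RVA past the NUL
    used = d = imp
    while True:                                                # IMAGE_IMPORT_DESCRIPTOR array
        oft, _, _, name, ft = struct.unpack_from("<IIIII", pe, _off(secs, d))
        used, d = max(used, d + 20), d + 20
        if not (name or ft): break                             # all-zero terminator
        used = max(used, cend(name))                           # DLL name string
        for t in (oft, ft):                                    # ILT and IAT thunk arrays
            while t:
                ent = struct.unpack_from("<I", pe, _off(secs, t))[0]
                used, t = max(used, t + 4), t + 4 if ent else 0
                if ent and not ent & 0x80000000:               # by-name entry: hint + name
                    used = max(used, cend(ent + 2))
    va, vs, rp, rs = next(s for s in secs if s[0] <= imp < s[0] + max(s[1], s[3]))
    return _off(secs, used), rp + rs

def scrub_import_slack(pe):                                    # the fix: zero the slack
    s, e = import_slack_span(pe)
    return pe[:s] + bytes(e - s) + pe[e:]

def build_sample(leak=b""):
    """Constructed PE32 importing CRTDLL.DLL!printf; `leak` (<= 180 bytes) is left after the import data."""
    va = 0x3000                                                # .idata RVA; raw data at file offset 0x200
    idata = struct.pack("<IIIII", va + 0x28, 0, 0, va + 0x41, va + 0x30) + bytes(20)
    idata += struct.pack("<II", va + 0x38, 0) * 2 + b"\0\0printf\0CRTDLL.DLL\0" + leak
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<IIIII", opt, 92, 16, 0, 0, va, 40)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", 0x100, va, 0x100, 0x200, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102) + opt + sec
    return hdr.ljust(0x200, b"\0") + idata.ljust(0x100, b"\0")
```

On a real Lcc build, a non-zero span returned by import_slack_span is the leak this advisory describes; scrub_import_slack only touches bytes nothing in the import directory points to, so the program still runs.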

----------------------------------------------------------------------

5) Philosophy

I am really in favour of FULL-DISCLOSURE, because with it "everyone"
can know the real effects of an attack and the real danger of a bug,
someone can learn a bit of programming (I learned a bit of C from the
source code of some exploits), and it is useful for all the people
who believe in this type of disclosure.
No secrets!

----------------------------------------------------------------------

Any type of feedback is really welcome!

Byez


Attachment: italian.zip
Description: Italian advisory
