Dailydave mailing list archives

Gibson redux


From: Dave Aitel <dave () immunityinc com>
Date: Fri, 13 Jan 2006 13:50:54 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


So I think what I decided was that you can get the size wrong and the
thing will still work because it automatically calls Abort when it
sees the zeros. But you can also trigger it by manually aborting after
you call SetAbort. And the SetAbort thing itself will work when you
give it the wrong length of data for the function - but it works
better when you give it the right length. I think the original exploit
had an invalid length there or something and everyone copied it cause
it worked. At this point: Whatever.


I think maybe if there was a backdoor in Windows, which there isn't
because MS has shareholders and they'd get mighty pissed if there was,
it would be cryptographically strong. I.e., what's the point of a
backdoor everyone can take advantage of? You'd need to be able to hook
RSA or DSA routines from crypto.dll to do it right.


-dave


http://www.grc.com/sn/SN-022.htm


*Steve:* You know, that's crazy. But what's even more crazy is what it
took for me to make it do this. As I said before, each record in a
metafile begins with a four-byte length, followed by a two-byte
function number. So in other words, each metafile record has six bytes
minimum that it can possibly be in size. Oh, and since the size is in
words, the smallest possible size for a metafile record would be three
words long, or six bytes. Look, the reason I had problems making this
exploit happen initially is I was setting the length correctly. It
turns out that the only way to get Windows to misbehave in this
bizarre fashion is to set the length to one, which is an impossible
value. I tried setting it to zero. It didn't trigger the exploit. I
tried setting it to two, no effect. Three, no effect. Nothing, not
even the correct length. Only one.

*Leo:* And why were you experimenting? Isn't the exploit well known
and documented, and isn't there exploit code floating around?

*Steve:* No. I mean, what we've got, Leo, is a bunch of
misunderstanding and sort of strange half explanations. I mean, you
know, and frankly...

*Leo:* So none of the hacker sites have exploit code up.

*Steve:* Oh, no, many of them do. But no one is really looking - see,
they don't care about how Windows is working. They just want to get
their code to run.

*Leo:* Right.

*Steve:* And so, you know, because I'm a developer when I'm not being
a hacker, I wanted to understand - oh, and the other thing is, I want
to write a robust testing application, you know, that always works all
the time. So I wanted to know, like, okay, what bytes have to be set
which way, what matters, what doesn't. Because, you know, that's the
way you get something that is as solid as, you know, the code that I
put out from GRC. So what I found was that, when I deliberately lied
about the size of this record and set the size to one and no other
value, and I gave this particular byte sequence that makes no sense
for a metafile, then Windows created a thread and jumped into my code,
began executing my code. Okay, Leo? This was not a mistake. This is
not buggy code. This was put into Windows by someone. We are never
going to know who. We're never going to know - well, actually I'm
going to find out when because we're going to know when this appeared
because this appeared - I'm guessing this is not in older versions of
Windows, which is why this function - or if it is in older versions of
Windows, it's done slightly differently. I'm still on the hunt.

So this is not my last report on this. I expect to have a much better
sense for this a week from now. But the only conclusion I can draw is
that there has been code from at least Windows 2000 on, and in all
current versions, and even, you know, future versions, until it was
discovered, which was deliberately put in there by some group, we
don't know at what level or how large in Microsoft, that gave them the
ability that they who knew how to get their Windows systems to
silently and secretly run code contained in an image, those people
would be able to do that on remotely located Windows machines...

*Leo:* So you're saying intentionally or - Microsoft intentionally put
a backdoor in Windows? Is that what you're saying?

*Steve:* Yes.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDx/aOB8JNm+PA+iURAkoSAJwPjpizdCyhHlpFjK2JIWe6r2w/pACfSGSS
XqXP6TB9qIKxJUrBSvX667I=
=WxsL
-----END PGP SIGNATURE-----
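The record layout the quoted transcript turns on (a 4-byte size in words, then a 2-byte function number, three words minimum) is enough to write a walker that flags the shape being argued about: a record whose size field is below the minimum, and an ESCAPE record carrying the SetAbortProc subcode. The code below is an added example written for this page, not code from the original post or from GRC. The 18-byte METAHEADER layout, the function number 0x0626 for ESCAPE and the escape subcode 9 for SetAbortProc are taken from the Windows GDI definitions, not from the page, and both byte strings are constructed here rather than captured files. The walker reports only what it finds in the bytes; it does not model what Windows GDI does with such a record.

```c
/* wmf_records.c: walk the record stream of a Windows Metafile and flag the
 * two things the quoted transcript turns on: a record whose 4-byte size
 * (in words) is below the 3-word minimum, and an ESCAPE record carrying the
 * SetAbortProc escape code.  Added example for this page, not code from the
 * original post.  The walker only reports what it sees in the bytes; it does
 * not model what Windows GDI does with such a record. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WMF_HEADER_BYTES  18      /* standard METAHEADER, 9 words (assumed to precede records) */
#define MIN_RECORD_WORDS  3       /* 4-byte size + 2-byte function number = 3 words */
#define META_EOF          0x0000  /* terminating record */
#define META_ESCAPE       0x0626  /* GDI escape record (Windows constant, not from the page) */
#define ESC_SETABORTPROC  9       /* escape subcode for SetAbortProc (Windows constant) */

struct wmf_report {
    int verdict;        /* -1 no header, 0 clean, 1 suspicious */
    int records;        /* record headers read */
    int short_records;  /* records whose size field is below MIN_RECORD_WORDS */
    int setabortproc;   /* ESCAPE records with subcode SETABORTPROC */
    int truncated;      /* a declared size ran past the end of the buffer */
    size_t stop_offset; /* byte offset at which the walk ended */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

struct wmf_report wmf_walk(const uint8_t *buf, size_t len)
{
    struct wmf_report r;
    memset(&r, 0, sizeof r);
    if (len < WMF_HEADER_BYTES) { r.verdict = -1; return r; }

    size_t off = WMF_HEADER_BYTES;
    while (off + 6 <= len) {                  /* room for one minimal record */
        uint32_t words = rd32(buf + off);     /* size in 16-bit words, header included */
        uint16_t func  = rd16(buf + off + 4); /* GDI function number */
        r.records++;

        if (func == META_EOF) { off += 6; break; }
        if (words < MIN_RECORD_WORDS)         /* impossible on a well-formed file */
            r.short_records++;
        if (func == META_ESCAPE && off + 8 <= len &&
            rd16(buf + off + 6) == ESC_SETABORTPROC)
            r.setabortproc++;

        /* Never let a size below the minimum drive the cursor: step by the
         * minimum so the walk always makes progress.  The division keeps the
         * bounds check free of 32-bit overflow on huge size fields. */
        size_t step = words < MIN_RECORD_WORDS ? MIN_RECORD_WORDS : words;
        if (step > (len - off) / 2) { r.truncated = 1; break; }
        off += step * 2;
    }
    r.stop_offset = off;
    r.verdict = (r.short_records || r.setabortproc || r.truncated) ? 1 : 0;
    return r;
}

/* Constructed sample, not a real file: header, SETMAPMODE(MM_TEXT), EOF. */
static const uint8_t CLEAN_WMF[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x10,0x00,0x00,0x00,      /* type, hdr size, version, size */
    0x00,0x00, 0x04,0x00,0x00,0x00, 0x00,0x00,                 /* objects, max record, params */
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x01,0x00,                 /* SETMAPMODE, 4 words */
    0x03,0x00,0x00,0x00, 0x00,0x00,                            /* EOF, 3 words */
};

/* Constructed sample with the shape the transcript describes: an ESCAPE
 * record with subcode 9 whose size field is 1, below the 3-word minimum. */
static const uint8_t ABORTPROC_WMF[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x13,0x00,0x00,0x00,
    0x00,0x00, 0x07,0x00,0x00,0x00, 0x00,0x00,                 /* METAHEADER */
    0x01,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x04,0x00,      /* size=1, ESCAPE, SETABORTPROC, 4 input bytes */
    0xCC,0xCC,0xCC,0xCC,                                       /* placeholder escape data */
    0x03,0x00,0x00,0x00, 0x00,0x00,                            /* EOF */
};

struct wmf_report scan_clean(void) { return wmf_walk(CLEAN_WMF, sizeof CLEAN_WMF); }
struct wmf_report scan_abort(void) { return wmf_walk(ABORTPROC_WMF, sizeof ABORTPROC_WMF); }

static void show(const char *name, struct wmf_report r)
{
    printf("%-6s verdict=%d records=%d short=%d setabortproc=%d truncated=%d stop=%zu\n",
           name, r.verdict, r.records, r.short_records, r.setabortproc, r.truncated, r.stop_offset);
}

int main(void)
{
    show("clean", scan_clean());
    show("abort", scan_abort());   /* after the lying size, the bytes at +6 parse as a bogus record */
    return 0;
}
```

Note how the second sample derails: once the size field lies, the bytes six past the record start are read as the next header, and a parser has no reliable way to resynchronise. Scanning for a size below three words and for ESCAPE records with the SetAbortProc subcode is therefore a cheap filter for such files, independent of what the GDI code ends up doing with them.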

