Dailydave mailing list archives
Gibson redux
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 13 Jan 2006 13:50:54 -0500
So I think what I decided was that you can get the size wrong and the thing will still work because it automatically calls Abort when it sees the zeros. But you can also trigger it by manually aborting after you call SetAbort. And the SetAbort thing itself will work when you give it the wrong length of data for the function - but it works better when you give it the right length. I think the original exploit had an invalid length there or something and everyone copied it 'cause it worked.

At this point: Whatever. I think maybe if there was a backdoor in Windows, which there isn't because MS has shareholders and they'd get mighty pissed if there was, it would be cryptographically strong. I.e., what's the point of a backdoor everyone can take advantage of? You'd need to be able to hook RSA or DSA routines from crypto.dll to do it right.

-dave

http://www.grc.com/sn/SN-022.htm

*Steve:* You know, that's crazy. But what's even more crazy is what it took for me to make it do this. As I said before, each record in a metafile begins with a four-byte length, followed by a two-byte function number. So in other words, each metafile record has six bytes minimum that it can possibly be in size. Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.

*Leo:* And why were you experimenting? Isn't the exploit well known and documented, and isn't there exploit code floating around?

*Steve:* No. I mean, what we've got, Leo, is a bunch of misunderstanding and sort of strange half explanations. I mean, you know, and frankly...

*Leo:* So none of the hacker sites have exploit code up.

*Steve:* Oh, no, many of them do. But no one is really looking - see, they don't care about how Windows is working. They just want to get their code to run.

*Leo:* Right.

*Steve:* And so, you know, because I'm a developer when I'm not being a hacker, I wanted to understand - oh, and the other thing is, I want to write a robust testing application, you know, that always works all the time. So I wanted to know, like, okay, what bytes have to be set which way, what matters, what doesn't. Because, you know, that's the way you get something that is as solid as, you know, the code that I put out from GRC. So what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone. We are never going to know who. We're never going to know - well, actually I'm going to find out when because we're going to know when this appeared because this appeared - I'm guessing this is not in older versions of Windows, which is why this function - or if it is in older versions of Windows, it's done slightly differently. I'm still on the hunt. So this is not my last report on this. I expect to have a much better sense for this a week from now.

But the only conclusion I can draw is that there has been code from at least Windows 2000 on, and in all current versions, and even, you know, future versions, until it was discovered, which was deliberately put in there by some group, we don't know at what level or how large in Microsoft, that gave them the ability that they who knew how to get their Windows systems to silently and secretly run code contained in an image, those people would be able to do that on remotely located Windows machines...

*Leo:* So you're saying intentionally or - Microsoft intentionally put a backdoor in Windows? Is that what you're saying?

*Steve:* Yes.
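The record layout Gibson describes (a 4-byte size in words, then a 2-byte function number, so no record can legitimately be shorter than 3 words) is exactly what a defender can check for. The scanner below is an added example, not code from this post or from GRC: it walks the WMF record stream and flags records with an impossible size field and Escape records that select SetAbortProc. The constants META_ESCAPE (0x0626) and SETABORTPROC (0x0009) are the values from the WMF format; the two sample files are constructed here for testing and carry no payload.

```python
"""Flag malformed WMF records: impossible sizes and Escape/SetAbortProc.
Added example for this thread; not the original poster's code."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus "placeable" prefix
META_ESCAPE = 0x0626           # WMF record function: Escape
SETABORTPROC = 0x0009          # Escape sub-function: SetAbortProc
MIN_RECORD_WORDS = 3           # 4-byte size + 2-byte function = 6 bytes


def scan_wmf(data: bytes) -> list:
    """Return (offset, reason) findings for every suspicious record."""
    findings = []
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22                                  # skip placeable header
    if len(data) < pos + 18:
        return [(pos, "truncated metafile header")]
    header_words = struct.unpack_from("<H", data, pos + 2)[0]
    pos += header_words * 2 if header_words >= 9 else 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < MIN_RECORD_WORDS:         # the "length of one" case
            findings.append((pos, f"impossible record size {size_words} words"))
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                findings.append((pos, "Escape/SetAbortProc record"))
        if func == 0x0000:                        # META_EOF ends the stream
            break
        # Advance by the declared size, but never less than one minimal record,
        # so a lying size field cannot stall the scan.
        pos += max(size_words, MIN_RECORD_WORDS) * 2
    return findings


def _header(total_words: int) -> bytes:
    """Constructed 9-word standard WMF header (type, hdr size, version, ...)."""
    return struct.pack("<HHHIHIH", 1, 9, 0x300, total_words, 0, 3, 0)


# Constructed samples: a clean file with only META_EOF, and one with a
# size-1 Escape/SetAbortProc record in front of META_EOF.
BENIGN_WMF = _header(12) + struct.pack("<IH", 3, 0)
MALFORMED_WMF = (_header(16) + struct.pack("<IHH", 1, META_ESCAPE, SETABORTPROC)
                 + struct.pack("<IH", 3, 0))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("malformed", MALFORMED_WMF)):
        print(name, scan_wmf(blob))
```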