[12150] in bugtraq


Re: ActiveX Buffer Overruns and BSTR's

daemon@ATHENA.MIT.EDU (Scott, Richard)
Wed Oct 6 15:42:19 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <F74E89C7EA1DD31186E900805FA79930013272F4@cs02mail.bestbuy.com>
Date:         Wed, 6 Oct 1999 10:10:05 -0500
Reply-To: "Scott, Richard" <Richard.Scott@BESTBUY.COM>
From: "Scott, Richard" <Richard.Scott@BESTBUY.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

	<snip snip>

	The most common way of passing parameters in ActiveX controls is
	through BSTRs, which include the size of the string in their first
	character. There's no way to overflow a BSTR. The buffer overflows you
	discovered arise from a situation where the programmer extracted the
	buffer from the BSTR, and put it into a simple character array of the
	form: char[256], without bothering to check if the fixed size of the
	character array is large enough to hold the string. The COM
	architecture has nothing to do with this buffer overflow (on the
	contrary: it makes it very difficult for programmers to create buffer
	overflows. But I guess some are talented enough to bypass this
	difficulty ;-)  )

	-------------------------
	Aviram Jenik

	As my understanding goes, a BSTR is simply a 32-bit pointer to a
character array?
	The pointer points to the character array, in which the character
array holds the length and the string itself.  Sure, using COM wrappers you
may not be able to perform a buffer overflow.
	But what happens if you could set the pointer to write to the
beginning of the array and change the size?
	That way, when you perform a BSTR or _bstr_t method on the object,
you could in theory create a buffer overflow problem.

	It's just that COM wraps all the pointer stuff and just lets us get
on with the more interesting stuff.
	I am sure that a buffer overflow could occur; whether it could be
used for a breach of security is something that may need further research
into.

	What COM does is hide the intrinsic nature of pointers for strings.
So not using them obviously can "prevent" an overflow.  However, I would
not bet my last i386 processor on it!

Richard Scott
(I.S.) E-Commerce Team
Tel: 001-(612)-995-5432
Fax: 001-(612)-947-2005
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

	This '|' is not a pipe
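As an added illustration (example code, not from either poster), the block below builds a portable stand-in for the BSTR layout the thread is discussing: the BSTR pointer addresses the first UTF-16 code unit, and the 32-bit byte length is stored in the four bytes immediately before that address. It contrasts the defect Aviram describes (copying the characters into a char[256] without consulting that length) with a conversion that checks the prefix first. The type and function names (bstr, bstr_alloc, bstr_len, narrow_checked, and the drivers) are invented for this example; the layout itself is the documented Win32 one. The unchecked path is a dry run that reports how many bytes it would write rather than performing the out-of-bounds store, so the program is memory-safe as written.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for the Win32 BSTR layout: 32-bit byte length, then
 * UTF-16 code units, then a two-byte null terminator. The BSTR pointer
 * addresses the first code unit, so the prefix sits 4 bytes before it.
 * Names are invented for this example (assumed to mirror SysAllocString,
 * SysStringLen and SysFreeString closely enough to teach the point). */
typedef uint16_t wchar16;
typedef wchar16 *bstr;

#define BUF_SIZE 256   /* the char[256] from the quoted mail */

/* Allocate a BSTR holding exactly n code units from s; s may contain '\0'. */
static bstr bstr_alloc(const char *s, uint32_t n) {
    uint8_t *block = malloc(sizeof(uint32_t) + ((size_t)n + 1) * sizeof(wchar16));
    if (block == NULL) return NULL;
    uint32_t byte_len = n * (uint32_t)sizeof(wchar16);
    memcpy(block, &byte_len, sizeof byte_len);          /* length prefix */
    bstr str = (bstr)(block + sizeof(uint32_t));
    for (uint32_t i = 0; i < n; i++) str[i] = (wchar16)(unsigned char)s[i];
    str[n] = 0;                                         /* terminator */
    return str;
}

static void bstr_free(bstr s) { if (s) free((uint8_t *)s - sizeof(uint32_t)); }

/* SysStringLen equivalent: the prefix is authoritative, not a null scan. */
static uint32_t bstr_len(bstr s) {
    uint32_t byte_len;
    memcpy(&byte_len, (const uint8_t *)s - sizeof(uint32_t), sizeof byte_len);
    return byte_len / (uint32_t)sizeof(wchar16);
}

/* Dry run of the defect the mail describes: a copy loop that stops only at
 * the first null and never compares against BUF_SIZE. Returns the number of
 * bytes such a loop would store into a char[BUF_SIZE]; the store itself is
 * deliberately not performed. */
static size_t unchecked_copy_would_write(bstr src) {
    size_t n = 0;
    while (src[n] != 0) n++;
    return n + 1;                       /* characters plus terminating '\0' */
}

/* Hardened form: read the prefix before touching dst, refuse input that does
 * not fit together with its terminator, and refuse code units that narrowing
 * to char would corrupt. Returns the character count, or -1 with dst untouched. */
static int narrow_checked(bstr src, char *dst, size_t dst_size) {
    uint32_t n = bstr_len(src);
    if (dst_size == 0 || n >= dst_size) return -1;
    for (uint32_t i = 0; i < n; i++)
        if (src[i] > 0x7F) return -1;
    for (uint32_t i = 0; i < n; i++) dst[i] = (char)src[i];
    dst[n] = '\0';
    return (int)n;
}

/* Drivers: exercise both paths on a constructed run of n 'A' characters. */
static bstr make_run_of_a(uint32_t n) {
    char *tmp = malloc((size_t)n + 1);
    if (tmp == NULL) return NULL;
    memset(tmp, 'A', n);
    bstr s = bstr_alloc(tmp, n);
    free(tmp);
    return s;
}

static size_t unchecked_bytes_for_len(uint32_t n) {
    bstr s = make_run_of_a(n);
    size_t bytes = s ? unchecked_copy_would_write(s) : 0;
    bstr_free(s);
    return bytes;
}

static int checked_result_for_len(uint32_t n) {
    char buf[BUF_SIZE];
    bstr s = make_run_of_a(n);
    int rc = s ? narrow_checked(s, buf, sizeof buf) : -1;
    bstr_free(s);
    return rc;
}

/* A BSTR may carry embedded nulls, so the prefix and a null scan disagree:
 * returns the prefix character count if use_prefix, else the scan's byte count. */
static size_t embedded_null_len(int use_prefix) {
    bstr s = bstr_alloc("ab\0cd", 5);            /* constructed sample */
    size_t n = !s ? 0 : use_prefix ? bstr_len(s) : unchecked_copy_would_write(s);
    bstr_free(s);
    return n;
}

int main(void) {
    printf("5 chars:   unchecked loop writes %zu bytes, checked copy -> %d\n",
           unchecked_bytes_for_len(5), checked_result_for_len(5));
    printf("300 chars: unchecked loop writes %zu bytes into char[%d], checked -> %d\n",
           unchecked_bytes_for_len(300), BUF_SIZE, checked_result_for_len(300));
    printf("\"ab\\0cd\": prefix says %zu chars, null scan sees %zu bytes\n",
           embedded_null_len(1), embedded_null_len(0));
    return 0;
}
```

Build with `cc -std=c99 -Wall bstr_demo.c`. The embedded-null case is why the length prefix, not a terminator scan, must drive the size check: the allocator and the marshaller honour the prefix, while a null-scanning copy can both undercount (stopping early) and, on a string with no interior null, overrun the fixed array exactly as the thread describes.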
