[5421] in bugtraq


Re: WinNT syscalls insecurity

daemon@ATHENA.MIT.EDU (Solar Designer)
Tue Oct 21 18:45:35 1997

Date: 	Wed, 22 Oct 1997 00:54:28 +0300
Reply-To: Solar Designer <solar@FALSE.COM>
From: Solar Designer <solar@FALSE.COM>
X-To:         David LeBlanc <dleblanc@mindspring.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <3.0.32.19971019142417.00abd250@mindspring.com> from "David
              LeBlanc" at Oct 19, 97 02:24:19 pm

Hello!

> What patch level have you tested this under?  Your results can very well

This was an unpatched version of NT, you're right. I'll check out SP3 when
I have some more spare time. I'm not using NT for any real work, it's just
fun for me to find out how various operating systems are implemented.

> vary depending on whether SP3+getadmin fixes were applied.  Costin Rau
> (sp?) found a number of NtXXX calls which caused crashes if they were fed a
> 0xFFFFFFFF pointer, and all of these were fixed by the second attempt at
> the getadmin patch.  Costin did a fairly extensive job of checking back in
> July.

The purpose of my message was to show that NT uses a bad approach to syscalls,
and dealing with parameters imported from user space. I'm told SP3 got many
particular bugs fixed. However, if NT used a better approach (the suggestions
at the end of my original message), these bugs would never appear. I don't
think that fixing particular bugs is the right thing to do: some will likely
remain.

> BTW, self-inflicted denial of service attacks aren't at the top of my list
> of evils.  OTOH, if you were to find a way to set the NtGlobalFlag again,
> now _that_ would be interesting.

BTW, if a better approach to dealing with the pointers was used (like different
segment base addresses), GetAdmin would never appear. As for another GetAdmin,
I just wasn't looking for it yet.

Signed,
Solar Designer
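Added example, not code from the original message or from NT: the pointer-validation failure David LeBlanc mentions (NtXXX calls crashing on a 0xFFFFFFFF pointer) is a classic instance of a range check that computes ptr + len and wraps. The block below shows that buggy check beside an overflow-safe one in a hypothetical syscall stub. It assumes a 32-bit flat address space with user addresses below 0x80000000; the constant, the error code and the function names are assumptions for illustration, and it shows the software-check approach rather than the segment-base approach suggested in the message.

```c
/* Added example (not code from the original message or from NT): a syscall
 * stub that validates a pointer and length supplied from user space before
 * touching them. The point illustrated is the one in the thread: a check that
 * computes ptr + len wraps for a 0xFFFFFFFF pointer and lets it through,
 * while a check written without the addition does not.
 *
 * Assumption for illustration: a 32-bit flat address space in which user
 * addresses are those below 0x80000000 and everything above is kernel. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define USER_LIMIT 0x80000000u   /* assumed first kernel address */
#define EFAULT_LIKE (-14)        /* hypothetical "bad address" error code */

/* Buggy form: for ptr = 0xFFFFFFFF and len = 4, ptr + len wraps to 3,
 * which is below USER_LIMIT, so the kernel-range pointer is accepted. */
bool user_range_ok_naive(uint32_t ptr, uint32_t len)
{
    return ptr + len <= USER_LIMIT;
}

/* Hardened form: never add to the pointer; compare len against the room
 * left below the limit, which cannot overflow. */
bool user_range_ok(uint32_t ptr, uint32_t len)
{
    if (ptr >= USER_LIMIT)
        return false;               /* starts in kernel space */
    return len <= USER_LIMIT - ptr; /* must also end in user space */
}

/* A hypothetical syscall taking (buffer, length) from user space. Returns
 * the number of bytes it would process, or EFAULT_LIKE if the range is
 * rejected. The copy itself is elided: after the range check a real kernel
 * still has to cope with the page being unmapped, which this user-mode
 * example cannot model. */
int32_t sys_example(uint32_t ubuf, uint32_t len)
{
    if (!user_range_ok(ubuf, len))
        return EFAULT_LIKE;
    return (int32_t)len;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    struct { uint32_t ptr, len; } cases[] = {
        { 0x00010000u, 0x100u },   /* ordinary user buffer */
        { 0x7FFFFFFCu, 4u },       /* ends exactly at the limit */
        { 0x7FFFFFFDu, 4u },       /* crosses into kernel space */
        { 0x80000000u, 1u },       /* kernel address */
        { 0xFFFFFFFFu, 4u },       /* the wrap case from the thread */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("ptr=%08x len=%08x naive=%d safe=%d\n",
               cases[i].ptr, cases[i].len,
               user_range_ok_naive(cases[i].ptr, cases[i].len),
               user_range_ok(cases[i].ptr, cases[i].len));
    return 0;
}
```

The naive and hardened checks agree on every well-formed input and differ only on ranges whose end address wraps past zero, which is exactly the input that a per-bug fix can miss if the check is written separately in each NtXXX entry point.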
