[8499] in bugtraq

home help back first fref pref prev next nref lref last post

Re: xlock mishandles malformed .signature/.plan

daemon@ATHENA.MIT.EDU (tschweik@FIDUCIA.DE)
Wed Nov 11 12:49:53 1998

Date: 	Wed, 11 Nov 1998 09:48:08 +0100
Reply-To: tschweik@FIDUCIA.DE
From: tschweik@FIDUCIA.DE
To: BUGTRAQ@NETSPACE.ORG

Jochen Thomas Bauer wrote:

[...]
> there
> may be some more "scenarios", depending on the
architecture/compiler/options
> combination used to compile xlock, so the question is if there is any
> combination of architecture/compiler/options that will produce code
> that contains a security hole.
[...]

I have found two compilers generating security holes this way:

- Microwerks CodeWarrior for Macintosh
- ORCA/C for GS/OS (Apple IIgs)
- various microcontroller compilers

CodeWarrior generates, with optimizations enabled, a program that simply
crashes, while overwriting a byte of program stack.

ORCA/C isn't capable of handling negative indexes. There might be some more
compilers out there not able handling negative indexes (I pointed this out
to the list, but my mail didn't get trough):

ANSI-C doesn't tell how a compiler has to handle negative indexes. They may
be handled as you expect, -1 is one less than the pointer or they may be
handled like pointer + max. unsigned int which turns out to be pointer +
65535. In reality this depends on the capabilities of your hardware. If
indexing is possible with one byte it is pointer + 255. If four byte it is
pointer + (2^32)-1. The byte really accessed depends on how wide your
address bus is. If index-with and address-bus-width match nothing will be
wrong. If not (index size is smaller) pray! On some CPU this might be more
complex as described here, depending on CPU mode. Wraparound may occur at
segment boundaries or similar odd things...!

ORCA/C will therefor overwrite a byte offset 65535 bytes from pointer. In
most cases this doesn't have any immediate effect, but some time later (you
might have the malicious program finished already) the system crashes.

Most Microcontroller C-Compilers allocate string space not directly on
stack. They allocate memory leaving only a pointer to it on stack, cause of
low stack space. Some of these Compilers may fiddle with negative indexes
correctly (as one would expect), some don't, some generate runtime errors
instead.

All possible to, at least, DoS attacks.

--
Thomas Schweikle <tschweik@fiducia.de>


PS.: ORCA/C was once built for the Apple IIgs operating system GS/OS. Does
anyone fiddle with it anymore? Maybe using GNO/ME environment with it?

home help back first fref pref prev next nref lref last post