[28794] in bugtraq


Re: Preventing exploitation with rebasing

daemon@ATHENA.MIT.EDU (Alun Jones)
Wed Feb 5 18:27:56 2003

Message-Id: <4.3.2.7.2.20030205153143.01c64010@208.55.91.110>
Date: Wed, 05 Feb 2003 15:49:13 -0600
To: Charlie Root <weedpower@home.ro>
From: Alun Jones <alun@texis.com>
In-Reply-To: <3E3FA64A.1020302@home.ro>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 05:38 AM 2/4/2003, Charlie Root wrote:
>Rebasing might be useful up to some point. But it contains a "mental" 
>vulnerability. If one would apply this technique he would probably think 
>he is safe and neglect updating his security. Oh, and one more thing... 
>I'm not sure about this since I have little experience in Windows: 
>security-patches don't rely on the same "genetic code" as exploits? If 
>one would rebase his entire system would he still be able to properly 
>apply security patches?

The worse problem, IMHO, is that rebasing executables and/or DLLs makes it 
harder to report and fix any GPFs that do occur.  If you report a GPF, it's 
going to come out with an offset that doesn't represent the correct area of 
code.  Perhaps the Dr Watson log provides enough information for a savvy 
developer to trace through and find where the _real_ address is in the base 
code, but there's so little documentation on the information contained in a 
Dr Watson log output, that most developers haven't the first clue of how to 
find the function that's at fault, unless your addresses match theirs.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
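
An added example, not part of the original message: one way to translate a fault address reported from a rebased DLL back to the address a developer would see in a build loaded at its preferred base. The module table, symbol list and fault address are constructed for illustration, and the names (Module, normalize, helper.dll) are hypothetical.

```python
# Map a fault address in a rebased module back to the address at the
# module's preferred (link-time) base, then to the nearest symbol.
from bisect import bisect_right
from typing import NamedTuple

class Module(NamedTuple):
    name: str
    load_base: int       # where the image sits in the crashing process
    size: int            # size of the mapped image
    preferred_base: int  # ImageBase the developer's build was linked at

# Constructed sample data (hypothetical module and symbols, not a real log).
MODULES = [
    Module("app.exe", 0x00400000, 0x00030000, 0x00400000),     # not rebased
    Module("helper.dll", 0x5A210000, 0x00012000, 0x10000000),  # rebased
]
# Symbols as (RVA, name), sorted by RVA, as a linker map file would list them.
SYMBOLS = {
    "helper.dll": [(0x1000, "InitHelper"), (0x1480, "ParseRequest"),
                   (0x2300, "FreeRequest")],
}

def find_module(addr, modules=MODULES):
    """Return the module whose mapped range contains addr, or None."""
    for m in modules:
        if m.load_base <= addr < m.load_base + m.size:
            return m
    return None

def normalize(addr, modules=MODULES, symbols=SYMBOLS):
    """Return (module, rva, developer_address, 'symbol+0xoff' or None)."""
    m = find_module(addr, modules)
    if m is None:
        return None  # not inside any known image (heap, stack, unloaded DLL)
    rva = addr - m.load_base           # offset is independent of the base
    dev_addr = m.preferred_base + rva  # address in the developer's build
    table = symbols.get(m.name, [])
    i = bisect_right([r for r, _ in table], rva) - 1
    sym = f"{table[i][1]}+0x{rva - table[i][0]:x}" if i >= 0 else None
    return m.name, rva, dev_addr, sym

if __name__ == "__main__":
    fault = 0x5A2114C2  # constructed fault address inside the rebased DLL
    name, rva, dev_addr, sym = normalize(fault)
    print(f"{name} rva=0x{rva:x} developer address=0x{dev_addr:08x} {sym}")
```

Reporting the module name plus the relative offset, rather than the raw address, gives the developer a value that matches regardless of where the image was loaded.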

