Re: WinNT syscalls insecurity
David LeBlanc (dleblanc@MINDSPRING.COM)
Sun, 19 Oct 1997 14:24:19 -0400
- Next message: bryan berg: "Vulnerability in PHP Example Logging Scripts"
- Previous message: Bst Perez Companc: "Re: WinNT syscalls insecurity"
- Maybe in reply to: Solar Designer: "WinNT syscalls insecurity"
- Next in thread: Solar Designer: "Re: WinNT syscalls insecurity"
At 04:02 AM 10/19/97 -0300, Solar Designer wrote:

[snip interesting stuff]

>This makes me think many syscalls won't process invalid parameters correctly
>(that is, just set NT status and exit). Some will likely crash the system. I
>suspect a program doing random syscalls with random parameters would crash
>the system quite fast, should try some day. ;^)

This is exactly what ntcrash by Russinovich (and the other guy whose name escapes me at the moment) did about a year ago. They fixed most of this in SP1 or SP2.

>Here goes the NtCreateProcess exploit, compile with Cygwin32, the GCC port:

What patch level have you tested this under? Your results can very well vary depending on whether SP3+getadmin fixes were applied. Costin Rau (sp?) found a number of NtXXX calls which caused crashes if they were fed a 0xFFFFFFFF pointer, and all of these were fixed by the second attempt at the getadmin patch. Costin did a fairly extensive job of checking back in July. If you conducted this under an unpatched version of NT, then you may want to apply latest patches and look again. If you were at full patches, it looks to me like they have a few more to clean up.

BTW, self-inflicted denial of service attacks aren't at the top of my list of evils. OTOH, if you were to find a way to set the NtGlobalFlag again, now _that_ would be interesting.

David LeBlanc           |Why would you want to have your desktop user,
dleblanc@mindspring.com |your mere mortals, messing around with a 32-bit
                        |minicomputer-class computing environment?
                        |Scott McNealy