OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: ActiveX Buffer Overruns and BSTR's

Re: ActiveX Buffer Overruns and BSTR's


Aviram Jenik (aviramJENIK.COM)
Wed, 6 Oct 1999 21:38:08 +0200


----- Original Message -----
From: "Scott, Richard" <Richard.ScottBESTBUY.COM>
To: <BUGTRAQSECURITYFOCUS.COM>
Sent: Wednesday, October 06, 1999 5:10 PM
Subject: Re: ActiveX Buffer Overruns and BSTR's

> As my understanding goes, a BSTR is simply a 32bit pointer to a
> character array?
>
> ...
>
> It's just that COM wraps all the pointer stuff and just lets us get
> on with the more interesting stuff,
> I am sure that a buffer overflow could occur, whether it could be
> used for a breech of security is something that may need further research
in
> to.
>

Yes, but that would be an implementation flaw in COM. What we were
discussing here is whether or not it's possible to overflow buffers under
*normal* circumstances.
Although COM uses pointers in the underlying implementation, you only have
access to it before and after the wrapping is done. This means that if COM
wrapped the BSTR correctly (which is what we're assuming right now) the
overflow can only occur when you extract the BSTR into a smaller buffer. I
believe you have to be pretty stupid to do that (BSTR includes its own size,
for gods sake).

-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:

- Real programmers think structured programming is a communist
  plot.



This archive was generated by hypermail 2.0b3 on Fri Oct 08 1999 - 15:30:48 CDT