there are certain types of handlers, but nost are thigns like ctrl-c
handlers and stuff. i'm not familaiar with a direct correlation to unix
style signals in a win32 environment. ipc happens, but almost all
objects(kernel or userland) have the option of having a security desciptor
associated with them, so you probably can protect against any odd situations
if implemented (STOP PASSING NULL AS A SECURITY DESCRIPTOR ON SECURITY
CONSCIOUS OBJECTS:).

i've been looking at this attack and there are in fact ways of doing what
you are talking about using termination handlers in Structured exception
handling. basically, when a proc is closing, threads are terminated, and
stack handlers unroll. all termination handlers should be called(i'm
talking about __finally{} blocks).

postmessage isn't really the same thing, directly, but perhaps
TermiateProcess could be considered similar to sending a SIGTERM to a
process, depending on how you use it.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer

----- Original Message -----
From: "Joakim Sandstrom" <jodetribalstorm.com>
To: <dulliengmx.de>
Cc: "Michal Zalewski" <lcamtufbos.bindview.com>;
<SECPROGSECURITYFOCUS.COM>; <SECPAPERSSECURITYFOCUS.COM>
Sent: Wednesday, May 30, 2001 12:33 PM
Subject: Re: Re[2]: insecure signal handler design

> Ok,
>
> Hmms. Not exactly what I was thinking about. I'm not talking about
> PostMessage
> or SendMessage (Window messaging). But on signals as in unix. I'm sure
allot
> of
> services f.ex. want to handle a crash or termination nicely by handling
and
> emptying
> all log data for example.. this could be done using the same techniques as
> in unix environments..
> refering to signal(SIGTERM, sh) function and the handler.. I don't think
> it's possible
> to get SIGTERM messages or SIGABRT messages as window messages.. abnormal
> termination messages etc.. My "guess" is that many services (w3svc, sql
> server etc..) are
> using exactly the same way of handling (un-expected program terminations
> etc..) as unix is?
> Am I right? Or is there another way of doing this in win32?
>
> /JODE
>
> ----- Original Message -----
> From: <dulliengmx.de>
> To: "Joakim Sandstrom" <jodetribalstorm.com>
> Cc: "Michal Zalewski" <lcamtufbos.bindview.com>;
> <SECPROGSECURITYFOCUS.COM>; <SECPAPERSSECURITYFOCUS.COM>
> Sent: Wednesday, May 30, 2001 9:13 PM
> Subject: Re[2]: insecure signal handler design
>
>
> >
> > Hey there,
> >
> > JS> could be a way to do it? My goal is to find out who is subscribing
to
> what
> > JS> SIG. So it would be easier finding possible problems on win32 (yes
> lucky you
> > JS> who are playing on opensource) :). Night night..
> >
> > Correct me if I am wrong, but signal races should not be an issue
> > under Win32. I am assuming now that UNIX signals have their direct
> > equivalent in Win32 window messages. Please bear in mind that what I
> > state here is what I --think-- not what I've tried.
> > Since NT comes from Mach the signal/message sending is a bit more
> > thought out than in the 'average' Unix.
> > The distinction between SendMessage()/PostMessage() is that
> > SendMessage() will directly call the signal handler -- which can only
> > be done within one process address space. PostMessage() will put a
> > message into the message queue and wait for the target process to
> > _fetch_ it; to send messages to a foreign process you need to use
> > PostMessage(). As it is only one thread that processes those signals,
> > a signal race will not really be an issue if I am correct.
> >
> > What is a problem are services that do their IPC via Messages and
> > which, for that reason, create invisible windows. If they trust the
> > input they're getting (e.g. accept pointers or whatnot) there is a
> > danger of privilege escalation.
> >
> > The direct race condition described in lcamtuf's (great) paper don't
> > apply AFAIK.
> >
> > Cheers,
> > dulliengmx.de
> >
>
>

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]