On 16/01/2013 06:30 PM, Warp wrote:
> Francois Labreque<fla### [at] videotron ca> wrote:
>> Ex: One guy finds out that you can create specially crafted .BMP files
>> with a color palette that has 4294967297 (MAX_INT + 1) colors
>
> Given that the vast majority of image files have an exact amount of
> bytes reserved for the different sizes, I would like to see how you
> can put a value larger than what those bytes can express there.
There appears to be plenty of software that incorrectly treats various
size values as signed integers. (E.g., programs that malfunction on
files larger than 2GB because they think the file size has become
"negative".)
Personally, I blame C...
On 16/01/2013 11:59 AM, Kenneth wrote:
> Wow, it seems that security updates for various pieces of 'standard'
> Windows-related software are coming down fast and furious these days: Firefox,
> Java, Flash Player, Windows itself (well, my old XP version.) I'm getting one or
> the other of these on almost a daily basis. Cyber-criminals and spammers must be
> working overtime!
Just because a security flaw has been discovered, does not necessarily
imply that anybody has actually *exploited* it yet.
It could well just be the QA people doing code reviews and finding bugs
that way.
On Wed, 16 Jan 2013 21:23:27 +0000, Orchid Win7 v1 wrote:
> Personally, I blame C...
Seems more appropriate to blame programmer inexperience (or laziness)
than the language used.
Jim
Orchid Win7 v1 <voi### [at] dev null> wrote:
> There appears to be plenty of software that incorrectly treats various
> size values as signed integers. (E.g., programs that malfunction on
> files larger than 2GB because they think the file size has become
> "negative".)
Can you give me a scenario where that produces a buffer overflow?
--
- Warp
Orchid Win7 v1 <voi### [at] dev null> wrote:
>
> It could well just be the QA people doing code reviews and finding bugs
> that way.
Yeah, I'm thinking it's probably half and half: real security breaches; and
entities like Kaspersky Labs finding possible exploitable loopholes before the
fact.
BTW, I just got *another* Windows security update.
> Francois Labreque <fla### [at] videotron ca> wrote:
>> Ex: One guy finds out that you can create specially crafted .BMP files
>> with a color palette that has 4294967297 (MAX_INT + 1) colors
>
> Given that the vast majority of image files have an exact amount of
> bytes reserved for the different sizes, I would like to see how you
> can put a value larger than what those bytes can express there.
>
Sorry, it was MAX_SIGNED_INT +1.
Of course, the file formats are usually strict enough, but they can't
prevent all problems.
http://technet.microsoft.com/en-us/security/bulletin/ms04-028
http://technet.microsoft.com/en-us/security/bulletin/ms08-052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0597
In the case of the BMP flaw, the leaked Windows 2000 source code showed
that the DLL was using a signed int to read an offset value that was
unsigned in the file format, so by crafting a special BMP file you would
have the DLL jump to a negative offset, and outside of the actual data
structure it was supposed to read. Now since GDI.DLL runs in ring 0 for
performance reasons, the fault was not caught and the program would
continue reading garbage, which in turn would cause a buffer overflow
and arbitrary code execution. Photoshop CS2 and CS3 were vulnerable to
this one, on top of all the MS applications that use GDI.DLL, so it
wasn't only shoddy programming on Microsoft's part.
I don't have the specifics on the JPG or PNG ones, but from the MITRE
description, the JPG also used an improper cast in the DLL to achieve
its result. For the PNG vulnerability, it was a problem with libpng not
handling a variable field length properly.
I'm sure you know that there are many, many ways a programmer can screw up.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
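Added example, not code from this post or from any Microsoft, Adobe or Windows source: a toy image reader that shows the mistake described above, an offset field that is unsigned in the file format but consumed through a signed int. The header layout (a "TOYI" magic plus a 32-bit little-endian offset), the crafted byte values and both readers are constructed for this illustration and are not the real BMP layout or the GDI code. The vulnerable reader's bounds check is upper-bound only, so an offset of INT_MAX + 1 + 8 becomes a negative int, passes the check, and widens to a large negative ptrdiff_t index (sign extension to pointer width on 64-bit); the hardened reader keeps the field unsigned and compares in size_t. Nothing is dereferenced at the bad index; the functions report where the reader would have read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy image header, constructed for this example (not the real BMP layout):
 *   bytes 0..3  magic "TOYI"
 *   bytes 4..7  little-endian uint32: offset of pixel data from file start
 *   bytes 8..   pixel data
 * The offset field is unsigned in the "format"; the bug is reading it as int. */
#define TOY_HDR_LEN 8u

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable reader. The unsigned field lands in a signed int and the bounds
 * check is upper-bound only. Returns 1 if the reader accepts the file and
 * writes the position it would read from to *pos. Converting a value above
 * INT_MAX to int is implementation-defined in C; every mainstream compiler
 * wraps it to a negative number, and assigning that to ptrdiff_t sign-extends
 * it to a pointer-width negative index. Nothing is dereferenced here. */
int vuln_locate_pixels(const uint8_t *file, size_t len, ptrdiff_t *pos)
{
    if (len < TOY_HDR_LEN)
        return 0;
    int off = (int)rd32le(file + 4);   /* BUG: 0x80000008 becomes -2147483640 */
    if (off > (int)len)                /* BUG: a negative offset passes this test */
        return 0;
    *pos = off;                        /* sign extension to pointer width */
    return 1;
}

/* Hardened reader: keep the field unsigned, compare in size_t, and insist the
 * offset points inside the file and past the header. */
int safe_locate_pixels(const uint8_t *file, size_t len, size_t *pos)
{
    if (len < TOY_HDR_LEN)
        return 0;
    uint32_t off = rd32le(file + 4);
    if (off < TOY_HDR_LEN || (size_t)off >= len)
        return 0;
    *pos = off;
    return 1;
}

/* Build a constructed toy file of len bytes (len >= TOY_HDR_LEN assumed)
 * carrying the given offset field, followed by fake pixel bytes. */
void build_toy_file(uint8_t *buf, size_t len, uint32_t off)
{
    buf[0] = 'T'; buf[1] = 'O'; buf[2] = 'Y'; buf[3] = 'I';
    buf[4] = (uint8_t)off;         buf[5] = (uint8_t)(off >> 8);
    buf[6] = (uint8_t)(off >> 16); buf[7] = (uint8_t)(off >> 24);
    for (size_t i = TOY_HDR_LEN; i < len; i++)
        buf[i] = 0xAB;
}

/* Crafted file: offset field = 0x80000008 = (INT_MAX + 1) + 8. Returns 1 when
 * the vulnerable reader accepts it with a negative read position while the
 * hardened reader rejects it. */
int demo_crafted_offset(void)
{
    uint8_t buf[64];
    ptrdiff_t vpos = 0;
    size_t spos = 0;
    build_toy_file(buf, sizeof buf, 0x80000008u);
    int vuln_ok = vuln_locate_pixels(buf, sizeof buf, &vpos);
    int safe_ok = safe_locate_pixels(buf, sizeof buf, &spos);
    return vuln_ok == 1 && vpos < 0 && safe_ok == 0;
}

/* Benign file: offset field = 8. Both readers agree the pixels start at byte 8. */
int demo_benign_offset(void)
{
    uint8_t buf[64];
    ptrdiff_t vpos = 0;
    size_t spos = 0;
    build_toy_file(buf, sizeof buf, 8u);
    return vuln_locate_pixels(buf, sizeof buf, &vpos) == 1 && vpos == 8 &&
           safe_locate_pixels(buf, sizeof buf, &spos) == 1 && spos == 8;
}

int main(void)
{
    printf("crafted offset: vulnerable reader fooled, hardened reader rejects: %s\n",
           demo_crafted_offset() ? "yes" : "no");
    printf("benign offset accepted by both readers: %s\n",
           demo_benign_offset() ? "yes" : "no");
    return 0;
}
```

The fix is not "use a bigger int": it is to keep every length and offset read from an untrusted file in an unsigned type of at least the field's width, compare it against the actual buffer size in size_t, and reject anything that does not leave room for the data the offset is supposed to point at.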
> Orchid Win7 v1 <voi### [at] dev null> wrote:
>> There appears to be plenty of software that incorrectly treats various
>> size values as signed integers. (E.g., programs that malfunction on
>> files larger than 2GB because they think the file size has become
>> "negative".)
>
> Can you give me a scenario where that produces a buffer overflow?
>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0596
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0602
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0915
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966
More at:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=BMP
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=JPG
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=PNG
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=MP3
Etc...
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
> On 16/01/2013 11:59 AM, Kenneth wrote:
>> Wow, it seems that security updates for various pieces of 'standard'
>> Windows-related software are coming down fast and furious these days:
>> Firefox,
>> Java, Flash Player, Windows itself (well, my old XP version.) I'm
>> getting one or
>> the other of these on almost a daily basis. Cyber-criminals and
>> spammers must be
>> working overtime!
>
> Just because a security flaw has been discovered, does not necessarily
> imply that anybody has actually *exploited* it yet.
>
> It could well just be the QA people doing code reviews and finding bugs
> that way.
QA people? You mean the one guy in India who quit last month and can't
be replaced because there's a hiring freeze because the 3rd quarter
results weren't good enough?
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
Francois Labreque <fla### [at] videotron ca> wrote:
> > Orchid Win7 v1 <voi### [at] dev null> wrote:
> >> There appears to be plenty of software that incorrectly treats various
> >> size values as signed integers. (E.g., programs that malfunction on
> >> files larger than 2GB because they think the file size has become
> >> "negative".)
> >
> > Can you give me a scenario where that produces a buffer overflow?
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0894
That didn't really answer my question.
--
- Warp
Francois Labreque <fla### [at] videotron ca> wrote:
> In the case of the BMP flaw, the leaked Windows 2000 source code showed
> that the DLL was using a signed int to read an offset value that was
> unsigned in the file format, so by crafting a special BMP file you would
> have the DLL jump to a negative offset, and outside of the actual data
> structure it was supposed to read.
In 2's complement representation MAX_INT+1 has the exact same bits in
both signed and unsigned forms. How do you get outside the array with
that value?
(I suppose that if you use a signed *long* in a 64-bit system where longs
are 64-bit, then expanding a signed 32-bit int to such a signed 64-bit long
will result in the wrong value. But was that the case here?)
--
- Warp