Avast aswMon2.sys kernel memory corruption and Local Privilege Escalation

September 23, 2009

Redirection:

http://evilcodecave.blogspot.com/2009/09/avast-aswmon2sys-kernel-memory.html

Regards,

Giuseppe ‘Evilcry’ Bonfa’


TheGreenBow IPSec VPN Client tgbvpn.sys patch released

September 14, 2009

Redirection:

http://evilcodecave.blogspot.com/2009/09/thegreenbow-ipsec-vpn-client-tgbvpnsys.html


TheGreenBow VPN Client tgbvpn.sys DoS and Potential Local Privilege Escalation Vulnerability.

August 17, 2009

Hi,

Redirection:

http://evilcodecave.blogspot.com/2009/08/thegreenbow-vpn-client-tgbvpnsys-dos.html

Regards,

Giuseppe ‘Evilcry’ Bonfa’


Software Design Errors at the Borderline with Bugs

April 6, 2008

Hi there,

Today I’m going to write down some personal opinions about common software design errors that do not necessarily imply a security bug but, because of their hybrid nature, sit at the borderline between a plain code design error and a vulnerability.

The first basic and common error at the root of a design error, or in the worst case of a bug, is input validation, which also becomes the first target of an attack, typically by feeding the software a large volume of data in a first attempt.

As you can imagine, the first design error is to allow arbitrary lengths in file formats or in any kind of interface that receives data.

Over time I’ve discovered some basic inconsistencies in well-known applications, such as in Visual Studio.

Visual Studio project files have a proprietary format and are divided into several files: .sln, .user, .vcproj, .manifest.

Each of these files has a particular structure; let’s look at the .sln file format:

#Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NAME", "PATH\PATH.vcproj", "{17F30F81-3A72-40F0-85D5-9871C740B026}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{17F30F81-3A72-40F0-85D5-9871C740B026}.Debug|Win32.ActiveCfg = Debug|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

The directive Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NAME", "PATH\PATH.vcproj", and in particular its Name and Path fields, is totally unchecked, so an “attacker” can build evil versions of .sln files by filling the Name field with large amounts of data.

The result is a memory corruption, so as we have seen this design error becomes an effective bug.

Let’s now look at .vcproj, an XML file which contains information about compiling and linking options:

<VisualStudioProject
ProjectType="Visual C++"
Version="8,00"
Name="NAME"
ProjectGUID="{17F30F81-3A72-40F0-85D5-9871C740B026}"
RootNamespace="MyNameSpace"
Keyword="Win32Proj"

Also in this case the fields Name, ProjectType, RootNamespace and Keyword are checked for allowed characters but not for length.

So an “attacker” can generate large amounts of data which lead to memory consumption; this is also valid for other fields of .vcproj, such as:

<Tool
Name="VCPreBuildEventTool"

Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
Detect64BitPortabilityProblems="true"
DebugInformationFormat="4"

/>

The same problem exists for .user files:

<DebugSettings
Command="$(TargetPath)"
WorkingDirectory=""
CommandArguments=""
Attach="false"
DebuggerType="3"
Remote="1"

RemoteMachine="ITX-C7"

The RemoteMachine field has unchecked length, so big amounts of data could block Visual Studio.

In the same way, a famous HTML editor, 1stPage2000, could easily be crashed (due to a heap overflow) by producing large tags or large amounts of nesting.

It is not necessary for an application like VS or 1stPage to allow such large names; it is better to avoid risks by checking every length that will be manipulated.
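As an added example (not code from the post, and not Visual Studio's own loader), here is the kind of length check the post asks for, applied to the .sln Project directive and to the .vcproj/.user attributes discussed above before such a file is opened. The limits (255 characters for names, MAX_PATH 260 for paths) and the sample inputs are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Limits are assumptions for this example: MAX_PATH for paths, 255 chars for names/other strings.
MAX_NAME = 255
MAX_PATH = 260

# Matches the Project(...) directive of the .sln format shown in the post.
PROJECT_RE = re.compile(
    r'^Project\("\{(?P<type>[0-9A-Fa-f-]{36})\}"\)\s*=\s*'
    r'"(?P<name>[^"]*)",\s*"(?P<path>[^"]*)",\s*"\{(?P<guid>[0-9A-Fa-f-]{36})\}"\s*$'
)

def check_sln(text):
    """Report Project directives whose Name/Path exceed the limit or that do not parse."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("Project("):
            continue
        m = PROJECT_RE.match(line)
        if m is None:
            findings.append((lineno, "Project", "malformed directive"))
            continue
        for field, limit in (("name", MAX_NAME), ("path", MAX_PATH)):
            if len(m.group(field)) > limit:
                findings.append((lineno, field.capitalize(), f"{len(m.group(field))} chars > {limit}"))
    return findings

def check_xml_attrs(text, limits):
    """Walk a .vcproj/.user document and report attributes longer than their limit."""
    findings = []
    for elem in ET.fromstring(text).iter():
        for attr, value in elem.attrib.items():
            limit = limits.get(attr)
            if limit is not None and len(value) > limit:
                findings.append((elem.tag, attr, f"{len(value)} chars > {limit}"))
    return findings

# Constructed samples (not from the post): a well-formed Project line and one with an oversized Name.
GOOD_SLN = (
    'Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Demo", "Demo\\Demo.vcproj", '
    '"{17F30F81-3A72-40F0-85D5-9871C740B026}"\nEndProject\n'
)
BAD_SLN = GOOD_SLN.replace('"Demo",', '"' + "A" * 4096 + '",')
USER_LIMITS = {"Name": MAX_NAME, "RootNamespace": MAX_NAME, "Command": MAX_PATH, "RemoteMachine": MAX_NAME}
GOOD_USER = '<DebugSettings Command="$(TargetPath)" RemoteMachine="ITX-C7" />'
BAD_USER = GOOD_USER.replace("ITX-C7", "X" * 1000)
```

A loader that rejects any file with a non-empty findings list never hands the oversized field to the code that later copies it into a fixed-size buffer.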

See you at the next post.. 🙂


Attacking MultiCore CPUs

September 25, 2007

Recently an interesting security flaw relating to multicore CPUs was published; here you can find a generic overview, and here a more detailed description of the vulnerability 🙂

See you at the next post! 🙂