XP/Vista IGMP Buffer Overflow — Explained
HalvarFlake writes "With all the hoopla about the remotely exploitable, kernel-level buffer overflow discussed in today's security bulletin MS08-0001, what is the actual bug that triggers this? The bulletin doesn't give all that much information. This movie (Flash required) goes through the process of examining the 'pre-patch' version of tcpip.sys and comparing it against the 'post-patch' version of tcpip.sys. This comparison yields the actual code that causes the overflow: A mistake in the calculation of the required size in a dynamic allocation."
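As an added illustration (not Halvar's analysis and not Microsoft's code; the toy wire format and all function names below are constructed for the demo), this shows the bug class the summary describes, an allocation sized from a fixed per-record guess instead of from the parsed input, beside a sizing routine that walks and bounds-checks the records:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy wire format (NOT the real IGMP/tcpip.sys layout): a 2-byte
 * big-endian record count followed by that many records, each one length byte
 * plus that many payload bytes. Every name here is an assumption for the demo. */

static uint16_t read_count(const uint8_t *pkt) {
    return (uint16_t)((pkt[0] << 8) | pkt[1]);
}

/* Buggy sizing of the class the post describes: the required size is derived
 * from a fixed per-record guess rather than from the records actually present,
 * so longer records make the allocation too small for the later copy. */
size_t size_fixed_per_record(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 2) return 0;
    return (size_t)read_count(pkt) * 4u;
}

/* Corrected sizing: walk each record, bounds-check every read against pkt_len,
 * and return 0 (reject) if the count promises more data than the packet holds. */
size_t size_by_walking(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 2) return 0;
    uint16_t count = read_count(pkt);
    size_t off = 2, total = 0;
    for (uint16_t i = 0; i < count; i++) {
        if (off >= pkt_len) return 0;              /* length byte missing */
        size_t len = pkt[off];
        if (len > pkt_len - off - 1) return 0;     /* payload runs past end */
        off += 1 + len;
        total += 1 + len;
    }
    return total;
}

/* Returns 1 if an allocation made with `sizer` is large enough to hold the
 * records, 0 if the later copy would overflow it (or the packet is malformed).
 * Checking instead of copying keeps the demo memory safe. */
int allocation_fits(const uint8_t *pkt, size_t pkt_len,
                    size_t (*sizer)(const uint8_t *, size_t)) {
    size_t needed = size_by_walking(pkt, pkt_len);
    if (needed == 0) return 0;
    return sizer(pkt, pkt_len) >= needed;
}

/* Constructed sample: count=2, a 5-byte record and a 6-byte record. */
const uint8_t sample_pkt[] = { 0x00, 0x02,
    5, 'a', 'a', 'a', 'a', 'a',
    6, 'b', 'b', 'b', 'b', 'b', 'b' };
const size_t sample_pkt_len = sizeof sample_pkt;
/* Same header, but the second record is cut off before its payload ends. */
const uint8_t truncated_pkt[] = { 0x00, 0x02, 5, 'a', 'a', 'a', 'a', 'a', 6, 'b' };
const size_t truncated_pkt_len = sizeof truncated_pkt;
```

The fixed-size guess yields 8 bytes for a packet whose records need 13, which is exactly the undersized allocation that a later record copy would overrun.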
Lol MS sux0rz! ph34r my 1337 h4x!1one
Everyone should be forced to give up manual memory allocation regardless of the power it can afford.
#include "fucktard_troll.h"
Now that that's done with, I see things like this as an argument in favor of moving stuff off of the CPU and into dedicated hardware. Why should your CPU be tied up with things at this level? The absolutely overwhelming majority of all data on every network uses one of two network layer protocols (IPv4 or IPv6) and one of two transport layer protocols (TCP or UDP). Why shouldn't those four combinations be handled by hardware, so we can leave the computer to run the applications? We already do this with 3d rendering, why not networking?
The difference is that if it was FOSS, they'd be able to see the comment saying "// this doesn't match the specs but it worked for me in the test I did, so the specs must be wrong."
In case you don't know Halvar Flake, he is a master at reverse engineering and recently gave a talk at BlueHat.
Short audio clip with Halvar explaining how he analyzes MS patches for differences
-- bookmark me
I'm so looking forward to reconfigurable hardware; that'll make the whole argument moot. The CPU as we know it will do nothing but setup reconfigurable logic units and direct data streams. You want hardware networking? Bam. Hardware complex math? Bam. Hardware neural net? Bam.
Woah...
Now, don't get me wrong. I think that's a really cool hack. I admire the effort.
Seriously though, WTF? That's a rootkit technique. Changes of this nature should be made to source code, not binaries. It's way more maintainable and sustainable that way.
Oh, sure, because traversing dozens of lines of "Mov EAX,$4B456E5" and whatever is comparable to looking at original source code. Disassembling is pretty poor for this sort of thing; you really need to start with it narrowed down, like this guy did by diffing it. Most of the time you'll be looking at whole executables if you want to do something like this.
Also, though its educational purposes are undeniable and it certainly is interesting to say the least, what good is it? It can only be used to make one or two minor changes or a single bugfix after hours of work. Even then it's a license violation.
There's lots of good reasons to have closed source software, but saying that something like this invalidates one of OSS's biggest advantages is incorrect, regardless of your closed/open leanings.
I dunno about that. That assumes the original programmer knew the code was incomplete. Most of the time code has sat around for ages and been looked at by hundreds of people without anyone thinking about a situation where it would fail. Admittedly it's a lot easier to fix code if you have the source code, but it doesn't make it any easier to spot bugs. Whoever said "many eyeballs make all bugs shallow" has never worked for a company with thousands of developers building real time systems. Maybe it's true of Perl scripts and the like.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
(Not the original AC.)
"Bluto's right. Psychotic, but absolutely right."
- Otter, Animal House
OK, so Win9x wasn't a real OS. It had no security model. That was its unfixable weakness (instability), but that was also part of its salvation.
No network-aware services listening out of the box? No remote-unattended exploits!
And when/if something broke due to the instability - even something as bad as "registry corrupted - don't even fantasize about getting your GUI back", you just booted to DOS, extracted a "good" version of the registry from the last five copies in .cab files in C:\WINDOWS\SYSBCKUP, typed a few "ATTRIB" commands (i.e. chmodded it to be writable) and overwrote the "bad" user.dat and system.dat with ones that worked.
The 9x UI wasn't any better/worse than XP or Vista. How many of us took one look at XP's Fisher-Price interface and immediately "downgraded" it to the Win2K look?
Boot speed? My last gaming rig was a Pentium IV, 2.4 GHz, running at 3.2 GHz, 512MB RAM and a 120GB drive, and the fucking thing went from power-on to full-GUI-running-and-no-hard-drive-activity in 15 seconds. There were configuration files you could edit to support 1GB and (by replacing/patching WINDOWS\SYSTEM\IOSUBSYS\ESDI_506.PDR) hard drives over 128GB.
Once upon a time, Linux wasn't ready for the desktop. During those years, Win9x rocked. Crappy multi-user OS? Guilty as charged. Useless for a server? Absolutely. But as a single user OS/program-loader, it was hard to beat. DRM? Product activation? What's that?
"(I have one Win 95B station at my desk just to do drive data recovery and to do a few file tasks that XP doesn't want to let you do...)"
Why?
Seriously, what can it do that XP can't? I'm interested.
File tasks are usually (IMHO) much better done under Linux, which doesn't try to stop you doing anything.
I don't know about him, but the workstations at my work run either Win 95 or, if you're lucky, Win 98SE.
Why? Because with the NT line MSFT broke a lot of other companies' networking protocols, so we wouldn't be able to connect to the server, which stores all files and applications (the Win95 machines being not much more than dumb terminals). Windows XP won't work, as said server company never made a proper upgrade path for such a configuration. Linux might, but I would need an old school Netware guru, and someone with enough knowledge of Linux to configure Netware inside Linux but also DOSBox, as all the applications are DOS based. When this setup was first deployed, Linux was at 0.9 something.
Then you have to figure out how to sell it to a computer illiterate cheapskate boss.
I thought once I was found, but it was only a dream.
OK, so the poor artists (and engineers, etc) will starve because nobody is buying their product any more, so I can't see that being allowed.
Actually, that's a pretty good point. The only way to continue employing hundreds of millions of people, each of which can do the work to support dozens if not more, is to convince everyone that they need to buy the output of hundreds of millions of other people.
Otherwise, 1/10th of the population would have jobs, whose income would go entirely to pay welfare to support the other 9/10th, and even if you say "well, let the useless 9/10th die", the population would just contract, and you'd still only need to employ 1/10th of the population, until you reach the point where places like New York have evaporated into a small hamlet.