Microsoft C++ feature against buffer overflows itself vulnerable

From: Chris Ren (crenat_private)
Date: Thu Feb 14 2002 - 06:00:42 PST


    Microsoft added a new security feature to their latest C++ compiler, called
    both Visual C++.Net and Visual C++ version 7, which was released February
    13th. This security feature is meant to protect potentially vulnerable
    source code automatically from some forms of buffer overflow attack. The
    protection afforded by the new feature allows developers to continue to use
    vulnerable string functions such as strcpy() as usual and still be
    "protected" against some forms of stack smashing. The new feature is
    closely based on an invention of Crispin Cowan's called StackGuard and is
    meant to be used when creating standard native code (not the new .NET
    intermediate language, referred to as "managed code").
    
    Note that the new feature is meant to protect any program compiled with the
    "protected" compiler feature. In other words, the idea is that using this
    feature should help developers build more secure software. However, in its
    current form, the Microsoft feature leads to a false sense of security
    because it is easily defeated.
    
    Microsoft's feature includes the ability to set a "security error handler"
    function to be called when a potential attack is underway. Because of the
    way this was implemented, the Microsoft security feature is itself
    vulnerable to attack. An attacker can craft a special-purpose attack
    against a "protected" program, defeating the protection mechanism in a
    straightforward way. This kind of attack is not new. See, for example,
    Phrack 56 at http://www.phrack.org/show.php?p=56&a=5
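    To make the mechanism described in the two paragraphs above concrete, here is
    a small added example (not code from the post, from Cigital, or from the
    Microsoft compiler). It models a StackGuard-style canary check on a struct
    that stands in for one stack frame, so it runs deterministically and without
    undefined behaviour: the prologue plants a guard word between the local buffer
    and the saved return address, the epilogue compares it before "returning",
    and a security error handler is invoked on mismatch. The canary constant, the
    placeholder return address, the handler and all inputs are constructed. The
    handler's address is kept in a const pointer outside the frame; the post's
    concern is a handler mechanism that an overflow can reach, and keeping that
    pointer out of writable, overflow-reachable memory is one property a robust
    design needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one function's stack frame: the local buffer, then the
 * canary, then the saved return address that the canary is meant to guard. */
typedef struct {
    char buf[16];          /* vulnerable local buffer */
    uint32_t canary;       /* guard word written in the prologue */
    uint32_t saved_return; /* stands in for the saved return address */
} frame_t;

/* Constructed constant; a real implementation randomises this per process. */
#define CANARY_VALUE 0xA5C3E1F9u

/* Hypothetical "security error handler". A real one aborts the process; here
 * it only counts invocations so the outcome can be checked. Its address is a
 * const pointer that lives outside the frame, so the copy below cannot reach
 * it. */
static int handler_calls = 0;
static void default_handler(void) { handler_calls++; }
static void (* const security_handler)(void) = default_handler;

/* Prologue: initialise locals and plant the canary. */
static void prologue(frame_t *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_return = 0x08048000u; /* constructed placeholder address */
}

/* Epilogue: check the canary before "returning". Returns 1 when the frame is
 * intact, 0 when it was corrupted (the handler has then been called). */
static int epilogue(const frame_t *f) {
    if (f->canary != CANARY_VALUE) {
        security_handler();
        return 0;
    }
    return 1;
}

/* An unbounded strcpy()-style copy: the length comes from the input, not the
 * destination. Confined to the frame object so the demo stays well defined. */
static void unbounded_copy(frame_t *f, const char *src, size_t n) {
    unsigned char *dst = (unsigned char *)f + offsetof(frame_t, buf);
    size_t room = sizeof *f - offsetof(frame_t, buf);
    if (n > room)
        n = room;
    memcpy(dst, src, n);
}

/* The bounded alternative: never writes past buf, truncating if needed. */
static void bounded_copy(frame_t *f, const char *src, size_t n) {
    size_t max = sizeof f->buf - 1;
    if (n > max)
        n = max;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
}

/* Runs one scenario: returns 1 if the canary survived, 0 if the overflow was
 * detected in the epilogue. */
int simulate(const char *input, int use_bounded_copy) {
    frame_t f;
    prologue(&f);
    if (use_bounded_copy)
        bounded_copy(&f, input, strlen(input));
    else
        unbounded_copy(&f, input, strlen(input) + 1);
    return epilogue(&f);
}

int main(void) {
    const char *short_input = "hello";                    /* constructed */
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* 24 bytes, constructed */
    printf("short, unbounded copy: %s\n", simulate(short_input, 0) ? "intact" : "detected");
    printf("long,  unbounded copy: %s\n", simulate(long_input, 0) ? "intact" : "detected");
    printf("long,  bounded copy:   %s\n", simulate(long_input, 1) ? "intact" : "detected");
    return 0;
}
```

    The three runs show the scheme's scope: a fitting input passes, an overlong
    input copied with an unbounded routine clobbers the guard and is caught at
    the epilogue, and the same input copied with a bounded routine never reaches
    the guard at all. The canary only ever detects the overflow after the write
    has already happened, which is why everything the check relies on, the guard
    value and the handler it calls, has to sit where that write cannot go.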
    
    There are several well known approaches not based on StackGuard that a
    compiler-producer might use to defeat buffer overflow attacks. Microsoft
    chose to adopt a weak solution rather than a more robust solution. This is
    a design-level flaw leading to a very serious set of potential attacks
    against code compiled with the new compiler. The Microsoft compiler is thus
    in some sense a "vulnerability seeder".
    
    More technical information about the flaw can be found at
    http://www.cigital.com/news/mscompiler-tech.html
    
    Microsoft has been alerted to the flaw.
    
    Chris Ren
    