Lcc-win32 information disclosure

From: Auriemma Luigi (bugtestat_private)
Date: Fri Aug 02 2002 - 14:07:35 PDT


    ######################################################################
    
    Application: Lcc-win32 (http://www.cs.virginia.edu/~lcc-win32/)
    Version:     ALL, and future ones too (bug ONLY on Win9x/Me, NOT on other
                 Windows versions) (see the Fix section for details)
    Bug:         Parts of the computer's memory are inserted after the import
                 table of the executables created with Lcc.
    Risk:        Possible disclosure of personal information. The parts of
                 memory copied into the exe can be pieces of files, system
                 and user information and anything else.
    Author:      Auriemma Luigi (e-mail: bugtestat_private)
    
    ######################################################################
    
    
    Sections:
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    5) Philosophy
    
    ----------------------------------------------------------------------
    
    1) Introduction
    
    Lcc is really an excellent and very widespread free C compiler for
    Win32.
    It also contains a good IDE (Wedit) for creating or continuing projects
    simply.
    For example I use it to compile everything written in C and also for
    the proof-of-concept programs attached to my advisories (eh eh,
    you can imagine my face when I found this bug and thought of
    all the code I have distributed before...).
    
    ----------------------------------------------------------------------
    
    2) Bug
    
    As I said in the header of my advisory, the bug is reproducible
    ONLY on Windows 9x/Me.
    When Lcc compiles a source file it inserts some bytes (overlay) after
    the import table.
    Normally these bytes should all be zeros, but that is not so on Win9x/Me.
    
    So not all our executables will be filled with parts of memory, and
    this seems to be caused by the size of the resulting exe (not sure).
    For example, if in a source file that doesn't reproduce the bug we insert
    or delete some lines of code, when we recompile it we will see
    that it now contains other bytes instead of the normal 0x00 bytes.
    
    This is a simple example:
    
     example.c
    -----------
    #include <stdio.h>
    
    int main(void) {
    	printf("Lcc bug\n");
    	return(0);
    }
    -----------
    
    If we compile this little program we will see that after the import
    table there are some bytes (just after CRTDLL.DLL and some '@') that
    are different each time we compile it.
    
    This means that we can find parts of other files, parts of the source
    code or of its assembly, system and user info, random pieces
    of memory and more.
    
    For example in some of my executables I have found a file with some
    e-mail addresses of my friends, information about my system and also
    a piece of a bug report I had written some days before!
    
    Take a look at example.exe compiled on my machine:
    
    0000b30: 3040 0043 5254 444c 4c2e 444c 4c00 0014  0@.CRTDLL.DLL...
    0000b40: 3040 0014 3040 0014 3040 0014 3040 0014  0@..0@..0@..0@..
    0000b50: 3040 003d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  0@.=============
    0000b60: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ================
    0000b70: 3d3d 3d0a 4946 2045 5849 5354 206a 6574  ===.IF EXIST jet
    0000b80: 7479 656e 762e 6261 7420 4341 4c4c 206a  tyenv.bat CALL j
    0000b90: 6574 7479 656e 762e 6261 740a 0a72 656d  ettyenv.bat..rem
    0000ba0: 203d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d   ===============
    0000bb0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ================
    0000bc0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ================
    0000bd0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 0a72 656d  ============.rem
    0000be0: 203d 3d20 6368 6563 6b20 666f 7220 4a41   == check for JA
    0000bf0: 5641 5f48 4f4d 4520 656e 7600 0000 0020  VA_HOME env....
    0000c00: 0000 0000 0000 0020 0000 0000 1000 0000  ....... ........
    0000c10: 1400 0000 2000 0000 2400 00              .... ...$..
    
    The bytes after the last "0@." are exactly the same bytes as in the file
    jetty.bat, a batch file of a Java web server!!!
    
    ----------------------------------------------------------------------
    
    3) The Code
    
    Look at the bytes after the import table of the executables compiled
    with Lcc.
    
    ----------------------------------------------------------------------
    
    4) Fix
    
    The author of Lcc told me that this is a problem of the
    operating systems I listed before, because they don't clear
    memory properly, so no official patch exists.
    
    However it is very simple to get rid of this problem.
    You can manually delete, overwrite or check these useless bytes, or do
    it automatically using utilities that strip Windows PE executables.
    
    My choice is FileScanner. This excellent free utility, which does a
    lot of useful and interesting things, can also reduce the file size
    and delete these useless and "anti-privacy" bytes.
    
    The homepage of FS is http://smf.chat.ru/
    You can download it directly from http://smf.chat.ru/files/fs.zip
    So to fix your applications compiled with Lcc, you can simply use:
    
    fs -se file.exe
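    The check from section 3 and the "overwrite these bytes" fix from section
    4 can also be done without a third-party tool. The following script is an
    added example, not part of the advisory and not FileScanner's code: it
    parses the PE section table, flags any section whose file-alignment
    padding (the bytes past VirtualSize, where the leaked memory sits after the
    import names in the dump above) or trailing overlay is not all zero, and
    zero-fills those regions. build_sample_pe() is a constructed stand-in for
    an Lcc output, used only so the script runs offline.

```python
import struct

SEC_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def pe_slack_report(data: bytes):
    # Report (section, file offset, bytes) for every section whose file-
    # alignment padding (past VirtualSize, up to SizeOfRawData) is not all
    # zero, plus an '<overlay>' entry for non-zero data after the last section.
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_tab = coff + 20 + opt_size
    findings, end = [], 0
    for i in range(nsec):
        hdr = struct.unpack_from(SEC_HDR, data, sec_tab + i * 40)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, rsize, rptr = hdr[1], hdr[3], hdr[4]
        end = max(end, rptr + rsize)
        # VirtualSize == 0 means "unknown" in some old linkers: skip, do not guess
        if 0 < vsize < rsize and data[rptr + vsize:rptr + rsize].strip(b"\0"):
            findings.append((name, rptr + vsize, data[rptr + vsize:rptr + rsize]))
    if data[end:].strip(b"\0"):
        findings.append(("<overlay>", end, data[end:]))
    return findings

def scrub_slack(data: bytes) -> bytes:
    # Zero-fill every region flagged above; those bytes are meant to be zero.
    out = bytearray(data)
    for _name, off, blob in pe_slack_report(data):
        out[off:off + len(blob)] = bytes(len(blob))
    return bytes(out)

def build_sample_pe(slack: bytes, align: int = 0x200) -> bytes:
    # Constructed stand-in for an Lcc output (not a real one): one '.idata'
    # section whose VirtualSize covers only the DLL name string, with `slack`
    # placed in the alignment padding where zeros are expected.
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    names = b"CRTDLL.DLL\0"
    sec = struct.pack(SEC_HDR, b".idata", len(names), 0x2000, align, align, 0, 0, 0, 0, 0xC0000040)
    raw = (names + slack).ljust(align, b"\0")[:align]
    return (bytes(dos) + b"PE\0\0" + coff + sec).ljust(align, b"\0") + raw
```

    Review an '<overlay>' finding before scrubbing it: self-extracting archives
    and installers keep legitimate data after the last section, whereas the
    section padding flagged here should never contain anything.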
    
    ----------------------------------------------------------------------
    
    5) Philosophy
    
    I'm really hopeful about FULL DISCLOSURE, because with it
    "everyone" can know the real effects of an attack and the real danger of
    a bug, someone can learn a bit of programming (I learned a bit of
    C from the source code of some exploits) and it's useful for all the
    people who believe in this type of disclosure.
    No secrets!
    
    ----------------------------------------------------------------------
    
    Any type of feedback is really welcome!
    
    Byez
    
    This archive was generated by hypermail 2b30 : Fri Aug 02 2002 - 12:16:40 PDT