Re[4]: insecure signal handler design

From: dullienat_private
Date: Wed May 30 2001 - 15:57:27 PDT

    Hey Joakim,
    
    JS> services f.ex. want to handle a crash or termination nicely by handling and
    JS> emptying
    JS> all log data for example.. this could be done using the same techniques as
    JS> in unix environments..
    JS> referring to signal(SIGTERM, sh) function and the handler.. I don't think
    JS> it's possible
    JS> to get SIGTERM messages or SIGABRT messages as window messages.. abnormal
    JS> termination messages etc.. My "guess" is that many services (w3svc, sql
    JS> server etc..) are
    JS> using exactly the same way of handling (unexpected program terminations
    JS> etc..) as unix is?
    JS> Am I right? Or is there another way of doing this in win32?
    
    Hrmm...services do register individual handlers for certain control
    messages that can be sent to the service:
    http://msdn.microsoft.com/library/psdk/winbase/services_3smw.htm
    Now the main point with a possible exploitation here is that AFAIK
    most (if not all) Win32 API functions are more or less multi-threading
    safe. A situation like Michael described where you can get two paths
    of execution racing to a malloc should not lead to any problems under
    NT as the RtlAllocateHeap() functions are designed to be reentrant and
    multithreading-safe.
    Nonetheless it would be interesting to see if a double execution of
    the same handler can be achieved by rapidly sending two control
    requests to a service...
    
    Cheers,
    dullienat_private
    
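The "double execution of the same handler" the post wonders about is the case a defensively written control handler should tolerate. The following is an added example, not code from the thread: two threads stand in for two control requests delivered almost at once, and a compare-and-swap once-guard ensures the cleanup (a log flush) runs exactly once. All names and the simulated service state are hypothetical.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Simulated service state (constructed): pending log bytes, a counter of how
 * often the flush ran, and the once-guard that serialises the handler. */
static int g_pending_log_bytes;
static atomic_int g_flush_count;
static atomic_int g_handler_busy;   /* 0 = idle, 1 = a handler owns cleanup */

static void flush_log(void) {
    /* A real service would write the buffered log to disk here. */
    atomic_fetch_add(&g_flush_count, 1);
    g_pending_log_bytes = 0;
}

/* Control handler: the first caller wins the guard; a second delivery of the
 * same control code arriving concurrently returns without touching state. */
int on_stop_request(void) {
    int expected = 0;
    if (!atomic_compare_exchange_strong(&g_handler_busy, &expected, 1))
        return 0;   /* another invocation already owns the shutdown path */
    flush_log();
    return 1;       /* this invocation performed the cleanup */
}

static void *deliver_control(void *arg) {
    (void)arg;
    on_stop_request();
    return NULL;
}

/* Constructed scenario: two stop requests delivered at once. Returns how many
 * times flush_log() ran: 1 with the guard, where an unguarded handler could
 * run it twice and race on the shared log state. */
int race_two_stop_requests(void) {
    pthread_t a, b;
    g_pending_log_bytes = 42;
    atomic_store(&g_flush_count, 0);
    atomic_store(&g_handler_busy, 0);
    pthread_create(&a, NULL, deliver_control, NULL);
    pthread_create(&b, NULL, deliver_control, NULL);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    return atomic_load(&g_flush_count);
}

int main(void) {
    printf("flush ran %d time(s)\n", race_two_stop_requests());
    return 0;
}
```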
    This archive was generated by hypermail 2b30 : Thu May 31 2001 - 11:25:58 PDT