Re: Re[2]: insecure signal handler design

From: Ryan Permeh (ryanat_private)
Date: Wed May 30 2001 - 23:00:50 PDT

  • Next message: Matthew S. Hamrick: "Re: Security != Reliability - need flexible responses."

    there are certain types of handlers, but nost are thigns like ctrl-c
    handlers and stuff.  i'm not familaiar with a direct correlation to unix
    style signals in a win32 environment.  ipc happens, but almost all
    objects(kernel or userland) have the option of having a security desciptor
    associated with them, so you probably can protect against any odd situations
    if implemented (STOP PASSING NULL AS A SECURITY DESCRIPTOR ON SECURITY
    CONSCIOUS OBJECTS:).
    
    i've been looking at this attack and there are in fact ways of doing what
    you are talking about using termination handlers in Structured exception
    handling.  basically, when a proc is closing, threads are terminated, and
    stack handlers unroll.  all termination handlers should be called(i'm
    talking about __finally{} blocks).
    
    postmessage isn't really the same thing, directly, but perhaps
    TermiateProcess could be considered similar to sending a SIGTERM to a
    process, depending on how you use it.
    
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer
    
    ----- Original Message -----
    From: "Joakim Sandstrom" <jodeat_private>
    To: <dullienat_private>
    Cc: "Michal Zalewski" <lcamtufat_private>;
    <SECPROGat_private>; <SECPAPERSat_private>
    Sent: Wednesday, May 30, 2001 12:33 PM
    Subject: Re: Re[2]: insecure signal handler design
    
    
    > Ok,
    >
    > Hmms. Not exactly what I was thinking about. I'm not talking about
    > PostMessage
    > or SendMessage (Window messaging). But on signals as in unix. I'm sure
    allot
    > of
    > services f.ex. want to handle a crash or termination nicely by handling
    and
    > emptying
    > all log data for example.. this could be done using the same techniques as
    > in unix environments..
    > refering to signal(SIGTERM, sh) function and the handler.. I don't think
    > it's possible
    > to get SIGTERM messages or SIGABRT messages as window messages.. abnormal
    > termination messages etc.. My "guess" is that many services (w3svc, sql
    > server etc..) are
    > using exactly the same way of handling (un-expected program terminations
    > etc..) as unix is?
    > Am I right? Or is there another way of doing this in win32?
    >
    > /JODE
    >
    > ----- Original Message -----
    > From: <dullienat_private>
    > To: "Joakim Sandstrom" <jodeat_private>
    > Cc: "Michal Zalewski" <lcamtufat_private>;
    > <SECPROGat_private>; <SECPAPERSat_private>
    > Sent: Wednesday, May 30, 2001 9:13 PM
    > Subject: Re[2]: insecure signal handler design
    >
    >
    > >
    > > Hey there,
    > >
    > > JS> could be a way to do it?  My goal is to find out who is subscribing
    to
    > what
    > > JS> SIG. So it would be easier finding possible problems on win32 (yes
    > lucky you
    > > JS> who are playing on opensource) :). Night night..
    > >
    > > Correct me if I am wrong, but signal races should not be an issue
    > > under Win32. I am assuming now that UNIX signals have their direct
    > > equivalent in Win32 window messages. Please bear in mind that what I
    > > state here is what I --think-- not what I've tried.
    > > Since NT comes from Mach the signal/message sending is a bit more
    > > thought out than in the 'average' Unix.
    > > The distinction between SendMessage()/PostMessage() is that
    > > SendMessage() will directly call the signal handler -- which can only
    > > be done within one process address space. PostMessage() will put a
    > > message into the message queue and wait for the target process to
    > > _fetch_ it; to send messages to a foreign process you need to use
    > > PostMessage(). As it is only one thread that processes those signals,
    > > a signal race will not really be an issue if I am correct.
    > >
    > > What is a problem are services that do their IPC via Messages and
    > > which, for that reason, create invisible windows. If they trust the
    > > input they're getting (e.g. accept pointers or whatnot) there is a
    > > danger of privilege escalation.
    > >
    > > The direct race condition described in lcamtuf's (great) paper don't
    > > apply AFAIK.
    > >
    > > Cheers,
    > > dullienat_private
    > >
    >
    >
    



    This archive was generated by hypermail 2b30 : Thu May 31 2001 - 15:11:17 PDT